OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Sat Mar 16 2002 - 17:10:13 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A09 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : Board-TNK Cross Site Scripting
    Vulnerability
    Software Package : Board-TNK
    Vendor Homepage : http://www.linux-sottises.net/
    Vulnerable Versions: v1.3.0 and probably others
    Platforms : Linux
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/03/2002
    Vendor Replied : 15/03/2002
    Prior Problems : N/A
    Current Version : v1.3.1 (immune)


    Summary
    -------
    Board-TNK is a discussion board written in PHP
    (versions for both PHP3 and PHP4 are available).
    It has support for multiple forums, use of cookies
    for showing users new messages since their last
    visit and storing their information to simplify
    new posts, a choice of smiley icons for each
    message, ability to use a subset of HTML within
    the messages, multiple language support (English,
    French, German, Dutch, Italian, Turkish, and
    Spanish), and a full admin page that allows you to
    create and delete forums, entire threads, or answers
    from a thread. It is possible to prefix the MySQL
    tables if only one database is allowed on an ISP
    server.

    A Cross Site Scripting vulnerability exists in
    Board-TNK forums. This would allow a remote
    attacker to send information to victims from untrusted
    web servers, and make it look as if the information
    came from the legitimate server.


    Details
    -------
    The URL's and the user input seem to be filtered
    pretty good. But I guess that the coders have missed
    a point. The "WEB" input when replying or creating
    topics, is not filtered enough. So a Cross Site
    Scripting vulnerability exists in Board-TNK forums.


    Example input for the "WEB" input
    <script>alert("ALPERz was here!")</script>

    After submitting this information, whenever anyone
    browses the page where the topic is, the script will
    take effect.


    Solution
    --------
    The vendor replied to my mail and released a new
    version which is immune to this vulnerability very
    quickly (on the same day :})

    You may download the new version or use the
    method suggested by me, and approved by the
    vendor, if you have made any modifications to the
    board.

    Strip HTML tags, and possibly other malicious code
    within "xx_board.php". Where xx is the specified
    forum language (Eg: en for English). Default for that
    is "board.php".

    I suggest the following as a workaround;
    At the beginning of "board.php" add the lines below;

    # Patch Start
    $web_post= strip_tags ($web_post);
    # Patch End


    Credits
    -------
    Discovered on 15, March, 2002 by
    Ahmet Sabri ALPER
    salperolympos.org
    http://www.olympos.org


    References
    ----------
    Product Web Page: http://www.linux-sottises.net/