Examination of the program "TDForum 1.2", a guest book style, unthreaded messageboard, for sale at http://www.tdscripts.com (http://www.tdavidscripts.com/ aliases the same), revealed a serious client-side security risk to the users of the forum. Because user supplied data is not being sanitized, anyone accessing a forum to read messages may be exposed to malicious HTML scripts within the message bodies. This threat is described in detail at http://www.ciac.org/ciac/bulletins/k-021.shtml and http://www.cert.org/advisories/CA-2000-02.html. Exploitation of this security hole is rather straightforward, though I'll not go into details because of the many CGI programs that have been written by neophytes with this vulnerability and the ready availability of malevolent HTML scripting snippets on the Net.

But now I get to the disturbing part. There is a "LIVE messageboard demo" of this program at http://www.tdscripts.com/tdforum/, but it removes ALL HTML tags! In other words, the demo program doesn't have the security hole that I found in the program I purchased. When I confronted the author with this fact on the 18th, he threatened me with a lawsuit for harassment and is now trying to discredit me on-line as "insane". Worse though, he seems completely disinclined to alert the people who have purchased the program in the two years he's offered it and issue a patch. Contact information for the company is to be found at http://www.tdscripts.com/contact.html.

If anyone cares to look into it, the CRC32 of the program (tdforum12.cgi) I purchased on 07/31/2001, is 81563585 and is dated 6/29/00 9:56 within the zip file.

Larry (5-i's) Lung
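The bug class in the post is that a stored message body is written into the page verbatim. The following is an added example (not code from the post or from TDForum) showing the two defences a guest book script can apply at render time: output encoding, and the "remove ALL HTML tags" approach the live demo appears to use, done with a real parser rather than a regex. The function and sample names are assumptions.

```python
# Added example, not from the original post or from TDForum 1.2.
import html
from html.parser import HTMLParser

# Constructed sample message bodies, as a guest book might have stored them.
SAMPLE_BODIES = [
    "Nice forum, thanks!",
    "Hello <b>world</b> & friends",
    "<script>alert(1)</script>see you",
    # A naive regex stripper such as "<[^>]*>" rebuilds a tag from this.
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
]

def render_unsafe(body: str) -> str:
    """The vulnerable pattern: the stored body is interpolated as-is."""
    return f"<p>{body}</p>"

def render_escaped(body: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the
    browser displays the text and never parses it as markup."""
    return f"<p>{html.escape(body, quote=True)}</p>"

class _TextOnly(HTMLParser):
    """Keeps text nodes, drops every tag and the contents of script/style."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip = 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def strip_tags(body: str) -> str:
    """Strip-all-HTML as the demo does, via a real parser; the surviving
    text is escaped again because it may still contain '<' or '&'."""
    p = _TextOnly()
    p.feed(body)
    p.close()
    return html.escape("".join(p.parts), quote=True)

def is_safe_to_embed(rendered: str) -> bool:
    """Post-condition check: nothing but the wrapping <p> tags survives."""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" not in inner and ">" not in inner
```

Escaping on output is the simpler of the two to get right; tag stripping needs a parser and still needs escaping afterwards, as shown.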
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 08:28:09 PDT