Further examination of this program revealed:

1.) As stated previously, versions 1.2 and earlier of the program allowed any and all HTML tags, excepting comments, to be entered into both the message and name fields and then embedded into the message forum unchecked. This allows an attacker to expose the users of the forum to malicious JavaScript.

2.) Because the name of the poster is displayed within the form body of the administration interface before the Submit button, if the attacker enters a Name of "</FORM>", the message cannot be removed by that interface.

3.) Once the administrator realized that they could not directly remove the offensive code from the index file, where most of the users of the forum would be coming directly to through their bookmarks, they would most likely think to archive the existing messages and place a warning on the new index so no one would be exposed by going back there until it was removed. But the program only allows archiving once a day.

4.) Finally, the program writes the forum file with permissions of 0644, which requires either intermediate-level telnet commands (which may not be available on that account) or another CGI program to get rid of or modify the page. And since most people who buy $20 programs aren't going to be versed in either of those, and most people who administer message forums take them quite seriously, a programmer would most likely have to be called in on an emergency to take care of the problem.

Now, I'm not implying that this program was written this way intentionally, but I will say I have never seen a commercial product with a vulnerability this pronounced before and hope that I never will again.

After e-mailing the author/distributor of this script twice with these concerns, he contacted me by phone. During that lengthy conversation (recorded under Louisiana's one-party consent law) Mr. Russell told me that:

1.) He felt the (provably incomplete) e-mail notification to registered users of the program was adequate to rectify this error, though he acknowledged there was never an effort made to verify the e-mail addresses at the time of registration and that some valid e-mails may have changed since the time of purchase.

2.) It was the customer's responsibility to decide whether or not they should "upgrade", and he couldn't be held responsible if they decided it wasn't worth the trouble.

3.) He had only sold 57 copies of the script, and so what little money he made from it justified a minimal effort on his part to correct the security risk he'd distributed.

4.) He considered a .01 bump in version (from 1.2 to 1.21) justifiable because he didn't think it was all that big of a deal, though this is given a security risk rating of "high" in the CERT advisory (http://www.cert.org/advisories/CA-2000-02.html) that deals with this specific vulnerability.

The conversation was also sprinkled with a number of veiled threats, unfounded accusations of having "hacked his server a number of times" and two somewhat humorous attempts at blackmail. This resulted in me sending an (admittedly, somewhat nasty) e-mail that resulted in a full refund of the two scripts I purchased from him.

I feel he has minimized the risk his customers run in continued usage of tdforum versions 1.2 and earlier, as evidenced at:

http://www.webwitch.com/tdforum/notebook.html (8-23-2001 20:22)
http://www.access-ability.co.uk/tdforum/index.html (Message #71)
http://www.gracecom.org/plaza/plaza_index.html (no message number, since removed)
http://www.greatlakeswebmasters.com/members/tdforum/index.html (Message #103)

where version 1.2 is still in use and "test</BIG>" was allowed to be entered into the message forum. However, I am at a loss as to how to make a person responsible enough to properly address problems with his product, especially when they fail to acknowledge that there even is a problem.

Larry (5-i's) Lung
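As an added illustration (not tdforum's code and not part of the post above): the Python below contrasts embedding the name and message fields verbatim, as described in point 1, with HTML-escaping them, and shows why the "</FORM>" name from point 2 breaks the unescaped administration form but leaves the escaped one usable. The function names, the form layout and the contains_markup() scan for entries like "test</BIG>" are assumptions made for this example.

```python
import html
import re

# Hypothetical renderers standing in for the forum's CGI output (not tdforum's code).

def render_post_unchecked(name: str, message: str) -> str:
    """Reproduces the behaviour described in point 1: fields embedded verbatim."""
    return f"<p><b>{name}</b>: {message}</p>"

def render_post_escaped(name: str, message: str) -> str:
    """Escapes &, <, >, and quotes so user text can never become markup or script."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(message)}</p>"

def admin_delete_form(names, escape: bool) -> str:
    """Builds the admin 'remove message' form: poster names listed before the Submit button,
    as in the administration interface described in point 2."""
    enc = html.escape if escape else (lambda s: s)
    rows = "".join(
        f'<input type="checkbox" name="del" value="{i}"> {enc(n)}<br>'
        for i, n in enumerate(names)
    )
    return f'<FORM method="post">{rows}<input type="submit" value="Submit"></FORM>'

def form_is_intact(page: str) -> bool:
    """True when the Submit button still sits inside the form, i.e. the first </FORM>
    closing tag comes after it. A poster name of "</FORM>" breaks this in the
    unescaped variant, which is why that message could not be removed."""
    low = page.lower()
    first_close = low.find("</form>")
    submit = low.find('type="submit"')
    return first_close != -1 and submit != -1 and submit < first_close

# Something that looks like an HTML tag or comment opener; "1 < 2" does not match.
_TAG = re.compile(r"<\s*(?:/\s*)?[a-zA-Z]|<!")

def contains_markup(text: str) -> bool:
    """Detection aid for an administrator auditing an existing forum or archive file:
    flags entries such as "test</BIG>" that should have been rejected or escaped."""
    return _TAG.search(text) is not None
```

Running the escaped renderer on a stored forum file is also the cheapest cleanup for point 3: re-emitting every saved post through html.escape() neutralises markup already in place without waiting for the once-a-day archive.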
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 12:21:05 PDT