Multiple Vulnerabilities in PostBoard

From: gcsb (gcsbnzat_private)
Date: Tue Apr 16 2002 - 16:25:53 PDT


    Multiple Vulnerabilities in PostBoard
    -------------------------------------
    
    PostBoard is an add-on module for the PostNuke content
    management system which implements a forum system. 
    The current version of PostBoard is 2.0.1 and can be
    found at:
    www.nukeaddon.com or ftp.dndresources.com.
    
    I have discovered 3 problems with it, one of which was
    originally discovered in another product by someone
    else. These all exist in the 2.0/2.0.1 versions.
    
    Descriptions
    ------------
    
    1) bbcode IMG tag cross-site scripting
    
    PostBoard uses the common bbcode markup system which
    uses tags similar to html. The [IMG] tag will accept 
    any source including javascript. For example:
    
    [IMG]javascript:alert('give me cookies');[/IMG]
    
    The above javascript will execute on the victim's
    machine upon viewing a message that contains it.
    
    Solution: Only allow URLs that start with 'http://'
    
    
    2) Topic title cross-site scripting
    
    When adding a new topic to a forum the user enters a
    title for their new topic. The topic title can contain
    any valid HTML code including <script> tags. 
    For example you can create a topic with the following
    title and the script will execute when someone views 
    the list of topics in a forum:
    
    <script>alert('give me cookies');</script>
    
    Solution: Do not allow unsafe HTML in topic titles.
    There are functions available to do this in 
    the PostNuke API (i.e. pnVarPrepHTMLDisplay).
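
    The two fixes above, as an added illustration in PHP that is not code from PostBoard, phpBB or PostNuke (function names are my own; pnVarPrepHTMLDisplay is only referenced in a comment): an [IMG] renderer with a scheme allowlist, and a title escaper.

```php
<?php
// Added illustration, not code from PostBoard, phpBB or PostNuke.
// Function names here are my own; pnVarPrepHTMLDisplay is the
// PostNuke API function the advisory points to for titles.

// Fix for problem 1: accept an [IMG] source only if it is an absolute
// http:// or https:// URL. Anything else (javascript:, data:, relative
// paths, whitespace tricks such as "java\tscript:") is rejected.
function safe_img_url(string $raw): ?string
{
    $url = trim($raw);
    // Scheme allowlist, case-insensitive; no quotes, angle brackets
    // or whitespace may appear anywhere in the accepted value.
    if (preg_match('#^https?://[^\s"\'<>]+$#i', $url) !== 1) {
        return null;
    }
    return $url;
}

// Render a post body: escape all HTML first so no raw tag survives,
// then turn validated [IMG]...[/IMG] tags into <img> elements.
function render_post(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[IMG\](.*?)\[/IMG\]#is',
        function (array $m): string {
            $url = safe_img_url($m[1]);
            if ($url === null) {
                return '[image removed: unsafe source]';
            }
            // $url is already entity-escaped and contains no quote or
            // angle bracket, so it is safe inside a double-quoted attribute.
            return '<img src="' . $url . '" alt="" />';
        },
        $escaped
    ) ?? $escaped;
}

// Fix for problem 2: a topic title is plain text, so escape it entirely
// before it is placed in the forum's topic list.
function safe_topic_title(string $title): string
{
    return htmlspecialchars(trim($title), ENT_QUOTES, 'UTF-8');
}

// The two payloads quoted in the advisory, rendered harmlessly.
echo render_post("[IMG]javascript:alert('give me cookies');[/IMG]"), "\n";
echo render_post("[IMG]http://example.com/pic.png[/IMG]"), "\n";
echo safe_topic_title("<script>alert('give me cookies');</script>"), "\n";
```

    Escaping the whole body before bbcode conversion is what makes the allowlist sufficient: the only markup that can reach the browser is the <img> element the renderer itself emits.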
    
    
    3) bbcode encoding problems
    
    A recent advisory from Whitecell exposed 
    vulnerabilities in phpBB's handling of nested 
    bbcode tags which can lead to database 
    corruption and high CPU usage.
    
    PostBoard appears to use the same code as phpBB for 
    encoding bbcode tags to HTML. It would be fair to 
    assume that PostBoard suffers from the same 
    problems as phpBB in this regard.
    
    The original advisory by Whitecell can be found here:
    
    http://online.securityfocus.com/archive/1/265798
    
    A solution is provided in the above advisory.
    
    Note: I have not tested this, but as the code in 
    PostBoard appears to have been pasted from phpBB it's 
    a fairly safe bet the problem exists.
    
    Vendor Status
    -------------
    
    Vendor was notified of Whitecell advisory on the 7th
    of April.
    
    Vendor was notified of problems 1 & 2 on the 8th of
    April.
    
    A reply was received on the 9th stating that fixes would 
    be available in the next version. No date was given.
    
    I sent the vendor another email on the 13th of April
    to follow up on progress as there had been a bug fix
    release which did not contain fixes for any of the
    above problems.
    
    On the 14th of April someone left a message on the
    PostBoard support forum which sounded like someone had
    been attacked with one of these problems. He included
    some detail as to how it was done. I notified the
    vendor that I would be posting an advisory.
    
    On the 16th of April another person reported that
    they had had their forums redirected to another
    site, probably via the same method (putting a 
    javascript redirect into a topic title). Still no
    response from vendor.
    
    
    Workarounds
    -----------
    
    The only practical workaround for these problems is to
    remove PostBoard from your site, or deny access to it
    until a fix is released. Or try and patch it yourself.
    
    
    Disclaimer
    ----------
    
    I do not work for, nor am I affiliated with any 
    security related organisation, especially any that 
    might have the same initials as my nickname/handle :)
    
    Oh - and a big shout out to the NZ2600 crew, hi guys
    (and gals)! ;)
    
    Thanks!
    gcsb.
    
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 23:33:28 PDT