Multiple Vulnerabilities in PostBoard ------------------------------------- PostBoard is an add-on module for the PostNuke content management system which implements a forum system. The current version of PostBoard is 2.0.1 and can be found at: www.nukeaddon.com or ftp.dndresources.com. I have discovered 3 problems with it. One of which was originally discovered in another product by someone else. These all exist in the 2.0/2.0.1 version. Descriptions ------------ 1) bbcode IMG tag cross-site scripting PostBoard uses the common bbcode markup system which uses tags similar to html. The [IMG] tag will accept any source including javascript. For example: [IMG]javascript:alert('give me cookies');[/IMG] The above javascript will execute on the victims machine upon viewing a message that contains it. Solution: Only allow URLs that start with 'http://' 2) Topic title cross-site scripting When adding a new topic to a forum the user enters a title for their new topic. The topic title can contain any valid HTML code including <script> tags. For example you can create a topic with the following title and the script will execute when someone views the list of topics in a forum: <script>alert('give me cookies');</script> Solution: Do not allow unsafe HTML in topic titles. There are functions available to do this in the PostNuke API (i.e. pnVarPrepHTMLDisplay). 3) bbcode encoding problems A recent advisory from Whitecell exposed vulnerabilities in phpBB's handling of nested bbcode tags which can lead to database corruption and high CPU usage. PostBoard appears to use the same code as phpBB for encoding bbcode tags to HTML. It would be fair to assume that PostBoard suffers from the same problems as phpBB in this regard. The original advisory by Whitecell can be found here: http://online.securityfocus.com/archive/1/265798 A solution is provided in the above advisory. Note: I have not tested this, but as the code in PostBoard appears to have been pasted from phpBB it's a fairly safe bet the problem exists. Vendor Status ------------- Vendor was notified of Whitecell advisory on the 7th of April. Vendor was notified of problems 1 & 2 on the 8th of April. A reply was received on 9th stating that fixes would be available in the next version. No date was given. I sent the vendor another email on the 13th of April to follow up on progress as there had been a bug fix release which did not contain fixes for any of the above problems. On the 14th of April someone left a message on the PostBoard support forum which sounded like someone had been attacked with one of these problems. He included some detail as to how it was done. I notified the vendor that I would be posting an advisory. On the 16th of April another person reported that they had had their forums redirected to another site, probably via the same method (putting a javascript redirect into a topic title). Still no response from vendor. Workarounds ----------- The only pratical workaround for these problems is to remove PostBoard from your site, or deny access to it until a fix is released. Or try and patch it yourself. Disclaimer ---------- I do not work for, nor am I affiliated with any security related organisation, especially any that might have the same initials as my nickname/handle :) Oh - and a big shout out to the NZ2600 crew, hi guys (and gals)! ;) Thanks! gcsb. __________________________________________________ Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/
This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 23:33:28 PDT