![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
Subject: [ARL02-A09] Board-TNK Cross Site Scripting Vulnerability
Date: 16 Mar 2002 23:10:13 -0000
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A09 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+
Advisory Information
--------------------
Name : Board-TNK Cross Site Scripting
Vulnerability
Software Package : Board-TNK
Vendor Homepage : http://www.linux-sottises.net/
Vulnerable Versions: v1.3.0 and probably others
Platforms : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted : 15/03/2002
Vendor Replied : 15/03/2002
Prior Problems : N/A
Current Version : v1.3.1 (immune)
Summary
-------
Board-TNK is a discussion board written in PHP
(versions for both PHP3 and PHP4 are available).
It has support for multiple forums, use of cookies
for showing users new messages since their last
visit and storing their information to simplify
new posts, a choice of smiley icons for each
message, ability to use a subset of HTML within
the messages, multiple language support (English,
French, German, Dutch, Italian, Turkish, and
Spanish), and a full admin page that allows you to
create and delete forums, entire threads, or answers
from a thread. It is possible to prefix the MySQL
tables if only one database is allowed on an ISP
server.
A Cross Site Scripting vulnerability exists in
Board-TNK forums. This would allow a remote
attacker to send information to victims from untrusted
web servers, and make it look as if the information
came from the legitimate server.
Details
-------
The URL's and the user input seem to be filtered
pretty good. But I guess that the coders have missed
a point. The "WEB" input when replying or creating
topics, is not filtered enough. So a Cross Site
Scripting vulnerability exists in Board-TNK forums.
Example input for the "WEB" input
<script>alert("ALPERz was here!")</script>
After submitting this information, whenever anyone
browses the page where the topic is, the script will
take effect.
Solution
--------
The vendor replied to my mail and released a new
version which is immune to this vulnerability very
quickly (on the same day :})
You may download the new version or use the
method suggested by me, and approved by the
vendor, if you have made any modifications to the
board.
Strip HTML tags, and possibly other malicious code
within "xx_board.php". Where xx is the specified
forum language (Eg: en for English). Default for that
is "board.php".
I suggest the following as a workaround;
At the beginning of "board.php" add the lines below;
# Patch Start
$web_post= strip_tags ($web_post);
# Patch End
Credits
-------
Discovered on 15, March, 2002 by
Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org
References
----------
Product Web Page: http://www.linux-sottises.net/