WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting

`Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning  
Board 4.0  
  
RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability  
in the Tapatalk plugin for the WoltLab Burning Board forum software,  
which allows attackers to inject arbitrary JavaScript code via URL  
parameters.  
  
  
Details  
=======  
  
Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0  
Affected Versions: >= 1.0.0  
Fixed Versions: 1.1.2  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: https://tapatalk.com  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015  
Advisory Status: published  
CVE: CVE-2014-8869  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869  
  
  
Introduction  
============  
  
"Tapatalk is an app built for interacting with discussion forums on  
mobile devices. It differs from a forum’s mobile web skin in that it  
offers the speed of a native app and a streamlined unified interface for  
every forum a user subscribes to. Tapatalk also creates a unique  
eco-system that allows forums to be searched and discovered by millions  
of Tapatalk users which in turn promotes content, new memberships, and  
interactions."  
  
(from Tapatalk's Homepage)  
  
  
More Details  
============  
  
The Tapatalk extension includes the PHP script welcome.php at the path  
  
com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php  
  
which is accessible via the URL  
  
http://www.example.com/mobiquo/smartbanner/welcome.php  
  
on systems using the plugin. It outputs JavaScript code that includes  
improperly encoded values from the two URL parameters "app_android_id"  
and "app_kindle_url". Depending on which parameters is used, one of  
their values is assigned to the PHP variable $byo:  
  
------------------------------------------------------------------------  
<?php  
[...]  
else if (isset($_GET['app_android_id']))  
{  
$app_android_id = $_GET['app_android_id'];  
if ($app_android_id && $app_android_id != '-1')  
$byo = "&app_android_id=$app_android_id";  
}  
else if (isset($_GET['app_kindle_url']))  
{  
$app_kindle_url = $_GET['app_kindle_url'];  
if ($app_kindle_url && $app_kindle_url != '-1')  
$byo = "&app_kindle_url=$app_kindle_url";  
}  
------------------------------------------------------------------------  
  
Later the $byo variable is used to build a URL without URL encoding it  
and the URL is used without further encoding in a script element:  
  
------------------------------------------------------------------------  
<?php  
[...]  
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'  
.'?referer='.urlencode($referer)  
.'&code='.urlencode($code)  
.'&board_url='.urlencode($board_url)  
.'&lang='.urlencode($lang)  
.$byo  
.'&callback=?';  
[...]  
?>[...]  
  
<script>$.getJSON("<?php echo $ads_url; ?>",function(data){  
[...]  
------------------------------------------------------------------------  
  
  
Proof of Concept  
================  
  
The following URL can be used to demonstrate the vulnerability:  
  
http://www.example.com/mobiquo/smartbanner/welcome.php  
?app_kindle_url=");alert('RedTeam Pentesting');</script><!--  
  
The result is a notification showing the text "RedTeam Pentesting".  
  
  
Workaround  
==========  
  
The PHP function urlencode() should be used to encode the $byo variable  
before building a URL with it.  
  
  
Fix  
===  
  
Update the plugin to version 1.1.2.  
  
  
Security Risk  
=============  
  
This security vulnerability is rated as a high risk. It allows to  
execute arbitrary JavaScript code in users' browsers if they access URLs  
prepared by attackers. This provides many different possibilities for  
further attacks against these users. Since the plugin is used for a  
bulletin board, the vulnerability could be exploited to display a fake  
login page and obtain credentials from users or administrators. The  
vulnerability also affects other web applications hosted on the same  
domain.  
  
  
Timeline  
========  
  
2014-10-20 Vulnerability identified  
2014-10-29 CVE number requested  
2014-11-14 CVE number assigned  
2014-11-26 Vendor notified via https://tapatalk.com/security.php  
2014-12-16 Vendor notified again, received reply from vendor  
2014-12-16 Vulnerability patched in SCM [0]  
2014-12-23 Updated plugin released by vendor [1]  
2015-01-08 Vendor updated release notes to mention XSS [2]  
2015-01-12 Advisory released  
  
  
References  
==========  
  
[0] https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871  
[1] https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9  
[2] https://support.tapatalk.com/threads/19540/#post-146253  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`