Bugtraq mailing list archives

tdforum 1.2 Messageboard


From: fiveyes () iiiii com (5-i's)
Date: Mon, 20 Aug 2001 08:27:16 GMT

Examination of the program "TDForum 1.2", a guest book style,
unthreaded messageboard, for sale at http://www.tdscripts.com
(http://www.tdavidscripts.com/ aliases the same), revealed a serious
client-side security risk to the users of the forum.  Because user
supplied data is not being sanitized, anyone accessing a forum to read
messages may be exposed to malicious HTML scripts within the message
bodies.  This threat is described in detail at
http://www.ciac.org/ciac/bulletins/k-021.shtml and
http://www.cert.org/advisories/CA-2000-02.html.

Exploitation of this security hole is rather straightforward, though
I'll not go into details because of the many CGI programs that have
been written by neophytes with this vulnerability and the ready
availability of malevolent HTML scripting snippets on the Net.

But now I get to the disturbing part.  There is a "LIVE messageboard
demo" of this program at http://www.tdscripts.com/tdforum/, but it
removes ALL HTML tags!  In other words, the demo program doesn't have
the security hole that I found in the program I purchased.  When I
confronted the author with this fact on the 18th, he threatened me
with a lawsuit for harassment and is now trying to discredit me
on-line as "insane".  Worse though, he seems completely disinclined to
alert the people who have purchased the program in the two years he's
offered it and issue a patch.

Contact information for the company is to be found at
http://www.tdscripts.com/contact.html.  If anyone cares to look into
it, the CRC32 of the program (tdforum12.cgi) I purchased on
07/31/2001, is 81563585 and is dated 6/29/00 9:56 within the zip file.

Larry (5-i's) Lung
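As an added, defender-side illustration of the unsanitized-message-body problem described above (example code, not TDForum's code or the poster's), a constructed message body is rendered three ways: verbatim (the flawed pattern), HTML-escaped, and with every tag stripped, which is what the vendor's live demo does. The message body and function names are assumptions for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of a posted message body (not from TDForum or the post).
POSTED_BODY = 'Great board! <b>Thanks</b><script>alert(1)</script>'

# Any '<' that starts a tag name; used only to check sanitizer output.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_markup(text: str) -> bool:
    """Defender's check: does a message body still contain a tag?"""
    return bool(TAG_RE.search(text))


def escape_body(body: str) -> str:
    """Fix 1: escape so the browser shows markup as text, never runs it."""
    return html.escape(body, quote=True)


class _TagStripper(HTMLParser):
    """Keeps text content only; script/style bodies are dropped entirely."""
    SKIP = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_all_tags(body: str) -> str:
    """Fix 2: remove every tag (as the live demo does), then escape what is
    left so a stray '<' in plain text cannot recombine into new markup."""
    parser = _TagStripper()
    parser.feed(body)
    parser.close()
    return html.escape("".join(parser.parts), quote=True)


def render_message(body: str, sanitizer=None) -> str:
    """Message-display step; sanitizer=None reproduces the flawed pattern."""
    return "<p>" + (sanitizer(body) if sanitizer else body) + "</p>"
```

Either fix must be applied at every point where a stored body reaches a page, including the admin and edit views, since the stored text itself stays hostile.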

