Multiple Vulnerabilities in PostBoard

[gcsb <gcsbnz () yahoo com>]

Multiple Vulnerabilities in PostBoard
-------------------------------------

PostBoard is an add-on module for the PostNuke content
management system which implements a forum system. 
The current version of PostBoard is 2.0.1 and can be
found at:
www.nukeaddon.com or ftp.dndresources.com.

I have discovered 3 problems with it. One of which was
originally discovered in another product by someone
else. These all exist in the 2.0/2.0.1 version.

Descriptions
------------

1) bbcode IMG tag cross-site scripting

PostBoard uses the common bbcode markup system which
uses tags similar to html. The [IMG] tag will accept 
any source including javascript. For example:

[IMG]javascript:alert('give me cookies');[/IMG]

The above javascript will execute on the victims 
machine upon viewing a message that contains it.

Solution: Only allow URLs that start with 'http://'


2) Topic title cross-site scripting

When adding a new topic to a forum the user enters a
title for their new topic. The topic title can contain
any valid HTML code including <script> tags. 
For example you can create a topic with the following
title and the script will execute when someone views 
the list of topics in a forum:

<script>alert('give me cookies');</script>

Solution: Do not allow unsafe HTML in topic titles.
There are functions available to do this in 
the PostNuke API (i.e. pnVarPrepHTMLDisplay).


3) bbcode encoding problems

A recent advisory from Whitecell exposed 
vulnerabilities in phpBB's handling of nested 
bbcode tags which can lead to database 
corruption and high CPU usage.

PostBoard appears to use the same code as phpBB for 
encoding bbcode tags to HTML. It would be fair to 
assume that PostBoard suffers from the same 
problems as phpBB in this regard.

The original advisory by Whitecell can be found here:

http://online.securityfocus.com/archive/1/265798

A solution is provided in the above advisory.

Note: I have not tested this, but as the code in 
PostBoard appears to have been pasted from phpBB it's 
a fairly safe bet the problem exists.

Vendor Status
-------------

Vendor was notified of Whitecell advisory on the 7th
of April.

Vendor was notified of problems 1 & 2 on the 8th of
April.

A reply was received on 9th stating that fixes would 
be available in the next version. No date was given.

I sent the vendor another email on the 13th of April
to follow up on progress as there had been a bug fix
release which did not contain fixes for any of the
above problems.

On the 14th of April someone left a message on the
PostBoard support forum which sounded like someone had
been attacked with one of these problems. He included
some detail as to how it was done. I notified the
vendor that I would be posting an advisory.

On the 16th of April another person reported that
they had had their forums redirected to another
site, probably via the same method (putting a 
javascript redirect into a topic title). Still no
response from vendor.


Workarounds
-----------

The only pratical workaround for these problems is to
remove PostBoard from your site, or deny access to it
until a fix is released. Or try and patch it yourself.


Disclaimer
----------

I do not work for, nor am I affiliated with any 
security related organisation, especially any that 
might have the same initials as my nickname/handle :)

Oh - and a big shout out to the NZ2600 crew, hi guys
(and gals)! ;)

Thanks!
gcsb.



__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/