WebBBS Guestbook : Cross Site Scripting

lavieangel_at_mydomain.com
Date: 06/27/03

    Date: Fri, 27 Jun 2003 01:43:35 +0100 (BST)
    To: <bugtraq@securityfocus.com>
    
    

                  WebBBS Guestbook : Cross Site Scripting

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Program : WebBBS
    Url vendor : http://awsd.com/scripts/webbbs/
    Problem : Multiple Cross Site Scripting Vulnerabilities
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Author : Thierry LAVIE (contact@lavieangel.com)
    Www : www.lavieangel.com
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    DESCRIPTION :
    ~~~~~~~~~~~~~
    WebBBS is, as the name implies, a Web-based bulletin board. Unlike most
    other such boards, though, WebBBS stores messages as simple text files and
    creates HTML pages "on the fly." This means that the message index can be
    tailored by the user based on date and/or subject (via built-in keyword
    search capability), and can be viewed as threaded, chronological or
    "guestbook-style" lists. A wide variety of options are available both to
    the administrator and to the users, and "behind-the-scenes" administrative
    tasks (editing and deleting of messages, etc.) are a breeze! WebBBS
    supports automatic quoting of message text and e-mail notification of
    those who want to know immediately when a new message has been posted. It
    also offers an archive-only option, the ability to run moderated boards,
    and "cookie" support!

    PROBLEM :
    ~~~~~~~~~
    When you sign the guestbook, it is possible to include script code in
    the 'Name', 'Email' or 'Message' fields. When the guestbook is then
    viewed, the code is executed (client side).

    EXPLOIT :
    ~~~~~~~~~
    For example, including the following JavaScript code in one of the
    3 fields puts the guestbook out of service, because every client that
    requests it is immediately redirected to 'www.toto.com'.

    <script>window.location.replace("http://www.toto.com");</script>

    SOLUTION :
    ~~~~~~~~~~
    No solution yet, vendor has been informed by mail.
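
    Added example, not part of the original advisory and not WebBBS code: a Python sketch that contrasts the unencoded rendering described under PROBLEM with per-field output encoding, using the payload from EXPLOIT as input. The function names, the entry markup and the e-mail pattern are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample entry: the advisory's payload placed in all three fields.
PAYLOAD = '<script>window.location.replace("http://www.toto.com");</script>'
SAMPLE_ENTRY = {"name": PAYLOAD, "email": PAYLOAD, "message": "Hi!\n" + PAYLOAD}

# Deliberately strict address check (assumption: simple addresses are enough).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_unsafe(entry):
    """Vulnerable pattern: fields are concatenated into the page unchanged."""
    return ('<p><b>{name}</b> &lt;<a href="mailto:{email}">{email}</a>&gt;</p>'
            '<p>{message}</p>').format(**entry)


def render_safe(entry):
    """Encode every field for the HTML context it lands in."""
    name = html.escape(entry["name"], quote=True)
    # Escape first, then add the only markup we generate ourselves.
    message = html.escape(entry["message"], quote=True).replace("\n", "<br>")
    email = entry["email"].strip()
    if EMAIL_RE.match(email):
        # Attribute context: percent-encode for the URL, then HTML-escape.
        href = html.escape("mailto:" + quote(email, safe="@"), quote=True)
        email_html = '<a href="{}">{}</a>'.format(href, html.escape(email))
    else:
        # Not a plausible address: show it as inert text, never as a link.
        email_html = html.escape(email, quote=True)
    return '<p><b>{}</b> &lt;{}&gt;</p><p>{}</p>'.format(name, email_html, message)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_ENTRY))
    print("safe:  ", render_safe(SAMPLE_ENTRY))
```

    Encoding at output time also neutralizes entries that were stored before the fix, which matters here because the guestbook pages are built from saved message files on each request.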

