Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WebBBS Guest Book Input Validation Flaw Permits Remote Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1007075
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 27 2003
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Description: An input validation vulnerability was reported in WebBBS in the guest book. A remote user can conduct cross-site scripting attacks.
It is reported that the software does not filter HTML code from user-supplied input from the 'Name', 'Email', and 'Message' fields.
A remote user can insert specially crafted text so that when a target user views the guest book entry, arbitrary scripting code
will be executed by the target user's browser. The code will originate from the site running the WebBBS software and will run in
the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
The vendor has reportedly been notified.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
WebBBS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: awsd.com/scripts/webbbs/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: <lavieangel@mydomain.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 27 Jun 2003 01:43:35 +0100 (BST)
From: <lavieangel@mydomain.com>
Subject: WebBBS Guestbook : Cross Site Scripting
|
WebBBS Guestbook : Cross Site Scripting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Program : WebBBS
Url vendor : http://awsd.com/scripts/webbbs/
Problem : Multiple Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author : Thierry LAVIE (contact@lavieangel.com)
Www : www.lavieangel.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DESCRIPTION :
~~~~~~~~~~~~~
WebBBS is, as the name implies, a Web-based bulletin board. Unlike most
other such boards, though, WebBBS stores messages as simple text files and
creates HTML pages "on the fly." This means that the message index can be
tailored by the user based on date and/or subject (via built-in keyword
search capability), and can be viewed as threaded, chronological or
"guestbook-style" lists. A wide variety of options are available both to
the administrator and to the users, and "behind-the scenes" administrative
tasks (editing and deleting of messages, etc.) are a breeze! WebBBS
supports automatic quoting of message text and e-mail notification of
those who want to know immediately when a new message has been posted. It
also offers an archive-only option, the ability to run moderated boards,
and "cookie" support!
PROBLEM :
~~~~~~~~~
When you sign the guestbook, it's possible to include codes into
the 'Name', 'Email' or 'Message' fields. Then when the guestbook
is viewed, the code is executed (client side).
EXPLOIT :
~~~~~~~~~
For example, by including the following javascript code into one
of the 3 fields, the guestbook would be out of service, because when
requested, it would immediatly redirect every clients to 'www.toto.com'.
<script>window.location.replace("http://www.toto.com");</script>
SOLUTION :
~~~~~~~~~~
No solution yet, vendor has been informed by mail.
|
|
Go to the Top of This SecurityTracker Archive Page
|
