Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier
From: Chintan Trivedi <chesschintan@xxxxxxxxxxx>
Date: 28 Dec 2003 13:19:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm



====================================================================
Advisory by Eye On Security Research Group - India www.eos-india.net 
====================================================================



1...............................................................Product
2................................................................Vendor
3.........................................................Vulnerability
4.........................................................About Product
5..............................................Details of vulnerability
6...............................................................Exploit
7..............................................................Solution
8...............................................................Credits




1. Product 
==========

miniBB 1.7 (latest) and earlier


2. Vendor
=========

www.minibb.net


3. Vulnerability
================

Cross Site Scripting vulnerability in bb_func_usernfo.php


4. About miniBB
===============

(direct quote from www.minibb.net)

        miniBB ("minimalistic bulletin board") is flat linear (non-tree) 
version of highly customizable bulletin board. It inherits most popular 
features from the bulletin boards the planet has at this moment, with one 
exception: it is very small by size (2-5 times smaller than usual boards), very 
fast and FREE. Mostly miniBB is designed for small and medium Internet-sites, 
but also can be used in large projects. 


5. Details of vulnerability
===========================

        bb_func_usernfo.php contains code to take data from "minibb_users" 
table and display information about a particular user requested. The code for 
displaying website of the any user in bb_func_usernfo.php is as follow :

if ($row[6]!='') $row[6]='<a href="'.$row[6].'" 
target="_blank">'.$row[6].'</a>'; else $row[6]='';

So an attacker can create a login in the forums and in the preferences, give 
his website name as 
http://blah.com";></a>&lt;script&gt;somejavascriptcode&lt;/script&gt;

Hence when others will try to view his profile, the inserted javascript code 
will be executed. The actual bug lies in the "bb_edit_prf.php" file where the 
website name inserted by a user in his preferences is not validated properly.  

6. Exploit
==========

        Create a user in the forums with your website name as 
http://blah.com";></a>&lt;script&gt;alert(document.cookie)&lt;/script&gt;
Now suppose your userid is 5, then just clicking 
http://[target]/index.php?action=userinfo&user=5 will execute the script. 

7. Solution
===========

        Check for the validation of the user data while editing his preferences 
in the "bb_edit_prf.php" file and filter out strings like "&lt;script&gt;", 
quotes, "cookie" etc.


8. Credits
==========

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net

Prev by Date: Buffer-overflow in Jordan's telnet server
Next by Date: IE 5.x-6.0 allows executing arbitrary programs using showHelp()
Previous by thread: Buffer-overflow in Jordan's telnet server
Next by thread: IE 5.x-6.0 allows executing arbitrary programs using showHelp()
Index(es):
- Date
- Thread