WebBBS Guestbook : Cross Site Scripting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Program : WebBBS
Url vendor : http://awsd.com/scripts/webbbs/
Problem : Multiple Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author : Thierry LAVIE (contact@lavieangel.com)
Www : www.lavieangel.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DESCRIPTION :
~~~~~~~~~~~~~
WebBBS is, as the name implies, a Web-based bulletin board. Unlike most other such boards, though, WebBBS stores messages as simple text files and creates HTML pages "on the fly." This means that the message index can be tailored by the user based on date and/or subject (via built-in keyword search capability), and can be viewed as threaded, chronological or "guestbook-style" lists. A wide variety of options are available both to the administrator and to the users, and "behind-the-scenes" administrative tasks (editing and deleting of messages, etc.) are a breeze! WebBBS supports automatic quoting of message text and e-mail notification of those who want to know immediately when a new message has been posted. It also offers an archive-only option, the ability to run moderated boards, and "cookie" support!

PROBLEM :
~~~~~~~~~
When you sign the guestbook, it is possible to include code in the 'Name', 'Email' or 'Message' fields. The fields are stored and written back into the page as submitted, so when the guestbook is viewed, the code is executed client side, in the browser of every visitor.

EXPLOIT :
~~~~~~~~~
For example, including the following JavaScript code in one of the 3 fields would put the guestbook out of service, because when the page is requested, it would immediately redirect every client to 'www.toto.com'.

<script>window.location.replace("http://www.toto.com");</script>

SOLUTION :
~~~~~~~~~~
No solution yet, vendor has been informed by mail.
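
The missing control in the PROBLEM section is output encoding of the three fields. The sketch below is an added example, not WebBBS code (WebBBS is a separate program and its source is not shown here): it renders one guestbook entry without and with encoding, using the payload from the EXPLOIT section. The entry layout, the function names and the e-mail pattern are assumptions made for the illustration.

```python
import html
import re

# Constructed sample entry carrying the payload quoted in the advisory.
PAYLOAD = '<script>window.location.replace("http://www.toto.com");</script>'
SAMPLE_ENTRY = {"name": PAYLOAD, "email": "visitor@example.com",
                "message": "Nice board!\n" + PAYLOAD}

# Assumption: only plain addr-spec style addresses become mailto: links.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_entry_unsafe(entry):
    """Behaviour the advisory describes: fields are copied into the page as-is."""
    return ('<p><b>Name:</b> {name} <a href="mailto:{email}">{email}</a></p>\n'
            '<p>{message}</p>').format(**entry)


def render_entry_safe(entry):
    """Encode each user-supplied field for the HTML context it lands in."""
    name = html.escape(entry["name"], quote=True)
    # Escape first, then add the only markup we generate ourselves.
    message = html.escape(entry["message"], quote=True).replace("\n", "<br>\n")
    email = entry["email"].strip()
    if EMAIL_RE.fullmatch(email):
        safe = html.escape(email, quote=True)
        email_html = '<a href="mailto:{0}">{0}</a>'.format(safe)
    else:
        # Not a plain address: show it as inert text, never inside an attribute.
        email_html = html.escape(email, quote=True)
    return '<p><b>Name:</b> {} {}</p>\n<p>{}</p>'.format(name, email_html, message)


def contains_raw_script_tag(page):
    """Regression check: does an unencoded <script tag survive in the output?"""
    return re.search(r"<\s*script", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe output keeps the tag:",
          contains_raw_script_tag(render_entry_unsafe(SAMPLE_ENTRY)))
    print("safe output keeps the tag:  ",
          contains_raw_script_tag(render_entry_safe(SAMPLE_ENTRY)))
    print(render_entry_safe(SAMPLE_ENTRY))
```

Encoding at output time also neutralises entries that were stored before the fix, which filtering at submission time does not.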