COMMAND

	postboard css vunerabilities and bbcode encoding problems

SYSTEMS AFFECTED

	Postboard 2.0/2.0.1

PROBLEM

	gcsb reported following :
	

	PostBoard is an  add-on  module  for  the  PostNuke  content  management
	system  which  implements  a  forum  system.  The  current  version   of
	PostBoard is 2.0.1 and can be found at:
	

	http://www.nukeaddon.com or ftp://ftp.dndresources.com

	

	

	I have discovered 3 problems  with  it.  One  of  which  was  originally
	discovered in another product by someone else. These all  exist  in  the
	2.0/2.0.1 version.
	

	 Descriptions

	 ============

	

	1) bbcode IMG tag cross-site scripting
	

	PostBoard uses the common bbcode markup system which uses  tags  similar
	to html. The [IMG] tag will accept any source including javascript.  For
	example:
	

	

	[IMG]javascript:alert(\'give me cookies\');[/IMG]

	

	

	The above javascript will execute on the victims machine upon viewing  a
	message that contains it.
	

	

	

	2) Topic title cross-site scripting
	

	When adding a new topic to a forum the user enters  a  title  for  their
	new topic. The topic title can contain any  valid  HTML  code  including
	<script> tags. For example you can create a topic with the  following
	title and the script will execute when someone views the list of  topics
	in a forum:
	

	

	<script>alert(\'give me cookies\');</script>

	

	

	3) bbcode encoding problems
	

	A recent advisory from Whitecell  exposed  vulnerabilities  in  phpBB\'s
	handling of nested bbcode tags which can  lead  to  database  corruption
	and high CPU usage.
	

	PostBoard appears to use the same code  as  phpBB  for  encoding  bbcode
	tags to HTML. It would be fair to assume  that  PostBoard  suffers  from
	the same problems as phpBB in this regard.
	

	The original advisory by Whitecell can be found here:
	

	

	http://online.securityfocus.com/archive/1/265798

	http://dev.securitybugware.org/Other/5245.html

	

	

	A solution is provided in the above advisory.
	

	Note: I have not tested this, but as the code in  PostBoard  appears  to
	have been pasted from phpBB it\'s a fairly safe bet the problem exists.

SOLUTION

	

	1) Only allow URLs that start with \'http://\'
	

	2) Do not allow  unsafe  HTML  in  topic  titles.  There  are  functions
	available to do this in the PostNuke API (i.e. pnVarPrepHTMLDisplay).
	

	 Workarounds

	 ===========

	

	The only pratical workaround for these problems is to  remove  PostBoard
	from your site, or deny access to it until a fix  is  released.  Or  try
	and patch it yourself.