Sentinel Chicken Networks Security Advisory #02

Prospero¤ Message Boards Cross-Site Scripting Vulnerability

Date: Feb 10, 2002
Risk: Low
Websites: www.wto.org, www.aarp.org, www.csmonitor.com, www.about.com, and many others listed on:
  http://www.prospero.com/clients.htm

Vendor was contacted about this problem on Jan 13, 2002.
Vendor agreed there was a problem and attempted a fix, which is not complete.

Product Description

Prospero MessageBoards¤ is a web application for holding forums and chat boards on just about any topic. More information is available on Prospero's website¤.

Problem Overview

The message boards application has a cross-site scripting vulnerability that allows an attacker to post client-side scripts (JavaScript, VBScript, etc.) which are then displayed un-escaped to other users who view the message.
A variety of things can be achieved by such an attack, not all of which will be presented in this advisory. One possible scenario is theft of the MessageBoard account of the user viewing the page.

Technical Details

When posting a message to the MessageBoard application, users are presented with the option of using HTML in their message. If this option is selected, a user can slip any un-escaped web page content into the message, to be viewed later by other users. Since cookies are used to authenticate users to this website, an unsuspecting user could have this information stolen by the attacker's client-side script. The attacker could then post messages as if they were the victim. Before the vendor was originally notified, any HTML/JavaScript at all could be slipped through. Now only certain malicious text may be slipped through.

An example of a script that could be posted:
<b
<input type="button" value="Cookie for you"onClick="alert(document.cookie)"
>CLICK HERE FOR IMPORTANT DOCUMENT>
</b>
Also, a sample message which demonstrates this can be found at:
  http://community.aarp.org/rp-mygeneration/messages?msg=36.31
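The fix the advisory asks for is on the server side: either escape everything a poster submits, or, if an "allow HTML" option is offered, rebuild the post from an allowlist of harmless tags and drop every attribute that can carry script. The following Python sanitizer is an added example written for this advisory; it is not Prospero's code. The tag and attribute allowlists, the accepted URL schemes and the function names are illustrative assumptions, and the sample post at the bottom is the one quoted above.

```python
"""Allowlist HTML sanitizer for user-posted message-board content.

Added example, not Prospero's code.  Shows the two safe choices a board has
when a poster supplies HTML: escape everything, or keep a small allowlist of
formatting tags and drop every attribute that can carry script.
The allowlists and function names below are illustrative assumptions.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist: tags a forum might reasonably let posters use.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "blockquote", "a"}
# Per-tag attribute allowlist: no event handlers (on*), no style, no src.
ALLOWED_ATTRS = {"a": {"href"}}
# URL schemes accepted for href; rejects javascript:, vbscript:, data: etc.
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Tags whose text content is discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style"}
VOID_TAGS = {"br"}

# The advisory's own sample post, reproduced here as test input only.
ADVISORY_SAMPLE = (
    '<b\n'
    '<input type="button" value="Cookie for you"onClick="alert(document.cookie)"\n'
    '>CLICK HERE FOR IMPORTANT DOCUMENT>\n'
    '</b>'
)


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is text or gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # allowed tags emitted but not yet closed
        self.suppress_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.suppress_depth += 1
            return
        if self.suppress_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags (input, img, iframe, ...) vanish entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onClick and every other non-allowlisted attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.suppress_depth = max(0, self.suppress_depth - 1)
            return
        if tag in self.open_tags:
            # Close anything still open inside it so the output stays well formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.suppress_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close tags the poster left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def render_message(text, allow_html=False):
    """Return the HTML-safe form of a posted message."""
    if not allow_html:
        # Option 1: the poster gets no markup at all; everything is escaped.
        return html.escape(text, quote=True)
    # Option 2: keep a small set of formatting tags, rebuild from scratch.
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(render_message(ADVISORY_SAMPLE, allow_html=True))
    print(render_message('<a href="javascript:alert(1)">x</a>', allow_html=True))
```

The design point is that the output is regenerated from the parsed tree rather than filtered by pattern-matching the input. A blocklist fix of the kind described above ("only certain malicious text may be slipped through") has to anticipate every way a tag or attribute can be written; an allowlist emitter never copies anything it did not explicitly recognise, so the malformed `<b` / `<input` construction in the sample post comes out as a plain `<b>` around escaped text.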

Possibly a more serious problem lies in the way these message boards allow such an attack to reach so many users through an anonymous website. Given the recent vulnerabilities in Microsoft¤ Internet Explorer¤, and other browsers, an attacker could potentially post a message which steals much more than just cookies. Other types of widespread attacks are left up to the reader's imagination.

In addition to this problem, it was also noticed that after creating an account on www.wto.org, access was granted as that same user on www.staples.com. While the value of separate user namespaces for each site run by Prospero¤ may be small, the fact that users are thrown into the same pool is a very bad security practice and should be noted by the vendor.

Credits

Discovered by:
  Tim Morgan


¤ Names, marks, products, and gadgets listed in this advisory are owned by their respective, paranoid, companies.

This advisory is intended for educational use only. The author(s) will not take responsibility for the consequences of its dissemination.

Content on this page, unless otherwise indicated, is © 2002-2010 Sentinel Chicken Networks.
Reproduction is authorized under our terms.