what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting

WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting
Posted Jan 13, 2015
Site redteam-pentesting.de

WoltLab Burning Board version 4.0 Tapatalk plugin suffers from a cross site scripting vulnerability. Versions 1.0.0 and above but below 1.1.2 are affected.

tags | exploit, xss
advisories | CVE-2014-8869
SHA-256 | 5d11f55fff359670f82ee7eec867318f3c3de3d121e95796ea80115d45a95335

WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting

Change Mirror Download
Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning
Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the Tapatalk plugin for the WoltLab Burning Board forum software,
which allows attackers to inject arbitrary JavaScript code via URL
parameters.


Details
=======

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: >= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869


Introduction
============

"Tapatalk is an app built for interacting with discussion forums on
mobile devices. It differs from a forum’s mobile web skin in that it
offers the speed of a native app and a streamlined unified interface for
every forum a user subscribes to. Tapatalk also creates a unique
eco-system that allows forums to be searched and discovered by millions
of Tapatalk users which in turn promotes content, new memberships, and
interactions."

(from Tapatalk's Homepage)


More Details
============

The Tapatalk extension includes the PHP script welcome.php at the path

com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php

which is accessible via the URL

http://www.example.com/mobiquo/smartbanner/welcome.php

on systems using the plugin. It outputs JavaScript code that includes
improperly encoded values from the two URL parameters "app_android_id"
and "app_kindle_url". Depending on which parameters is used, one of
their values is assigned to the PHP variable $byo:

------------------------------------------------------------------------
<?php
[...]
else if (isset($_GET['app_android_id']))
{
$app_android_id = $_GET['app_android_id'];
if ($app_android_id && $app_android_id != '-1')
$byo = "&app_android_id=$app_android_id";
}
else if (isset($_GET['app_kindle_url']))
{
$app_kindle_url = $_GET['app_kindle_url'];
if ($app_kindle_url && $app_kindle_url != '-1')
$byo = "&app_kindle_url=$app_kindle_url";
}
------------------------------------------------------------------------

Later the $byo variable is used to build a URL without URL encoding it
and the URL is used without further encoding in a script element:

------------------------------------------------------------------------
<?php
[...]
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'
.'?referer='.urlencode($referer)
.'&code='.urlencode($code)
.'&board_url='.urlencode($board_url)
.'&lang='.urlencode($lang)
.$byo
.'&callback=?';
[...]
?>[...]

<script>$.getJSON("<?php echo $ads_url; ?>",function(data){
[...]
------------------------------------------------------------------------


Proof of Concept
================

The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php
?app_kindle_url=");alert('RedTeam Pentesting');</script><!--

The result is a notification showing the text "RedTeam Pentesting".


Workaround
==========

The PHP function urlencode() should be used to encode the $byo variable
before building a URL with it.


Fix
===

Update the plugin to version 1.1.2.


Security Risk
=============

This security vulnerability is rated as a high risk. It allows to
execute arbitrary JavaScript code in users' browsers if they access URLs
prepared by attackers. This provides many different possibilities for
further attacks against these users. Since the plugin is used for a
bulletin board, the vulnerability could be exploited to display a fake
login page and obtain credentials from users or administrators. The
vulnerability also affects other web applications hosted on the same
domain.


Timeline
========

2014-10-20 Vulnerability identified
2014-10-29 CVE number requested
2014-11-14 CVE number assigned
2014-11-26 Vendor notified via https://tapatalk.com/security.php
2014-12-16 Vendor notified again, received reply from vendor
2014-12-16 Vulnerability patched in SCM [0]
2014-12-23 Updated plugin released by vendor [1]
2015-01-08 Vendor updated release notes to mention XSS [2]
2015-01-12 Advisory released


References
==========

[0] https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871
[1] https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9
[2] https://support.tapatalk.com/threads/19540/#post-146253


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close