XSS caused by sending information between users in pbboard/pbboard-3.0.4

Valid

Reported on

Jan 30th 2023


Description

The forum allows users to send information. Although the script tag cannot be used, the img tag can also cause xss.And the program can bypass the filtering of the "cookie" string by means of entity encoding.

Video link

You can watch my video through this link first. link

https://drive.google.com/file/d/1psk7-_fok2WcRSKUr9E0kqRiqOVzI2d1/view?usp=share_link

Proof of Concept

1.Login to the forum as any user.

2.Send dangerous messages to admin users.

3.The value of the Message is below

<img src=1 onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#111;&#111;&#107;&#105;&#101;&#41;">

4.Admin users view the Message sent by the attacker.

Impact

(1) To steal the administrator account or cookie, the intruder can log in to the background as an administrator. It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretend to be a user for various operations.

(3) The website hangs horses. First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting

We are processing your report and will contact the pbboard/pbboard-3.0.4 team within 24 hours. a year ago
Christy__
a year ago

Researcher


hi,@maintainer.We intend to borrow the template of this project, but found this vulnerability during the testing process. I hope you can fix it as soon as possible. And our suggestion is to filter out all on events. You can use "strireplace('/on.*/',' ');" or other code.

PBBoard
a year ago

Maintainer


We have contacted a member of the pbboard/pbboard-3.0.4 team and are waiting to hear back a year ago
PBBoard Forum Software validated this vulnerability a year ago

bug was successfully fixed.

christynorl has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christy__
a year ago

Researcher


@admin,can we assign a cve for this?

Ben Harvie
a year ago

Admin


The maintainer is in control of CVE assignment, they have the option after fixing & publishing. Please refrain from tagging admins for this request, thanks.

Christy__
a year ago

Researcher


hi, @admin ,The bug has been fixed, but the maintainer told me that he had a 'commit sha not found in repository' when marking the report as fixed. Can you mark the report as fixed, thanks.And the commit is https://github.com/pbboard/PBBoard-3.0.4/commit/8c7d596b557589f812dec434c162bd7b1b90973f

Christy__
a year ago

Researcher


hi, @admin ,I contacted the manager of the project through email, but he still couldn't mark this report successfully. the commit is https://github.com/pbboard/PBBoard-3.0.4/commit/8c7d596b557589f812dec434c162bd7b1b90973f . You can also verify whether the vulnerability has been fixed .I hope you can help us, which is very important to me, thank you.

Christy__
a year ago

Researcher


hi, @admin ,could you help us to mark this report as fixed.We have confirmed that the vulnerability was successfully repaired.Thanks

Ben Harvie marked this as fixed in 3.0.4 with commit 8c7d59 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
Ben Harvie
a year ago

Admin


Hey Christy__, the report has now been marked as fixed as requested, thanks!

to join this conversation