Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0
RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Tapatalk plugin for the WoltLab Burning Board forum software, which allows attackers to inject arbitrary JavaScript code via URL parameters.
Details
- Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
- Affected Versions: >= 1.0.0
- Fixed Versions: 1.1.2
- Vulnerability Type: Cross-Site Scripting
- Security Risk: high
- Vendor URL:
https://tapatalk.com
- Vendor Status: fixed version released
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
- Advisory Status: published
- CVE: CVE-2014-8869
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869
Introduction
“Tapatalk is an app built for interacting with discussion forums on mobile devices. It differs from a forum’s mobile web skin in that it offers the speed of a native app and a streamlined unified interface for every forum a user subscribes to. Tapatalk also creates a unique eco-system that allows forums to be searched and discovered by millions of Tapatalk users which in turn promotes content, new memberships, and interactions.”
(from Tapatalk’s Homepage)
More Details
The Tapatalk extension includes the PHP script welcome.php at the path
com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php
which is accessible via the URL
http://www.example.com/mobiquo/smartbanner/welcome.php
on systems using the plugin. It outputs JavaScript code that includes improperly encoded values from the two URL parameters “app_android_id” and “app_kindle_url”. Depending on which parameters is used, one of their values is assigned to the PHP variable $byo:
<?php
[...]
else if (isset($_GET['app_android_id']))
{
$app_android_id = $_GET['app_android_id'];
if ($app_android_id && $app_android_id != '-1')
$byo = "&app_android_id=$app_android_id";
}
else if (isset($_GET['app_kindle_url']))
{
$app_kindle_url = $_GET['app_kindle_url'];
if ($app_kindle_url && $app_kindle_url != '-1')
$byo = "&app_kindle_url=$app_kindle_url";
}
Later the $byo variable is used to build a URL without URL encoding it and the URL is used without further encoding in a script element:
<?php
[...]
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'
.'?referer='.urlencode($referer)
.'&code='.urlencode($code)
.'&board_url='.urlencode($board_url)
.'&lang='.urlencode($lang)
.$byo
.'&callback=?';
[...]
?>[...]
<script>$.getJSON("<?php echo $ads_url; ?>",function(data){
[...]
Proof of Concept
The following URL can be used to demonstrate the vulnerability:
http://www.example.com/mobiquo/smartbanner/welcome.php?app_kindle_url=");alert('RedTeam Pentesting');\</script\>\<!--
The result is a notification showing the text “RedTeam Pentesting”.
Workaround
The PHP function urlencode() should be used to encode the $byo variable before building a URL with it.
Fix
Update the plugin to version 1.1.2.
Security Risk
This security vulnerability is rated as a high risk. It allows to execute arbitrary JavaScript code in users’ browsers if they access URLs prepared by attackers. This provides many different possibilities for further attacks against these users. Since the plugin is used for a bulletin board, the vulnerability could be exploited to display a fake login page and obtain credentials from users or administrators. The vulnerability also affects other web applications hosted on the same domain.
Timeline
- 2014-10-20 Vulnerability identified
- 2014-10-29 CVE number requested
- 2014-11-14 CVE number assigned
- 2014-11-26 Vendor notified via
https://tapatalk.com/security.php
- 2014-12-16 Vendor notified again, received reply from vendor
- 2014-12-16 Vulnerability patched in SCM (https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871)
- 2014-12-23 Updated plugin released by vendor (https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9)
- 2015-01-08 Vendor updated release notes to mention XSS (https://support.tapatalk.com/threads/19540/#post-146253)
- 2015-01-12 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.