CVE-2006-0155
Description
Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing input sanitization in the URL bbcode tag handler allows injection of arbitrary JavaScript URIs."
Attack vector
An attacker posts a new message in posts.php containing a [url] bbcode tag with a javascript: URI as the link target, e.g. [url=javascript:alert(xss)]clickme[/url] [ref_id=1]. When another visitor clicks the rendered link, the attacker's JavaScript executes in the context of the victim's browser. No authentication is required to post the malicious message, and the only precondition is that a victim user clicks the crafted link.
Affected code
The vulnerable code is in posts.php, which handles message posting and bbcode rendering [ref_id=1]. The advisory does not specify the exact function or line, but the defect is in the bbcode parser's handling of the [url] tag — it fails to validate or sanitize the URL scheme before inserting it into an HTML anchor element.
What the fix does
No patch is available for this vulnerability [ref_id=1]. The advisory states that the vendor should sanitize the URL parameter in the bbcode tag handler to reject or properly encode javascript: URIs and other non-HTTP schemes. As of the advisory's publication date, the vendor had not released an update [ref_id=1].
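The scheme check the advisory calls for, written as an added Python example rather than 427BB's own code (the forum is PHP, and its posts.php parser is not reproduced here). It contrasts a [url] handler with the defect described above against one that accepts only explicit http/https targets and escapes the href and link text, and it goes beyond the single payload on the page by covering the scheme-spoofing variants a reviewer would test (mixed case, an embedded tab, leading whitespace, a protocol-relative target, a quote-breakout attempt). The sample posts are constructed and the function names are my own; only the [url] tag is handled, on the assumption that the rest of the message body is HTML-escaped separately.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts. The first is the payload shape given in the advisory;
# the rest are variants that a scheme check must also reject or neutralise.
SAMPLE_POSTS = [
    "[url=javascript:alert(xss)]clickme[/url]",
    "[url=  JaVaScRiPt:alert(1)]mixed case and leading space[/url]",
    "[url=java\tscript:alert(1)]tab inside scheme[/url]",
    "[url=//evil.example/]protocol-relative[/url]",
    "[url=http://example.com/?a=1&b=2]plain link[/url]",
    '[url=https://example.com/"onmouseover="alert(1)]quote breakout[/url]',
]

# Matches [url=<target>]<text>[/url]; the target may not contain ']'.
URL_TAG = re.compile(r"\[url=(?P<href>[^\]]*)\](?P<text>.*?)\[/url\]",
                     re.IGNORECASE | re.DOTALL)

ALLOWED_SCHEMES = {"http", "https"}
# Space plus all C0 control characters (0x00-0x20), which browsers strip from
# the start of a URL before deciding its scheme.
CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21))


def render_url_tag_vulnerable(post: str) -> str:
    """The pattern the advisory describes: the tag value goes straight into
    href with no scheme check and no escaping (hypothetical reconstruction)."""
    return URL_TAG.sub(
        lambda m: f'<a href="{m.group("href")}">{m.group("text")}</a>', post)


def safe_href(raw: str):
    """Return the cleaned URL if its scheme is explicitly http or https,
    otherwise None. Applies the same normalisation a browser would, so the
    check cannot be bypassed with case, whitespace or embedded tabs."""
    # Browsers drop ASCII tab/CR/LF anywhere in a URL, so "java\tscript:"
    # is still a javascript: URI to the browser; remove them first.
    cleaned = re.sub(r"[\t\r\n]", "", raw).strip(CONTROL_AND_SPACE)
    if not cleaned:
        return None
    try:
        scheme = urlsplit(cleaned).scheme  # urlsplit lowercases the scheme
    except ValueError:                     # e.g. malformed IPv6 literal
        return None
    # Empty scheme (relative or protocol-relative targets) is rejected too:
    # the rendered page's own scheme would be inherited, which is not something
    # the poster should control.
    if scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned


def render_url_tag_hardened(post: str) -> str:
    """Reject non-HTTP(S) targets and escape both href and link text so a
    quote in the target cannot break out of the attribute."""
    def repl(m: re.Match) -> str:
        href = safe_href(m.group("href"))
        text = html.escape(m.group("text"), quote=True)
        if href is None:
            # Drop the link but keep the visible text so the post still reads.
            return text
        return f'<a href="{html.escape(href, quote=True)}" rel="nofollow">{text}</a>'
    return URL_TAG.sub(repl, post)


def rejected_targets(posts) -> list:
    """Targets from the given posts that the hardened handler refuses to link."""
    out = []
    for post in posts:
        for m in URL_TAG.finditer(post):
            if safe_href(m.group("href")) is None:
                out.append(m.group("href"))
    return out


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("input:     ", post)
        print("vulnerable:", render_url_tag_vulnerable(post))
        print("hardened:  ", render_url_tag_hardened(post))
        print()
```

The design choice worth noting is that `safe_href` is an allowlist, not a blocklist of `javascript:`; anything without an explicit http or https scheme is dropped, which also covers `data:`, `vbscript:` and protocol-relative targets without enumerating them. Escaping the href after the check is what defeats the quote-breakout case, which has a valid scheme and would pass the scheme check alone.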
Preconditions
- Auth: the attacker must be able to post a new message on the forum (may require registration depending on forum configuration).
- Input: a victim user must click the crafted link in the posted message.
Reproduction
1. Log in to the 427BB forum (registration may be required).
2. Navigate to the "New Message" or "Post Reply" page (posts.php).
3. Enter the following as the message body: [url=javascript:alert(xss)]clickme[/url] [ref_id=1].
4. Submit the message.
5. Any user who clicks the "clickme" link in the rendered post will trigger the JavaScript alert.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.