Unrated severity · NVD Advisory · Published Oct 26, 2012 · Updated Apr 29, 2026

CVE-2012-4019

Description

Cross-site scripting (XSS) vulnerability in tokyo_bbs.cgi in Come on Girls Interface (CGI) Tokyo BBS allows remote attackers to inject arbitrary web script or HTML via vectors related to the error page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tokyo BBS CGI script has a stored/reflected cross-site scripting vulnerability via unsanitized user input in error pages.

Vulnerability

Tokyo BBS, a CGI application provided by Come on Girls Interface, contains a cross-site scripting (XSS) vulnerability in tokyo_bbs.cgi. An attacker can inject arbitrary web script or HTML through vectors related to the error page, where user-controlled input (such as the filename in $FILE{'gsCustoFile'}) is directly printed without sanitization. Affected versions are all distributions of Tokyo BBS; the product is no longer maintained [1][2].

Exploitation

The vulnerability is remotely exploitable without authentication, though some user interaction (e.g., tricking a victim into visiting a crafted URL) may be required. By crafting a malicious URL or input that triggers the error page, an attacker can inject JavaScript or HTML that executes in the context of the victim's browser session [1][2][3]. The specific vector involves the error message on line 179 of the script, where the original code prints the unsanitized $FILE{'gsCustoFile'} value [3].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the user's web browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The CVSS v2 base score is 4.3 (Medium), with partial integrity impact and no direct confidentiality or availability impact [2].

Mitigation

The issue can be patched by replacing tokyo_bbs.cgi with the updated version from the developer's archive (http://c61.org/archives/tokyo_bbs.zip). Alternatively, users can manually edit line 179 to remove the vulnerable variable from the error message. However, the developer states that Tokyo BBS is no longer supported or distributed [1][3]. Users are strongly advised to apply the patch or migrate to a different bulletin board solution [2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
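
The error-page flaw and the line 179 mitigation described above, as an added Perl illustration that is not the Tokyo BBS source or the developer's patch. Only %FILE and the key 'gsCustoFile' come from the advisory; the sub names, message text and sample filename are constructed, and the escaping variant is an assumed alternative to removing the variable.

```perl
#!/usr/bin/perl
# Added illustration; NOT the Tokyo BBS source. Only %FILE and the key
# 'gsCustoFile' come from the advisory; every sub name is hypothetical.
use strict;
use warnings;

# Constructed sample: a filename that contains HTML-significant characters.
my %FILE = (gsCustoFile => q{<b>report</b>"&.txt});

# Escape the characters that are significant in HTML text and in quoted
# attribute values. '&' must be replaced first so entities are not re-escaped.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Pattern the advisory describes: a request-derived value interpolated
# straight into the error page, so any markup in it reaches the browser.
sub error_page_vulnerable {
    my ($file) = @_;
    return "<p>Error: cannot process file $file</p>\n";
}

# Fix the advisory describes: the message no longer includes the value.
sub error_page_value_removed {
    return "<p>Error: the file could not be processed</p>\n";
}

# Assumed alternative (not the developer's patch): keep the value but
# HTML-escape it at the point of output.
sub error_page_escaped {
    my ($file) = @_;
    return "<p>Error: cannot process file " . escape_html($file) . "</p>\n";
}

print "vulnerable:    ", error_page_vulnerable($FILE{gsCustoFile});
print "value removed: ", error_page_value_removed();
print "escaped:       ", error_page_escaped($FILE{gsCustoFile});
```

Grepping the script for `print` statements that interpolate `$FILE{...}` or other request-derived hashes is a quick way to confirm no other output path has the same pattern.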
