[23701] in bugtraq


Vulnerability in user posting in Nick.com forums

daemon@ATHENA.MIT.EDU (Danny Ricci)
Fri Jan 4 18:35:52 2002

Date: Fri, 4 Jan 2002 15:37:37 -0500
Mime-Version: 1.0 (Apple Message framework v480)
Content-Type: text/plain; charset=US-ASCII; format=flowed
From: Danny Ricci <danny@dricci.com>
To: bugtraq@securityfocus.com
Content-Transfer-Encoding: 7bit
Message-Id: <E3CB7774-0152-11D6-8176-0003931C466E@dricci.com>

I have discovered a serious flaw in the Nick.com Children's TV Site's 
message boards.

Information: Nick.com is a website for kids who watch the Nickelodeon 
cable channel. They offer a message board area that's moderated heavily 
to try to make it one of the safest areas on the net.

Vulnerability: When you create a user and log in to their message board 
system (powered by PeopleLink), a JavaScript window pops up with the 
forum selection and main content inside. This doesn't work too well with 
window resizing/scrolling in Mac OS X (my OS of choice), so I chose to 
open the JavaScript's HTML contents in a new window. This helped the 
problem, but revealed a major flaw in their user identification system. 
The URL is formed like this:
http://plnk.peoplelink.com/plnk/nickelodeon/boards40/frame.cfm?handle=ANY_USERNAME_HERE&intgroup=100000910

Handle means the username of the poster. "intgroup" is the Forum/Message 
ID. You can change the "handle" part of the URL to _ANY_ name, including 
already registered names. You can then post as any username. However, 
all messages take up to 24 hours to be "approved," but if the message is 
"clean," it usually will be approved, even if the name is fake. This 
has been tested. It was obvious that this was hidden in a JavaScript 
popup, probably to cover this flaw.

I have contacted the webmaster and the domain's whois contact (which 
bounced back). Today the site announced a fix which would take place 
Monday:

Fix: Nick.com forum moderators have confirmed they will be switching to 
a new message board system this coming Monday, and leaving all former 
data behind. This appears to be due to the problem I discovered; however, 
I was never contacted directly to confirm this.
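The flaw described above is a general pattern: the poster's identity is read from a client-controlled query parameter instead of from server-side login state. The following is an added example (not code from the post, PeopleLink or Nick.com) that models that pattern as a toy message board beside a session-bound fix. The user table, passwords, class names and the `demo()` helper are all constructed for illustration; only the URL shape (`handle=...&intgroup=...`) comes from the post, and nothing here reflects how the real frame.cfm was implemented.

```python
"""Client-supplied identity vs. session-bound identity, as a toy message board.

Hypothetical, added example (not PeopleLink's or Nick.com's code).  The
vulnerable class mirrors the URL shape in the post:
    frame.cfm?handle=ANY_USERNAME_HERE&intgroup=100000910
and trusts `handle` outright.  The fixed class binds identity to an opaque
session token issued at login and refuses a URL whose handle disagrees.
Users, passwords and tokens below are constructed for the demo.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed user table: handle -> password.  Plain text only to keep the
# toy short; a real system would store a salted password hash.
USERS = {"alice": "alice-pw", "mallory": "mallory-pw"}


def _query(url):
    """Return the first value of each query parameter in `url`."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class VulnerableBoard:
    """Poster identity is whatever the `handle` query parameter says."""

    def __init__(self):
        self.posts = []

    def post(self, url, body):
        q = _query(url)
        handle = q.get("handle", "")  # attacker-controlled, never verified
        self.posts.append({"group": q.get("intgroup"), "handle": handle, "body": body})
        return handle


class SessionBoard:
    """Poster identity comes from a server-side session, never from the URL."""

    def __init__(self):
        self.posts = []
        self.sessions = {}  # opaque token -> handle

    def login(self, handle, password):
        expected = USERS.get(handle, "")
        # compare_digest avoids a timing side channel on the password check
        if not expected or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, not derived from handle
        self.sessions[token] = handle
        return token

    def post(self, url, body, token):
        handle = self.sessions.get(token)
        if handle is None:
            raise PermissionError("no valid session")
        q = _query(url)
        claimed = q.get("handle")
        # A handle may still ride along in the URL for display, but it must
        # match the session; the session is the only source of truth.
        if claimed is not None and claimed != handle:
            raise PermissionError(f"URL claims {claimed!r} but session is {handle!r}")
        self.posts.append({"group": q.get("intgroup"), "handle": handle, "body": body})
        return handle


# Constructed spoofing URL in the shape quoted in the post.
SPOOF_URL = ("http://plnk.peoplelink.com/plnk/nickelodeon/boards40/frame.cfm"
             "?handle=alice&intgroup=100000910")


def demo():
    """Mallory tries to post as alice on both boards.

    Returns (handle the vulnerable board recorded, what the fixed board did).
    """
    vulnerable = VulnerableBoard()
    spoofed_as = vulnerable.post(SPOOF_URL, "hi from 'alice'")  # no login needed

    fixed = SessionBoard()
    token = fixed.login("mallory", "mallory-pw")  # Mallory's own, valid session
    try:
        fixed.post(SPOOF_URL, "hi from 'alice'", token)
        outcome = "accepted"
    except PermissionError:
        outcome = "rejected"
    return spoofed_as, outcome


if __name__ == "__main__":
    print(demo())
```

The point of the fix is not the extra comparison but where identity originates: the session token is issued only after a password check and is unguessable, so the only way to post as alice is to hold alice's token. Hiding the URL in a JavaScript popup, as the post notes, changes nothing, since the request is equally forgeable from any client.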
