The interesting part of this bug is the fact that it's exploitable on some very large sites, and is open to a large number of users. Bulletin boards in particular allow inline image posting, and this is what creates the problem... inline images in a system with cookie-based authentication. EZBoard, UBB, and IkonBoard are all big-time products, and are open to both sides of the vulnerability within the programs.

A ticket solution would work, but wouldn't be any more helpful than checking for POST vs. GET. JavaScript, IIRC, can access form elements in another page. So, I could simply load poll_questions.php into a frame, check the values of the hidden <input> tags, and then create a POST submission using that ticket.

The reason for the POST vs. GET fix is that bulletin board users can't create HTTP POST transmissions from within the forums. The vulnerability lies in the fact that the two sides of the hole are so closely related, whereas in a JavaScript-enabled web page, it would be a form on ServerA posting to a form on ServerB. While it would still work, the user would have to somehow access the external page. Inline images force everyone who views the forum to access the "page", without them having to click on a link taking them to a remote server.

This technique has more issues than just false authentication, though, and could possibly be used towards distributed DoS type attacks. Some forums have 50k+ users, and each user who viewed a certain thread could be accessing some resource-intensive script on a remote server. If posted on several highly trafficked forums, the victimized server would go down in no time.

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - servicesat_private
______________________________
/ Chris Lambert - cjlambertat_private
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
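As an added illustration (not code from the post above or from any of the boards it names), the following sketch puts the cookie-only poll handler the post describes next to a hardened version that accepts a vote only over POST and only with a ticket bound to the session. All names, the session store and the sample requests are hypothetical, constructed for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret and session store, constructed for this example.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-abc": {"user": "alice"}}


def csrf_token(session_id):
    """Derive a per-session ticket as HMAC(secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vote_unsafe(request):
    """The pattern the post describes: any request that carries the auth
    cookie is honoured, so a GET fired by an <img> tag in a forum thread
    is counted as that viewer's vote."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401, "not logged in"
    return 200, "%s voted %s" % (session["user"], request["params"].get("choice"))


def vote_safe(request):
    """Hardened handler: the cookie alone is not enough. The vote must
    arrive as POST (an inline image can only produce GET) and carry a
    ticket tied to this session, compared in constant time."""
    session_id = request.get("cookie")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "POST required"
    ticket = request["params"].get("ticket", "")
    if not hmac.compare_digest(ticket, csrf_token(session_id)):
        return 403, "bad or missing ticket"
    return 200, "%s voted %s" % (session["user"], request["params"].get("choice"))


# Constructed sample requests. IMG_GET is what the browser sends for an
# <img src=...> on a bulletin board page: GET, with the viewer's cookie attached.
IMG_GET = {"method": "GET", "cookie": "sess-abc", "params": {"choice": "2"}}
FORM_POST = {"method": "POST", "cookie": "sess-abc",
             "params": {"choice": "2", "ticket": csrf_token("sess-abc")}}

if __name__ == "__main__":
    print(vote_unsafe(IMG_GET))   # counted: the cookie-only check is fooled
    print(vote_safe(IMG_GET))     # rejected: wrong method, no ticket
    print(vote_safe(FORM_POST))   # accepted: real form submission
```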
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 11:33:06 PDT