Bugtraq mailing list archives

Re: CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]


From: Andrew Clover <and () doxdesk com>
Date: Fri, 11 Jan 2002 17:13:36 +0000

"Obscure" <obscure () eyeonsecurity net> wrote:

> In fact UBB now filters keywords such as javascript and cookie.
> To circumvent this filtering, I made use of html encoding techniques.

This demonstrates the extreme weakness of the filtering approach. Filtering
known-bad constructs usually fails. Including a parser that allows only
known-good markup fares better, but is hard.

I have not tested the latest updates, but here are some more approaches
to script injection that were allowed through on a UBB forum I frequent:

  <body onload="alert()">

  <link rel="stylesheet" href="jav&#97script&#58;alert&#40;)">

  <p style="width: expression&#40;alert&#40;))">

(works on IE thanks to dynamic properties, executes immediately.)

  <img src="vbscript:alert">

(javascript: is not the only potentially harmful kind of URL)

  <a href="about&#58;&lt;s&#99;ript&gt;alert&#40;)">

(another one for IE)

  <a href=&{location='stealcookie.cgi?'};>

(one for Netscape 4, so it doesn't feel left out.)

All the above can be made to steal cookies - filtering the string
"document.cookie" does no good whatsoever since one can just as well do
"document['coo'+'kie']". I'm sure there are many more holes I missed.

Ever since Netscape's idiotic invention of 'javascript:' URLs, browser
manufacturers have been adding more and more stupid ways to embed scripting
content in HTML. This makes it practically impossible to write a forum that
allows markup without including a proper HTML parser with very restrictive
rules.

This doesn't just affect forum systems, but any web site that allows the
user to input markup. Look at all the Hotmail holes we've had, for
example. Add user-markup features to your web sites with extreme caution!

-- 
Andrew Clover
mailto:and () doxdesk com
http://and.doxdesk.com/
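The post argues that filtering known-bad strings fails and that a parser admitting only known-good markup fares better. The following is an added example of that allowlist approach in Python; it is not part of the original post and not code from UBB or YaBB. The tag, attribute and URL-scheme allowlists, and the names `sanitize`, `safe_url` and `Sanitizer`, are illustrative choices made here. It drops every tag and attribute not on the list (so `body onload`, `link`, `style` and any `on*` handler vanish), decodes entities in URL attributes before checking the scheme (defeating `jav&#97script&#58;`), refuses URL characters outside the RFC 3986 set (which catches the Netscape `&{...}` form), and re-escapes everything it emits.

```python
"""Allowlist HTML sanitizer (added example; assumptions noted in comments)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative allowlists; a real forum would tune these to its needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # relative URLs (no scheme) also pass
VOID_TAGS = {"br", "img"}
# RFC 3986 URL characters; '{', '<', '>' and friends are refused outright.
URL_CHARS = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")


def safe_url(value):
    """Return the URL if its scheme is allowlisted, otherwise None."""
    decoded = value
    for _ in range(3):  # decode entities until stable so nested encoding cannot hide a scheme
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Browsers ignore control characters and whitespace inside a scheme, so strip
    # them before inspecting it; the check runs on this probe, not on the raw value.
    probe = "".join(ch for ch in decoded if ch.isprintable() and not ch.isspace())
    if not URL_CHARS.match(probe):
        return None
    scheme = urlsplit(probe).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return decoded


class Sanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # body, link, script, style, ... are dropped whole
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style=, onload= and every other unlisted attribute
            value = "" if value is None else value
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close anything left open after it, keeping output well-formed
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is always re-escaped

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs taken from the post's list of bypasses.
    for sample in ['<body onload="alert()">hi',
                   '<p style="width: expression&#40;alert&#40;))">x</p>',
                   '<a href="jav&#97script&#58;alert&#40;)">x</a>',
                   "<a href=&{location='stealcookie.cgi?'};>x</a>"]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Note that the scheme check is applied to a decoded, whitespace-stripped copy while the original (decoded) value is what gets re-escaped and emitted, so an attribute can neither smuggle a scheme past the check nor break out of its quotes in the output. The `style` attribute is simply not on the allowlist, which is the only reliable way to handle IE's `expression()` without writing a CSS parser.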