Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: b06-2584.htm

UBBThreads 5.x,6.x md5 hash disclosure



UBBThreads 5.x,6.x md5 hash disclosure
UBBThreads 5.x,6.x md5 hash disclosure



UBBThreads 5.x,6.x md5 hash disclosure=0D
-------------------------------------------=0D
Using XSS such as the one reported earlier:=0D
=0D
http://[site]/[ubbpath]/index.php?debug=[xss]=0D 
=0D
will allow you to inject javascript and steal MD5 Hashes from:=0D
=0D
http://[site]/[ubbpath]/editbasic.php=0D 
=0D
The MD5 is automatically included in the source of the html for a logged on user, the field type is password so it appears as "******" - although the source contains the MD5.  Below is an example snippet of the html source:=0D
=0D
=0D
=0D

=0D
=0D Verify Password=0D
=0D =0D =0D =0D A malicious attacker could force a user to perform a GET request to the xss containing js to steal their hash. =0D =0D The below javascript would grab the MD5 using the XMLHttpRequest object. str is defined as the ResponseText from XMLHttpRequest()=0D =0D function findmd5(str){=0D var s = str.indexOf('name="ChosenPassword" value="');=0D var e = str.indexOf('" class=f', s);=0D return str.substring(s+29, e);=0D }=0D -------------------------------------------------=0D Discovered By: =0D =0D splices=0D www.securident.com=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH