
Ultimate Bulletin Board - easier way to retrieve user names & passwords

In response to Scott Ashman's post about UBB.

After I discovered this bug last week I tried to contact Infopop on 3 email addresses from their contact page. I finally managed to find one that didn't bounce, but I haven't received any response yet.

Anyway, Scott describes a way to retrieve other users' usernames and by putting some JavaScript between the image tags in a message; however, there is an easier and less noticeable way to achieve this.

After logging in, 2 cookies are sent (cut from Netscape's cookies.txt):
host FALSE / FALSE 1013870132 login2451956.1435

host FALSE / FALSE 1045406132 ubber2451956.1435

The second cookie consists of 5 parts: the username, the password, the name that will be displayed when you post, a number of which I'm not sure what it means, and the member number, padded with 0's.

It seems that the only part that actually gets checked is the member number. So if you send the same cookie, but with a different member number, back (the numbers can be found in the messages) you will be logged in as that member. You can then post messages, edit messages and do whatever else that particular user can do on the board. It seems member number 1 is the administrator, so if you edited Netscape's cookie file to make the cookie say this:

host FALSE / FALSE 1045406132 ubber2451956.1435

you'd be able to edit and delete the messages from all users. To make matters worse, the board will replace the fake cookie with one that holds the info for the user whose member number you sent back. This includes the password.

This has been tested on Ultimate Bulletin Board 6.0, Beta 7.8.
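
Added example (not part of the original post and not Infopop's code): a Python sketch of the check the post describes, where only the member number in the cookie is consulted, beside a hardened form that keeps the password out of the cookie and binds the member number to a server-side HMAC key. The "&" field separator, the member table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed member table for this example (not data from the post).
MEMBERS = {
    "00000001": {"name": "admin", "is_admin": True},
    "00000042": {"name": "alice", "is_admin": False},
}
SERVER_KEY = secrets.token_bytes(32)  # per-install secret, never sent to a client


def flawed_lookup(cookie: str):
    """Behaviour described in the post: only the last field (member number) is used."""
    return MEMBERS.get(cookie.split("&")[-1])


def _tag(member_no: str) -> str:
    """HMAC-SHA256 over the member number, keyed with the server secret."""
    return hmac.new(SERVER_KEY, member_no.encode(), hashlib.sha256).hexdigest()


def issue_cookie(member_no: str) -> str:
    """Hardened cookie: no password, member number plus its HMAC tag."""
    return f"{member_no}&{_tag(member_no)}"


def verified_lookup(cookie: str):
    """Accept the member number only when its tag verifies (constant-time compare)."""
    member_no, sep, tag = cookie.partition("&")
    if not sep:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(member_no).encode()):
        return None
    return MEMBERS.get(member_no)


if __name__ == "__main__":
    # Constructed cookie with the five fields the post lists, member number changed to 1.
    edited = "alice&pw&Alice&0&00000001"
    print("flawed check accepts as:", flawed_lookup(edited)["name"])
    good = issue_cookie("00000042")
    swapped = "00000001&" + good.split("&")[1]
    print("hardened check, own cookie:", verified_lookup(good)["name"])
    print("hardened check, swapped member number:", verified_lookup(swapped))
```

A server-side session table keyed by a random identifier gives the same binding and also allows a session to be revoked.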

