TUCoPS :: Web BBS :: Frequently Exploited :: b06-2584.htm

UBBThreads 5.x,6.x md5 hash disclosure
UBBThreads 5.x,6.x md5 hash disclosure
UBBThreads 5.x,6.x md5 hash disclosure


UBBThreads 5.x,6.x md5 hash disclosure=0D
-------------------------------------------=0D
Using XSS such as the one reported earlier:=0D
=0D
http://[site]/[ubbpath]/index.php?debug=[xss]=0D 
=0D
will allow you to inject javascript and steal MD5 Hashes from:=0D
=0D
http://[site]/[ubbpath]/editbasic.php=0D 
=0D
The MD5 is automatically included in the source of the html for a logged on user, the field type is password so it appears as "******" - although the source contains the MD5.  Below is an example snippet of the html source:=0D
=0D
=0D
=0D

=0D

=0D
Verify Password=0D

=0D
=0D
=0D
=0D
A malicious attacker could force a user to perform a GET request to the xss containing js to steal their hash.  =0D
=0D
The below javascript would grab the MD5 using the XMLHttpRequest object.  str is defined as the ResponseText from XMLHttpRequest()=0D
=0D
function findmd5(str){=0D
	var s = str.indexOf('name="ChosenPassword" value="');=0D
	var e = str.indexOf('" class=f', s);=0D
	return str.substring(s+29, e);=0D
}=0D
-------------------------------------------------=0D
Discovered By: =0D
=0D
splices=0D
www.securident.com=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH