UBBThreads 5.x, 6.x MD5 hash disclosure
-------------------------------------------
Using an XSS such as the one reported earlier:

http://[site]/[ubbpath]/index.php?debug=[xss]

will allow you to inject JavaScript and steal MD5 hashes from:

http://[site]/[ubbpath]/editbasic.php

The MD5 is automatically included in the HTML source for a logged-on user. The field type is password, so it appears as "******", although the source contains the MD5. Below is an example snippet of the HTML source:

Verify Password

A malicious attacker could force a user to perform a GET request to the XSS URL containing JavaScript that steals their hash.

The JavaScript below would grab the MD5 using the XMLHttpRequest object. str is defined as the responseText from XMLHttpRequest().

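// str is the responseText of the editbasic.php page
function findmd5(str) {
    // start of the ChosenPassword field's value attribute
    var s = str.indexOf('name="ChosenPassword" value="');
    // end of the value: the closing quote followed by the class attribute
    var e = str.indexOf('" class=f', s);
    // 29 is the length of the marker string searched for above
    return str.substring(s + 29, e);
}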
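
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it scans rendered HTML for password inputs that arrive with a pre-filled value attribute. The sample markup and its hash value are constructed; only the ChosenPassword field name comes from the advisory.

```javascript
// Added audit example (not from the advisory). Flags password inputs whose
// value attribute is pre-filled and notes when the value looks like an MD5.
// The value itself is never copied into the findings.

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Return one finding per password input that ships a non-empty value.
function findPrefilledPasswordFields(html) {
  const findings = [];
  // Quoted attribute values may contain '>', so skip over them as units.
  const tags = html.match(/<input\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi) || [];
  for (const tag of tags) {
    const a = parseAttrs(tag);
    if ((a.type || "").toLowerCase() !== "password") continue;
    if (!a.value) continue; // empty or absent value: nothing is disclosed
    findings.push({
      name: a.name || "(unnamed)",
      length: a.value.length,
      looksLikeMd5: /^[0-9a-f]{32}$/i.test(a.value),
    });
  }
  return findings;
}

// Constructed sample markup: the field as the advisory describes it, and the
// same field rendered with an empty value (the corrected form).
const SAMPLE_VULNERABLE =
  '<input type="password" name="ChosenPassword" ' +
  'value="0123456789abcdef0123456789abcdef" class=formboxes>';
const SAMPLE_FIXED =
  '<input type="password" name="ChosenPassword" value="" class=formboxes>';

console.log(findPrefilledPasswordFields(SAMPLE_VULNERABLE));
console.log(findPrefilledPasswordFields(SAMPLE_FIXED));
```
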
-------------------------------------------------
Discovered By:

splices
www.securident.com