In response to Scott Ashman's post about UBB.

After i discovered this bug last week i tried to contact infopop on 3
email adresses
from their contact page i finally managed to find one that didn't
bounce, but i haven't
recieved any response yet.

Anyway, Scott describes a way to retrieve other user's usernames and
passwords
by putting some javascript betweenthe image tags in a message, however
there is an
easier way and less noticable way to achieve this.

Atfer logging in 2 cookies are sent (cut from netscapes cookies.txt
file):
host FALSE / FALSE 1013870132 login2451956.1435
02-16-2001%2009%3A48%20AM&2451957.0948

host FALSE / FALSE 1045406132 ubber2451956.1435
alphaversion&<password>&AlphaVersion&45&00000036

The second cookie consists of 5 parts, the username, the password, the
name that
will be displayed when you post, a number of which i'm not sure what it
means and
the member number, padded with 0's.

It seems that the only part that actually gets checked is the member
number. So if
you send the saqme cookie, but with a different member number back (the
member
numbers can be found in the messages) you will be logged in as that
member. You
can then post messags, edit messages and do whatever else that
particular user can
do on the board. It seems membver number 1 is the administrator, so if
you edited
netscapes cookie file to make the cookie say this:

host FALSE / FALSE 1045406132 ubber2451956.1435
alphaversion&<password>&AlphaVersion&45&00000001

you'd be able to edit and delete the messages from all users. To make
matters worse
the board will replace the fake cookie with one that holds the info for
the user who's
member number you sent back. This includes the password.

This has been tested on Ultimate Bulletin Board 6.0, Beta 7.8.

AlphaVersion