In response to Scott Ashman's post about UBB. After I discovered this bug last week I tried to contact infopop on 3 email addresses from their contact page; I finally managed to find one that didn't bounce, but I haven't received any response yet.

Anyway, Scott describes a way to retrieve other users' usernames and passwords by putting some javascript between the image tags in a message, however there is an easier and less noticeable way to achieve this.

After logging in 2 cookies are sent (cut from Netscape's cookies.txt file):

host FALSE / FALSE 1013870132 login2451956.1435 02-16-2001%2009%3A48%20AM&2451957.0948
host FALSE / FALSE 1045406132 ubber2451956.1435 alphaversion&<password>&AlphaVersion&45&00000036

The second cookie consists of 5 parts: the username, the password, the name that will be displayed when you post, a number of which I'm not sure what it means, and the member number, padded with 0's. It seems that the only part that actually gets checked is the member number. So if you send the same cookie, but with a different member number, back (the member numbers can be found in the messages) you will be logged in as that member. You can then post messages, edit messages and do whatever else that particular user can do on the board.

It seems member number 1 is the administrator, so if you edited Netscape's cookie file to make the cookie say this:

host FALSE / FALSE 1045406132 ubber2451956.1435 alphaversion&<password>&AlphaVersion&45&00000001

you'd be able to edit and delete the messages from all users. To make matters worse the board will replace the fake cookie with one that holds the info for the user whose member number you sent back. This includes the password.

This has been tested on Ultimate Bulletin Board 6.0, Beta 7.8.

AlphaVersion
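An added example (not UBB's own code, and not from the post's author): it parses the five-field "ubber" cookie described above, models a check that consults only the member number beside one that verifies every field, and then shows the fix a board should use instead, a session cookie that carries no password and is protected by an HMAC. The member table, the server key and the sample cookie are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample in the five-field "ubber" layout: username & password & display name & unknown number & zero-padded member number.
SAMPLE_COOKIE = "alphaversion&<password>&AlphaVersion&45&00000036"

# Hypothetical stand-in for the board's member table: member number -> (username, password).
MEMBERS = {1: ("admin", "adminpw"), 36: ("alphaversion", "<password>")}

def parse_ubber_cookie(value):
    """Split the five '&'-separated fields; return (username, password, member_id)."""
    fields = value.split("&")
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    username, password, _display, _unknown, member = fields
    return username, password, int(member)

def login_vulnerable(cookie):
    """Models the flaw the post describes: only the member number is consulted."""
    _user, _pw, member_id = parse_ubber_cookie(cookie)
    return member_id if member_id in MEMBERS else None

def login_checked(cookie):
    """Every field must agree with the stored record; the password is compared in constant time."""
    user, pw, member_id = parse_ubber_cookie(cookie)
    rec = MEMBERS.get(member_id)
    if rec is None or rec[0] != user or not hmac.compare_digest(rec[1], pw):
        return None
    return member_id

# Better still: keep the password out of the cookie entirely and sign what remains (hypothetical key).
SERVER_KEY = b"constructed-server-secret"

def issue_session(member_id, now=None, ttl=86400):
    """Return 'member_id&expiry&mac', where the MAC covers both preceding fields."""
    expiry = int(time.time() if now is None else now) + ttl
    body = "%d&%d" % (member_id, expiry)
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "&" + mac

def verify_session(cookie, now=None):
    """Return the member number if the MAC verifies and the cookie is unexpired, else None."""
    body, sep, mac = cookie.rpartition("&")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    member, expiry = body.split("&")
    if int(expiry) <= int(time.time() if now is None else now):
        return None
    return int(member)
```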