


Category:   Application (Forum/Board/Portal)  >   Ultimate Bulletin Board
Vendors:   Infopop
Infopop's Ultimate Bulletin Board (UBB) Forum Software Filtering Bug Lets Remote Users Conduct Cross-Site Scripting Attacks Against Some UBB Users
SecurityTracker Alert ID:  1003994
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 8 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Infopop's Ultimate Bulletin Board (UBB) software. A remote user can conduct cross-site scripting attacks against some UBB users.

It is reported that Microsoft Internet Explorer (IE) will convert "(" or "&#40" to "(". A remote user can exploit this fact and the lack of proper filtering on UBB to submit posts to UBB that, when viewed by another user, will cause arbitrary code to be executed by the other user's IE browser.

Some demonstration exploit code is provided:


According to the report, many scripting events are not filtered, including onMouseDown, OnFocus, onMouseOut, and many others.

This allows a remote user to write scripting that will be able to access the target (victim) user's cookies associated with the site running UBB.
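
The filtering gap described above, shown from the defender's side as an added example (not code from UBB, Infopop, or the original report): a check for a literal "(" misses the numeric reference "&#40", while decoding references before checking, or escaping on output, closes the gap. The function names, the assumed weak filter, and the sample strings are hypothetical.

```python
import html
import re

# Numeric character reference, decimal or hex, with the semicolon optional:
# the lenient parsing the report attributes to IE ("&#40" is read as "(").
_NCR = re.compile(r"&#(?:[xX]([0-9a-fA-F]{1,6})|([0-9]{1,7}));?")
# Inline event-handler attribute such as onMouseDown= or OnFocus=.
_EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def decode_lenient(text):
    """Decode numeric references the way a forgiving browser would."""
    def repl(match):
        cp = int(match.group(1), 16) if match.group(1) else int(match.group(2))
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        return chr(cp) if valid else "\ufffd"
    return _NCR.sub(repl, text)


def naive_blocks(text):
    """Hypothetical weak filter: rejects only a literal '('."""
    return "(" in text


def normalized_blocks(text):
    """Hardened check: decode first, then look for '(' or event handlers."""
    decoded = decode_lenient(text)
    return "(" in decoded or bool(_EVENT_ATTR.search(decoded))


def render_text(text):
    """Preferred fix: escape on output so '&#40' is shown, never decoded."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample post fragments, not taken from the report.
    for sample in ["f&#40x)", "f&#x28;x)", 'title onFocus="y"', "plain text"]:
        print(repr(sample), naive_blocks(sample), normalized_blocks(sample),
              render_text(sample))
```

Escaping on output is the stronger control because it does not depend on predicting every encoding a browser will accept; the normalized check is useful for flagging existing posts.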

Impact:   A remote user can conduct cross-site scripting attacks against UBB users that have the Microsoft Internet Explorer browser, stealing their cookies and other potentially sensitive information associated with the site running UBB.
Solution:   No solution was available at the time of this entry. However, the vendor is reportedly working on a fix.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  UBB Vuln

well, i contacted infopop with this but they haven't fixed it yet..

the prob is that IE will convert "(" or "&#40" (without the semi-colon) 
to "("...

this allows you to do pretty much anything you like on any ubb (probably any 
bulletin board) you like..

the way i use it is:


the event onMouseDown isn't banned, neither is OnFocus, onMouseOut, and many 
many others that i haven't bothered looking up.

so you can steal the cookie, etc, etc, whatever you like.

So far infopop have just said they are fixing it yet is STILL 
vulnerable at the time of writing this.

it doesn't however work on 6.2 in IMG TAGS, this is because any image with a 
" in it will be spaced out..

why they haven't done this in the URL tags is beyond me...,

and for fun and games you can play around with the "style='beep:blah';" all 
you like as well...
