Thread: Question about CSS vuln

  1. #1
    Junior Member
    Join Date
    Feb 2002
    Posts
    4

    Question about CSS vuln

    In discussing a cross site scripting vulnerability with a friend of mine, he raised a point to me that I couldn't answer...I thought maybe someone here could enlighten me...

    To sum up the situation, there is a CSS vulnerability in PostNuke (a BBS software package) that allows a person to create a link to a particular file on the hosting server that contains javascript...If a user then clicks on the link, the javascript would be activated as if it were on the site...In short, it would allow one to make a post with a script in it that would run on a user's computer if they clicked on it...

    My initial line of thought when I read this was that it would allow someone to retrieve another user's cookie, thereby allowing them to log on as another user (since PostNuke uses cookies for authentication)....My friend, however, pointed out to me that it wouldn't be possible....There's no way to retrieve the cookie and store it in a static file is what he told me...

    I personally don't know much about javascript...So I don't know if he's right...But my question would have to be, is there a function in javascript that would allow one to retrieve another user's cookie and store it in a form that would be accessible later??? I don't need specifics (don't want anyone to think I'm trying to break into someone's forum) I just wanted to know if it were possible for the sake of argument...


    Caskethopper
    I hear the Crawling Chaos that calls beyond the stars

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Hmm..... As far as I know there isn't functionality in javascript that could do something like that. But there can be an ActiveX component that could be activated in Internet Explorer that could manipulate the filesystem and send the info to some other site. So I guess it's possible.... What I'm not certain of is if there is such an ActiveX shipped with IE or in the Microsoft OSs. Anyway, the ActiveX security is pretty bad. I prefer Java applets.
    ---
    proactive

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    I'd test it out. But instead of trying to send the user information out through another method I would try to use the user's own post to get the information. You could possibly grab the cookie information and when the post button is clicked append that cookie information to the end of the user's post inside an html comment. Then all you have to do is view the source of the user's next post and see if the cookie information is there. If this is possible you should notify the person who runs the board....they need to be parsing that crap out.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X
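
The last reply says the board needs to be filtering script out of posts. As an added example (not part of the thread and not PostNuke's code), this sketch renders untrusted post text as inert HTML, links only http(s) URLs, and issues the session cookie with HttpOnly so page script cannot read it through document.cookie. The function names and sample inputs are hypothetical.

```javascript
// Added example: names (escapeHtml, renderToken, renderPost, sessionCookie)
// are hypothetical and do not come from PostNuke.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A token becomes a link only if it parses as an http(s) URL.
// Anything else, including javascript: URLs, is emitted as escaped text.
function renderToken(token) {
  let url;
  try {
    url = new URL(token);
  } catch {
    return escapeHtml(token);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return escapeHtml(token);
  }
  const safe = escapeHtml(url.href);
  return `<a href="${safe}" rel="nofollow noopener">${safe}</a>`;
}

// Render a post body: whitespace is preserved, every other token is
// either a vetted link or escaped text, so no markup from the post survives.
function renderPost(body) {
  return String(body)
    .split(/(\s+)/)
    .map((part) => (/^\s+$/.test(part) ? part : renderToken(part)))
    .join('');
}

// Set-Cookie value for the login session. HttpOnly hides the cookie from
// script; Secure and SameSite limit where the browser will send it.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample post, not taken from the thread.
console.log(renderPost('hi <script>alert(1)</script> <!-- x -->'));
console.log(sessionCookie('sid', 'abc 123'));
```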
