hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Sep 17 2004, 04:53 AM
QUOTE


A Cross Site scripting vulnerability exists currently for all boards of the ever popular www.proboards.com which has code based off of the popular YaBB Forums.

This can result in an attacker stealing users Cookie Information and possible defacing/hijacking of the message board and its users accounts on the message board.

The following code can be used to execute this XSS vuln:

http://WEBSITE/index.cgi?board=[BOARDNAME]&action=display&num=[VALID TOPIC NUMBER]&"><script>alert(document.cookie);</script>

Be Cautious of suspicous looking links.

##################################
# -LJ Lemke leetflash_at_yahoo.com #
##################################

JeiAr
Sep 17 2004, 12:48 PM
I posted a follow up to this where I disclosed some vulns in YaBB that AFAIK have never been released. Found em a long while ago but never got around to a write up etc. Anyway, I will post them here if they are not on BugTraq by Monday smile.gif
JeiAr
Sep 17 2004, 11:53 PM
Here ya go smile.gif

QUOTE



-----Original Message-----
From: GulfTech Security [mailto:security@gulftech.org]
Sent: Thursday, September 16, 2004 4:11 PM
To: bugtraq@securityfocus.com
Subject: RE: www.proboards.com / YaBB XSS Vuln

Do ProBoards use YaBB, or did they just mod the YaBB code to be their own?
Either way having a look at this

http://www.securityfocus.com/bid/5078/exploit/

Kinda leads me to believe that more vulns exist in ProBoards that have been
addressed in YaBB? (as the invalid topic xss in YaBB is kinda old)

While we are on the topic of YaBB though, here are a few vulns in YaBB that
I never really made public until now. I don't think anyone else has reported
them yet anyway.

http://host/YaBB.pl?board=;action=imsend;t...Ealert(document
.cookie)%3C/script%3E

This is XSS in all versions I believe, and am sure at least up to YaBB 1
Gold - SP 1.3.1

Another issue with YaBB is it is full of CSRF holes which leads to forced
command execution. This allows an attacker to do things like delete peoples
inbox's, delete posts, pin topics, lock topics, and much much more. I think
out of all the CSRF holes in YaBB the worst is probably this.

http://host/YaBB.pl?board=;action=modifyca...RE;moda=Remove2

Put that in an image tag and you can kill a board as soon as an admin views
your post or PM's as this will delete entire categories and everything in
it.

But yeah man, if ProBoards are using the YaBB codebase they should
definitely implement some strict session auth or something as it is one of
the most insecure message board apps I can think of.

James


-----Original Message-----
From: admin@leetflash.com [mailto:admin@leetflash.com]
Sent: Wednesday, September 15, 2004 6:13 PM
To: bugtraq@securityfocus.com
Subject: www.proboards.com / YaBB XSS Vuln



A Cross Site scripting vulnerability exists currently for all boards of the
ever popular www.proboards.com which has code based off of the popular YaBB
Forums.

This can result in an attacker stealing users Cookie Information and
possible defacing/hijacking of the message board and its users accounts on
the message board.


qcred11
Sep 18 2004, 12:59 AM
Very nice. Thanks m8.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.