 bobince
join:2002-04-19 DE
| reply to Sarick Re: DSLreports Clicking a link in forums?
OK, here's the deal.
JavaScript (or any other web scripting language, e.g. VBScript) is potentially dangerous. A script on a page can display your cookies, send your cookies to another server, pop up a window containing porn, make you post a message to the forums automatically... and so on.
For most sites this is not an issue because a script could only get onto the page by the site's author putting it there. Naturally DSLReports has no need to steal DSLReports's own cookies, and no inclination to harass us with pop-ups.
However, DSLReports, by operating this forum, is allowing us to add our own content to their web pages. For this reason the material we are allowed to post in a comment is limited. I can't just include a <script> tag and expect the script I put inside it to execute on everyone's machines, because that sort of thing is filtered out automatically.
The problem is that in practice it is actually rather tricky to filter out all code that could be used to 'inject' scripting content into a page. Most web forum software does not do it right at all.
One way to inject script into a page is by using a javascript: link:
<A HREF="javascript:alert();">innocent-looking-link</A>
If you try pasting that into a DSLR comment, you will get a link that opens a JS alert when you click on it.
<IMG SRC="javascript:alert()">
If you try pasting that into a DSLR comment, you will get a broken image, but the process of loading it will cause most browsers to execute the script, opening the alert again.
Judging by preview mode, the forum software used by DSLR *is* vulnerable to both these attacks. There are a couple of dozen other sneaky techniques for getting scripting content into documents that are supposed to be free of it too.
Of course opening an alert isn't very interesting in itself, but once you're in script like that, you can do anything a script on the site can - the typical example is read the user's cookies and send them off to the attacker's server, where they will be used to hack accounts.
DSLR does not actually include the passwords in the cookies, and doesn't allow the password to be changed without the old password being entered, so this wouldn't give an attacker the ability to steal accounts wholesale, but it *would* allow them to post as the victim, change the victim's details, etc. And if the victim is a site administrator everything is up for grabs.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/ |
|
  nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
| said by bobince : DSLR does not actually include the passwords in the cookies, and doesn't allow the password to be changed without the old password being entered, so this wouldn't give an attacker the ability to steal accounts wholesale, but it *would* allow them to post as the victim, change the victim's details, etc. And if the victim is a site administrator everything is up for grabs.
Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post.. -- Life is too short to be boring |
|
  hpguru Curb Your Dogma Premium join:2002-04-12
| reply to Reverend Ike said by Reverend Ike : Perhaps you should create a "special" Hpguru Hosts file for them.
4,294,967,295 entries ...
LOL! Nah I'd never get anything else done. How about a Proxo filter that modifies all "A" tags such that when clicked they pop-up a little confirm box asking
"Are you sure? It could be dangerous you know."
If they click "Ok" an alert box pops up stating
"YOU HAVE BEEN WARNED!!"
If they click "Cancel" they get an alert stating
"You have made the right choice, but to be on the safe side you should still format your hard disk and reinstall Windows ASAP. Have a nice day!". -- "My country, right or wrong," is a thing that no patriot would think of saying except in a desperate case. It is like saying, "My mother, drunk or sober." - G.K.Chesterton |
|
 bobince
join:2002-04-19 DE
| reply to nil Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post.. Well, I am currently posting from a completely different browser, which I authorised by copying document.cookie from the original browser (as if hijacked from JavaScript). So I don't see any security measures that are stopping me from authorising myself as someone else.
And even if this weren't possible, an attacker could script an automatic make-a-post or do-an-admin-action attack, through cross-frame scripting.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/ |
|
  nil Java Geek join:2000-11-27 | and you didn't have to re-enter your password? Plus it was from the same IP.. -- Life is too short to be boring |
|
  Phoenix22 Death From Above Premium join:2001-12-11 SOG C&C Nrth
·Comcast Formerly ..
| reply to Sarick said by Sarick : Could clicking a link in DSLreports allow someone to steal your DSLreports password or cookie to get your email?
I've been told that is a security flaw by an admin of a very popular site. CjayC Gamefaqs.com
Anyone?
Wait til dad gets home...I'm tellin'..... -- "De Oppresso Liber" (We Liberate (Free) the Oppressed) Computer Cops Security Professionals, Site Administrator |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA | reply to Sarick So in your best judgement DSLreports does have a security vulnerability.
It seems a few people who are on this thread thought that this flaw was an urban legend. |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA | reply to Phoenix22 My dad passed away about 20 years ago. |
|
 bobince
join:2002-04-19 DE
| reply to nil and you didn't have to re-enter your password? That is correct.
Plus it was from the same IP.. True, but I'd be surprised if the software requires the IP address to stay constant for one user, as that would completely break the site for e.g. AOL users, whose apparent IP address can change on every request.
Even if cookie-stealing didn't give access to accounts (and it's actually very tricky to arrange something like that), just allowing JavaScript through from user-submitted content is enough to compromise the security of the board. It is this that is the real problem.
Filtering JavaScript out completely is not a trivial task, and most forum software is vulnerable to JS injection (cross-site-scripting, XSS) one way or another - search Bugtraq for a large yet incomplete list of known forum vulnerabilities. The software DSLR is using seems to fall to at least one method of JS injection (namely javascript: pseudo-URIs) that is extremely simple and well-known, though.
Or at least I assume so - such exploits make it through the preview; I haven't tried posting them to a live thread. I can try if you like, hope you don't mind the alert() boxes. 
(Incidentally, javascript: URIs are one of the worst ever ideas, and have caused endless security holes in web browsers and sites alike, whilst offering zero actual new utility to web authors. Whichever clever-trousers @netscape came up with them desperately needs a kick to the face!)
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/ |
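One way to do the filtering discussed in this thread is an allowlist check on the URL scheme of A HREF and IMG SRC, normalised before the comparison so that entity-encoded, mixed-case or whitespace-padded javascript: URIs are caught too. This is an added example, not DSLR's forum software or any code from the posters; the tag and scheme allowlists are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlists for a forum post: tag -> attributes allowed to survive.
ALLOWED_TAGS = {"a": {"href"}, "img": {"src", "alt"}, "b": set(), "i": set()}
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
VOID_TAGS = {"img"}   # no closing tag is emitted for these

def is_safe_url(value):
    """True if the URL is relative or its scheme is allowlisted.
    Entity-decode and strip ASCII control chars/spaces before reading the scheme:
    browsers tolerate both inside it, so comparing the raw text against
    'javascript:' would miss a tab in the middle or a leading space."""
    norm = re.sub(r"[\x00-\x20]", "", html.unescape(value or ""))
    m = re.match(r"([a-z][a-z0-9+.\-]*):", norm, re.I)
    return m is None or m.group(1).lower() in SAFE_SCHEMES

class PostSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else becomes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # <script>, <iframe>, ... dropped entirely
        kept = []
        for name, value in attrs:       # HTMLParser lowercases names, decodes entities
            if name not in ALLOWED_TAGS[tag]:
                continue                # drops onclick=, style= and other handlers
            if name in ("href", "src") and not is_safe_url(value):
                continue                # javascript: pseudo-URI removed, tag kept inert
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))   # text, including former <script> bodies

def sanitize(post_html):
    """Filter one user-submitted post body and return safe HTML."""
    p = PostSanitizer()
    p.feed(post_html)
    p.close()
    return "".join(p.out)
```

Feeding the two constructed inputs from this thread through sanitize() yields `<a>innocent-looking-link</a>` and `<img>`: the link and image survive, the script does not.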
|
  nil Java Geek join:2000-11-27 | I do believe it gets stripped out on posting.. it may show up in preview.. but go ahead.. give it a try.. -- Life is too short to be boring |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Alrighty:
Admin: Feel free to edit this post once the concept is proven. [text was edited by author 2003-07-21 16:37:19]
[Edit: okay, we need to work on that i guess - nil ] [text was edited by moderator] |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA | reply to Sarick Hey, I didn't get to see it.
What happened? It seems you've proven that there is a security risk with the links. Unless you faked that moderator edit. |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| reply to bobince said by bobince :
Wrong.. What I posted before is true.. having the cookie is not enough to hijack an account to even make a post.. Well, I am currently posting from a completely different browser, which I authorised by copying document.cookie from the original browser (as if hijacked from JavaScript). So I don't see any security measures that are stopping me from authorising myself as someone else.
And even if this weren't possible, an attacker could script an automatic make-a-post or do-an-admin-action attack, through cross-frame scripting.
-- Andrew Clover mailto:and@doxdesk.com »www.doxdesk.com/
I see what you're saying. If your cookie is uploaded to another site then installed over on to another computer the user's account is hijacked. Well that's simple enough.
Placing a JS link that uploads the file to another site, even DSLreports, could be exploited.
The same "code" that allows us to upload our own images could be used as sort of a storage point to hijack the cookie?
Then the person wanting to hijack would simply retrieve that file and install it on their system. They technically take over the member's account. From there they could post messages, steal non-public e-mail info, access tool points and other member data.
Yes I see what you're saying now. Even if the cookie is encrypted it could be used on another computer. Perhaps limiting the encryption to an IP range might make it less exploitable. That way if your IP changes to another service provider it'll require you to relog completely.
That will disable the cookie by corrupting it vs the current IP. 
[text was edited by author 2003-07-22 06:09:41] |
|
 lysw1
join:2003-05-19 Jeffersonville, IN | reply to Sarick Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com? |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| said by lysw1 : Thank goodness for SurfinGuardPro. What's with all the ActiveX controls at www.doxdesk.com?
All this software for security. Seems like active X should be X'ed |
|
 lysw1
join:2003-05-19 Jeffersonville, IN | reply to Sarick Yeah, except that some sites require it. (www.live365.com) |
|
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| reply to Sarick said by Sarick : All this software for security. Seems like active X should be X'ed
It is on my system. I only add something to my Trusted sites if I absolutely trust it and have to run activeX. Otherwise, it is totally x'd on my box. -- JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH | Did he say "X Box"? |
|
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| reply to Sarick said by Sarick : Hey, I didn't get to see it.
What happened? It seems you've proven that there is a security risk with the links. Unless you faked that moderator edit.
Putting script for a Javascript 'Alert' function worked when put in a URL, and when put in the SRC of an IMG tag. When put in the IMG tag, it caused the Alert to come up immediately on loading the page.
However, I'm still not convinced that this amounts to a security problem here, as I do not believe that Javascript would be given access to grab a file from the system (cookies), and then pass that information on to a website.. I dunno. |
|
  Sarick It's Only Logical Premium join:2003-06-03 USA
·FrontierNet Intern..
| reply to Sarick Scary stuff. Them tool points are hard to get. LOL
Actually I think it's a bigger security risk with the cookies now.
DSLreports has a security problem with the cookies. Yea some peoples connections would bust so best solution would be multiple configs. That way people don't have it turned on if it conflicts.
Links however can prove to be nasty. I've tried to set IE to block active X; it kills the browser! Then again that might be different now that PCCillin is GONE. I found a glitch in its active X web-blocking TMproxy that has been confirmed.
I noticed a file on my desktop the other day that had the address book main user identity list in it, file named ~. I don't use Outlook and address book so that active X must have let something in past spyware guard.
Microshaft Please fix your browser.. |
|