Junior Member (joined Nov 2002, 2 posts):
UBB is an excellent forum to use but I have a few pointers for Admins of forums...

1) Disable HTML posting.
2) Encrypt the password in the cookies.

I know you're probably saying, "Yeah, Ok, tell us something we DON'T know...", but I have just finished a project that uses the XSS exploit on a whole different level that even the browser patch can't stop.
It's in the form of a Flash app that can do this and do it well!
Disabling Javascript commands in posts won't even prevent the Flash app from doing its thing!
You see, Flash can create and execute Javascript commands on-the-fly from within the app, and all it takes is some clever scripting to grab the parent document's cookie and strip the person of their identity!
I have tried this app in other forums to great success, maybe pissed a few Admins off in the process, but I've always notified them of the exploit and how to prevent future attacks. I think I just scared the hell out of them...

I think one of the main pointers is to ENCRYPT the password in the cookie, because even if some inexperienced "script kiddie" DID manage to get the cookie, he wouldn't know what to do with the encrypted password... unless he had a good MD5 decrypter... because, if I'm correct, isn't the password encrypted using the MD5 process?
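As an added illustration of the first post's point (editor-supplied example code, not from the post or from UBB), the filter below shows why stripping JavaScript out of posts is weaker than disabling HTML posting altogether: a post that embeds a Flash movie passes a script-stripping filter untouched, while escaping all HTML neutralises it. The sample post, the placeholder .swf URL and the function names are constructed for this example.

```python
import html
import re

# Constructed sample post for the example (not a real post from the thread).
# It carries an inline script, a javascript: link and an embedded Flash movie;
# the host name and file name are placeholders.
SAMPLE_POST = (
    'Nice forum! <script>alert(1)</script>'
    '<a href="javascript:void(0)">link</a>'
    '<embed src="http://example.invalid/app.swf" '
    'type="application/x-shockwave-flash">'
)

# A "disable JavaScript in posts" style filter: removes <script> blocks and
# javascript: URLs but otherwise leaves the poster's HTML alone.
_SCRIPT_RE = re.compile(r'<script\b.*?</script\s*>', re.I | re.S)
_JS_URL_RE = re.compile(r'(href|src)\s*=\s*(["\']?)\s*javascript:', re.I)


def strip_javascript(post):
    """Blocklist approach: take out what looks like script, keep the rest."""
    post = _SCRIPT_RE.sub('', post)
    post = _JS_URL_RE.sub(r'\1=\2#', post)
    return post


def disable_html(post):
    """'Disable HTML posting': every tag is escaped, so nothing is live."""
    return html.escape(post, quote=True)


# Tags a browser treats as active content; a Flash movie arrives via one of these.
_ACTIVE_CONTENT_RE = re.compile(r'<(embed|object|applet)\b', re.I)


def renders_active_content(markup):
    """True if the browser would still see a live <embed>/<object>/<applet>."""
    return _ACTIVE_CONTENT_RE.search(markup) is not None


if __name__ == "__main__":
    stripped = strip_javascript(SAMPLE_POST)
    escaped = disable_html(SAMPLE_POST)
    print("script-stripping filter leaves Flash live:",
          renders_active_content(stripped))   # True
    print("HTML disabled leaves Flash live:    ",
          renders_active_content(escaped))    # False
```

The script-stripping filter does remove the `<script>` block and the `javascript:` URL, which is all it was written to do; the `<embed>` tag is not JavaScript, so it survives, and the plug-in it loads can then call into the page on its own.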

Admin Emeritus (joined Jan 2000, 5,073 posts):
MD5 is not an encryption format, it is a message digest - you cannot derive the original from the digest.

As of 6.4, passwords in cookies are MD5 encoded.

Today's (upcoming) 6.3.1.2 release and the later 6.4 beta also include enhanced filtering to avoid certain newly revealed XSS attacks that are only possible with HTML enabled.

If you have discovered what you believe to be XSS vulnerabilities, this is not the proper place to post. Please open up a support ticket or mail [email protected] with details.

I am now closing this topic.


UBB.classic: Love it or hate it, it was mine.
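To make the reply's distinction concrete (an added example, not code from either post or from UBB.threads): MD5 is a one-way digest, so the only route from a digest back to a password is to guess candidates and re-hash them. The same example shows the caveat a practitioner would add to the "encrypt the password in the cookie" advice: when the cookie carries md5(password) and the server compares that digest against its stored copy, a stolen cookie still authenticates on replay, so the digest protects the cleartext password but not the session. The user name, password and cookie layout are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed demo account for the example; name and password are made up.
USER = "demo_user"
PASSWORD = "correct horse"


def md5_hex(text):
    """Hex MD5 digest of a string (the one-way 'encoding' the reply refers to)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# The server stores the digest, never the password itself.
STORED_DIGEST = md5_hex(PASSWORD)


def make_cookie(user, password):
    """Assumed cookie layout: 'user:md5(password)'. The cleartext never appears."""
    return f"{user}:{md5_hex(password)}"


def cookie_authenticates(cookie):
    """Server-side check: the digest in the cookie must equal the stored digest.

    Anyone holding the cookie passes this check; the server cannot tell a
    replayed cookie from the original."""
    user, _, digest = cookie.partition(":")
    return user == USER and hmac.compare_digest(digest, STORED_DIGEST)


def recover_password(digest, candidates):
    """The only way back from digest to password: guess and re-hash.

    Returns the matching candidate, or None if no guess hashes to the digest.
    This is what an 'MD5 decrypter' actually does: it does not invert MD5, it
    tries a word list."""
    for guess in candidates:
        if hmac.compare_digest(md5_hex(guess), digest):
            return guess
    return None


if __name__ == "__main__":
    cookie = make_cookie(USER, PASSWORD)
    print("cookie:", cookie)
    print("cleartext in cookie:", PASSWORD in cookie)            # False
    print("original cookie authenticates:", cookie_authenticates(cookie))  # True
    stolen = str(cookie)  # what a cookie thief would hold: the same bytes
    print("stolen copy authenticates:", cookie_authenticates(stolen))      # True
    print("guess from a small word list:",
          recover_password(STORED_DIGEST, ["password", "letmein"]))        # None
```

The `hmac.compare_digest` calls are there so the comparison time does not leak how many leading digest characters matched; the replay result is the point of the example and does not depend on that detail.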

The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services