#71985, 05/14/2001 9:08 PM
Member, Joined: Dec 2000, Posts: 100
So says my friend... something about the profile. He says he can take a copy of a profile or something, then change the inputs or something and hack into other profiles that are logged on. I'm not sure how. If you're curious, reply with a request and I'll quote it.
#71986, 05/14/2001 9:23 PM
Developer, Joined: Jan 2001, Posts: 1,940
Hmm... I am aware of changing the Publicly Displayed Name when it's turned off, but that's about it. Are you able to get more info?
qasic
#71987, 05/15/2001 12:53 AM
I type Like navaho, Joined: Mar 2000, Posts: 21,079, Likes: 3
Yes, share... there were some other problems in earlier versions, but if you hear of more holes, we are all ears...
#71988, 05/15/2001 2:20 AM
Member, Joined: Aug 2000, Posts: 299
Ya man... let us know more. I don't want my board to be hacked.
#71989, 05/15/2001 2:59 AM
Programmer, Joined: Feb 1999, Posts: 1,379
If you know of any security risks, please email the admin team directly or drop an email to [email protected]
Just a thought
#71990, 05/15/2001 6:29 PM
Member, Joined: Dec 2000, Posts: 100
Okay... well, let me find the e-mail.
And I QUOTE:
START QUOTE
Yo. Yeah, so the idea is: in the CGI application that your "edit profile" form uses, if any user is signed in to their account, then while they are signed in, someone has the ability to completely change that person's profile (i.e. change the password), except for the avatar icon, and lock them out/take over the account.

All you need to know is that the user is logged in and their u=id, where id is their user ID number (u in the form name), which can be determined by the order the people registered. You just have to put the proper number of trailing zeros in front (easy: look at an example from your own MBS account in the hidden input type in the source of the HTML form). The message board displays this for any user by a post (i.e. Ender's the fourth member, I'm the 14th registered, etc.), but if you wanted to, say, change the first registrant, which should always be an admin (you usually got a damn good idea who =D), or a random one, and see if they're online, it'd still be bad enough.

Don't know about fixing the hole, but all you have to do to perform the attack is fill in "valid" options that the user would fill in to their form, and just add the right user ID... You can change the pass, displayed name, all that, as long as all the input types meant to be submitted in your custom-made form match what they would be in the pregiven form, and a different correct user ID is given (and they're logged in).

Lala, I'd suggest, if you've got the power (the source, or know enough to code your own and change the login form), to ask for an "old password" field, and don't have the form make any changes without it being properly supplied to the user account. If not, you can inform UBB and complain, I suppose.

You could even set up a script to run and send change requests, see if their info changes, and take down the bot when it does. Just keep sending the request until you catch them logged in, if you don't want a fluke. Very vulnerable........
PS: I still can't make a custom avatar for me (boo hoo)
Whoo, enough ranting out of me.
END QUOTE
#71991, 05/15/2001 6:54 PM
Developer, Joined: Jan 2001, Posts: 1,940
Hmm... I'll need to investigate, but read this: Hehe. Looks like my security modifications to Avatar Hack are doing their job (that's why he/she cannot create a custom avatar icon).
qasic
#71992, 05/15/2001 6:57 PM
Developer, Joined: Jan 2001, Posts: 1,940
Oh yeah, Sushi Man, what version of UBB are you using? I'm pretty sure in UBB 6.04d there's a cookie verification routine that deals with this, but I'm not too sure.
Thx.
qasic
#71993, 05/16/2001 2:51 AM
Programmer, Joined: Feb 1999, Posts: 1,379
6.04d: in ubb_profile.cgi, sub edit_profile, after the cookie test we have: which checks that your cookie matches the profile you're trying to edit. It shouldn't be possible to edit someone else's profile.
Just a thought
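To make the attack in the quoted e-mail and the fix described in the 6.04d post above concrete, here is an added toy model of the edit-profile handler. It is not UBB's code: the field names (u, password, old_password), the cookie-to-member mapping, the eight-digit zero padding of member numbers, and the sample members and sessions are all constructed for illustration. The vulnerable handler only checks that some valid session cookie is present and then trusts the hidden u field; the hardened one requires u to match the session owner (the cookie check the 6.04d post mentions) and a correct old password (the mitigation the e-mail suggests).

```python
"""Toy model of the UBB-style "edit profile" hole discussed in this thread.

Added example, not UBB code. Field names ('u', 'password', 'old_password'),
the cookie-to-member mapping, and the eight-digit zero padding are
assumptions; the sample members and sessions below are constructed.
"""
import copy
import hmac
from dataclasses import dataclass

# Constructed sample state: zero-padded member number -> profile. The first
# registrant is the admin, as the quoted e-mail points out.
PROFILES = {
    "00000001": {"name": "admin", "password": "s3cret-admin"},
    "00000004": {"name": "ender", "password": "ender-pass"},
    "00000014": {"name": "friend", "password": "friend-pass"},
}

# Constructed sessions: cookie value -> member number currently logged in.
# Both the victim (admin) and the attacker (member 14) are logged in.
SESSIONS = {"tok-admin": "00000001", "tok-friend": "00000014"}


def member_number(n, width=8):
    """Zero-pad a registration-order number the way the hidden 'u' field is
    assumed to carry it (the width is an assumption made for this example)."""
    return f"{n:0{width}d}"


@dataclass
class Request:
    cookie: str   # session cookie sent by the browser
    form: dict    # fields from the (possibly attacker-built) edit form


def edit_profile_vulnerable(req, profiles, sessions):
    """Pre-fix behaviour from the quoted e-mail: the handler only checks that
    the cookie belongs to *someone* who is logged in, then trusts the hidden
    'u' field to choose which profile gets overwritten."""
    if req.cookie not in sessions:
        return 403, "not logged in"
    target = req.form.get("u")
    if target not in profiles:
        return 404, "no such member"
    for key in ("name", "password"):
        if key in req.form:
            profiles[target][key] = req.form[key]
    return 200, "profile updated"


def edit_profile_fixed(req, profiles, sessions):
    """Hardened handler: 'u' must match the member the cookie belongs to
    (the 6.04d check described in the thread), and the current password must
    be supplied before anything changes (the e-mail's suggested fix)."""
    actor = sessions.get(req.cookie)
    if actor is None:
        return 403, "not logged in"
    if req.form.get("u") != actor:
        return 403, "cookie does not match the profile being edited"
    supplied = req.form.get("old_password", "")
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(supplied, profiles[actor]["password"]):
        return 403, "old password missing or wrong"
    for key in ("name", "password"):
        if key in req.form:
            profiles[actor][key] = req.form[key]
    return 200, "profile updated"


def run_takeover(handler):
    """Replay the attack against a fresh copy of the state: member 14, logged
    in with its own cookie, posts the edit form with u set to the admin's
    number while the admin is also logged in.
    Returns (status, admin password after the request)."""
    profiles = copy.deepcopy(PROFILES)
    req = Request(cookie="tok-friend",
                  form={"u": member_number(1), "password": "pwned"})
    status, _ = handler(req, profiles, SESSIONS)
    return status, profiles[member_number(1)]["password"]


def run_owner_change(handler, old_password):
    """The legitimate case: the admin changes their own password, supplying
    `old_password`. Returns (status, admin password after the request)."""
    profiles = copy.deepcopy(PROFILES)
    req = Request(cookie="tok-admin",
                  form={"u": member_number(1), "old_password": old_password,
                        "password": "new-pass"})
    status, _ = handler(req, profiles, SESSIONS)
    return status, profiles[member_number(1)]["password"]


if __name__ == "__main__":
    print("vulnerable:", run_takeover(edit_profile_vulnerable))  # (200, 'pwned')
    print("fixed:     ", run_takeover(edit_profile_fixed))       # (403, 's3cret-admin')
```

The point of the model is that the hidden u field is attacker-controlled input like any other form field; a handler must derive the target identity from the authenticated session, never from the form. The old-password requirement is a second, independent barrier: even if a cross-site request is forged in the victim's own browser (so the cookie check passes), the attacker still cannot supply the current password.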
#71994, 05/16/2001 6:20 AM
Member, Joined: Dec 2000, Posts: 100
I have 6.04b, but the person who bought the UBB for me and installed it is out of the country for 10 months! Will any of you be so kind as to give mooah a copy? I don't know how to set up a UBB... so I think I'll use this Beyond Compare everyone's been talking about.
#71995, 05/16/2001 7:23 AM
Member, Joined: Aug 2000, Posts: 594
jeremiah
#71996, 05/16/2001 10:32 AM
Programmer, Joined: Feb 1999, Posts: 1,379
That would be a direct violation of the license.
Just a thought
#71997, 05/16/2001 2:34 PM
I type Like navaho, Joined: Mar 2000, Posts: 21,079, Likes: 3
Rrriiigghhhhtttt... isn't all that just a coincidence... :rolleyes:
You would do well to contact the person who "bought and set it up for you" to get your license number, so you can download the bug-fixed version yourself...
#71998, 05/16/2001 6:38 PM
Member, Joined: Dec 2000, Posts: 100
What are the steps for setting one up??? It's not my UBB. I just work for the guy who owns the website.
#71999, 05/16/2001 6:47 PM
Master Hacker, Joined: Sep 2000, Posts: 4,211
All the instructions you'll need are at infopop.com and come in the zip file when you download the UBB.
#72000, 05/17/2001 2:34 AM
Programmer, Joined: Feb 1999, Posts: 1,379
This thread seems just about done. If you have any information regarding security issues in UBB6, then pass it on to us or the good folks at Infopop.
Just a thought