Yves
(Administrator)
Show profile
Link to this post
Subject: Security problem with version 1.5.3
[Deutsche Version folgt.]
Hello everybody.
Bad news today... I was just pointed to a security tracker website that told me about a cross-site scripting problem with the UNB 1.5.3. First I couldn't track it down because the error wasn't reproducible on this and my other productive board. Then I found out that these are not 1.5.3 release but the devel version from the same day. Anyway, somehow a mysterious bug has managed to remain undiscovered for quite a while now. It allows you to inject arbitrary HTML code in thread descriptions which itself isn't a big problem but allows {h,cr}ackers to steal your cookies for the forum you're visiting.
The problem exists in the public.lib.php, function ShowPath(), where the description is not HTML-encoded correctly as it should be. This seems to be the only difference between the release and devel version, both from the same day. The bug is only exploitable by creating a new topic somewhere on the board. If you don't allow guest posting, the user needs to be logged in. Also you'll find a new thread of it. If you have enabled notification of new threads, you'll see the malicious HTML code in the notification message in plaintext, if present.
As an immediate solution for admins, please apply the given patch. Users that are worried about their login data should either disable cookies for this domain (the board will work without them, only no auto-login is available then but you can let your browser do it) or disable JavaScript for the forum (the BBCode buttons won't work then anymore, but the board itself will continue functioning).
The download versions have just been updated. There's also a patch available there that fixes this bug only. Go here for the downloads. The lite version is no longer available for download until version 1.6.
I'm sorry for this issue, I'll continue trying to track down why this could happen. Let's see what UNB's version check can do now to notify most board admins.
How I hate those evil people telling stuff like this other people and not even me. Please don't kill me for this, it's only the third security issue in 2,5 years, of which two have become public. Just compare this with other software you can find. 
Hello everybody.
Bad news today... I was just pointed to a security tracker website that told me about a cross-site scripting problem with the UNB 1.5.3. First I couldn't track it down because the error wasn't reproducible on this and my other productive board. Then I found out that these are not 1.5.3 release but the devel version from the same day. Anyway, somehow a mysterious bug has managed to remain undiscovered for quite a while now. It allows you to inject arbitrary HTML code in thread descriptions which itself isn't a big problem but allows {h,cr}ackers to steal your cookies for the forum you're visiting.
The problem exists in the public.lib.php, function ShowPath(), where the description is not HTML-encoded correctly as it should be. This seems to be the only difference between the release and devel version, both from the same day. The bug is only exploitable by creating a new topic somewhere on the board. If you don't allow guest posting, the user needs to be logged in. Also you'll find a new thread of it. If you have enabled notification of new threads, you'll see the malicious HTML code in the notification message in plaintext, if present.
As an immediate solution for admins, please apply the given patch. Users that are worried about their login data should either disable cookies for this domain (the board will work without them, only no auto-login is available then but you can let your browser do it) or disable JavaScript for the forum (the BBCode buttons won't work then anymore, but the board itself will continue functioning).
The download versions have just been updated. There's also a patch available there that fixes this bug only. Go here for the downloads. The lite version is no longer available for download until version 1.6.
I'm sorry for this issue, I'll continue trying to track down why this could happen. Let's see what UNB's version check can do now to notify most board admins.
How I hate those evil people telling stuff like this other people and not even me. Please don't kill me for this, it's only the third security issue in 2,5 years, of which two have become public. Just compare this with other software you can find.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
.
update_unb-1.5.3-a.7z 23.6 kBytes
)
This post was edited on 2005-09-18, 22:42 by