Angel

Profile Hacking

12 posts in this topic


Q: Is this really general hacking?

A: Of course! But feel free to move this if you think otherwise, mods.

Q: So you edited your profile to say you were 'leet'? Isn't that kind of sophomoric?

A: Yar, probably. But I couldn't think of any better number off the top of my head, and "666" seemed dumb.

Q: Ok, so I assume there's a flaw in the website?

A: Well, many; nothing is a hundred percent secure. Stank and crew do a good job of locking things down, this isn't like a dig at the staff or nothin'.

Q: Would you like to tell us?

A: Sure thing! I'll give you a hint and then put the actual code in spoiler tags so you guys can script-kiddy out your own profiles. The hint is: what user input does the forum take to calculate your age?

If you guessed "your birthday, which is secured by dropdownlist boxen", you are our winner. A lot of coders assume that if they put data into a dropdownlist, they don't need to sense-check it, since the server is writing the list. But it doesn't take much more than a couple of lines of JavaScript to add a new, unexpected option to the form:

// Create a new <option> and append it to the birth-year dropdown,
// with a display text of 1337 and a submitted value of 670.
var objOption = document.createElement("option");
objOption.text = '1337';   // what the user sees in the list
objOption.value = '670';   // what is sent to the server when selected
document.getElementById('pp_b_year').add(objOption);
alert('done');

The moral of the story is - validate all user input.

Otherwise, uh ... people will add silly things to their profiles, I guess. O_o;;

As an aside - I'm attaching the image above to this post since as it's hosted at Images Hack dot us it will, in time, wither and die, confusing future graverobbers who may then attempt to resurrect this thread with dumb questions.

Have phun,

-ArchAngel
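As an added illustration of the server-side check the post calls for (example code written for this thread, not code from the forum or from Invision): the server regenerates the allow-list it rendered into pp_b_year and accepts only a value from that list, so an injected option such as value 670 is rejected before any age is computed. The value-to-year encoding (value N means age N, which is consistent with the 670/1337 numbers in the post) and the 0 to 120 age range are assumptions made for the example.

```javascript
// Added example, not the forum's or Invision's code: allow-list validation
// for a birth-year dropdown. The client snippet in the post shows that
// <select> values are under the user's control; the defence is to rebuild
// the same list on the server and accept only values it would have emitted.
// Field name 'pp_b_year' is taken from the post; value N = age N (so value
// 670 in 2007 would mean the year 1337) is an assumption for illustration.

const MIN_AGE = 0;
const MAX_AGE = 120;          // assumed policy: oldest selectable birth year

// Build the options the server writes into the form: value N maps to a year.
function buildYearOptions(currentYear) {
  const options = [];
  for (let age = MIN_AGE; age <= MAX_AGE; age++) {
    options.push({ value: String(age), text: String(currentYear - age) });
  }
  return options;
}

// Map a submitted pp_b_year value back to a year, or null if it is not one
// the server generated. Requiring a canonical integer string and then an
// exact match against the generated list rejects "670", "7e1", " 70", "70'",
// "<b>70</b>" and friends without any quote-stripping or HTML sanitising.
function validateBirthYear(submitted, currentYear) {
  if (typeof submitted !== 'string') return null;
  if (!/^(0|[1-9][0-9]*)$/.test(submitted)) return null;   // canonical integer only
  const match = buildYearOptions(currentYear).find((o) => o.value === submitted);
  return match ? Number(match.text) : null;
}

// Age as the forum would display it, given a validated year.
function ageFromYear(year, currentYear) {
  return currentYear - year;
}

// Simulated form submissions (constructed): the injected option from the
// post plus a few other hostile values beside one legitimate selection.
function demo(currentYear) {
  const inputs = ['20', '670', '1337', "70'", '<b>70</b>', '7e1', ''];
  return inputs.map((v) => ({ input: v, year: validateBirthYear(v, currentYear) }));
}
```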


An easier way would be just to modify the headers if you have TamperData installed in Firefox. But yeah, good find.

Edited by Spyril

nice find...and invision needs to be made aware of this as well so that they can issue a patch.

nice find...and invision needs to be made aware of this as well so that they can issue a patch.

*shrugz* I suppose. You seem to believe more in corporations than I do, my friend. ^_-.

I sent a message in via script-injecting their "Report Piracy" form, and e-mailed the technical contact listed in their WHOIS:

Date: Mon, 12 Nov 2007 20:25:45 -0900
From: ArchAngel <(Redacted)@gmail.com>
To: dnsadmin@invisionpower.com
Subject: Invision Board Bug
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Just thought you may want to address a flaw in your software.

Incidentally, the same flaw can be used on your piracy reporting form to add new options under "Piracy" - the thread linked below has the relevant code.

Effectively, your coders aren't appropriately validating the values sent in by dropdownlists - which lets script-savvy users add their own values and pass them to the server, where code evaluates them and executes appropriately. With an age change, not so serious a problem, but you probably want to remove single quotes, html, and the like just to be safe.

Here's the site link describing the bug in some detail:

http://www.binrev.com/forums/index.php?showtopic=34727

Love,

-ArchAngel

We'll see if they respond.

-ArchAngel

(edit:reworded slightly before sending)

Edited by Angel
[...] but you probably want to remove single quotes, html, and the like just to be safe. [...]

Interesting, depending on what is being done with the input that could pose quite a problem I guess...


Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.


I managed to get it to pop up an error saying something like invalid input but other than that..

location string is huge too

Edited by operat0r

Lol, I only used this on profile sites or cam sites like stickam, never thought to change it on forums.

TamperData ftw.


Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.

Not to bring this old thread back from the grave, but I thought it funny that this flaw still exists in the current IP Board software -- as hinted at four years ago, this vulnerability affects client-side controls used across the software suite, and as such it allows behaviour a little more serious than things like making your age a cool number ... not sure what that says about giving big 'evil' corporations a chance. ^_-.

-ArchAngel


Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.

Not to bring this old thread back from the grave, but I thought it funny that this flaw still exists in the current IP Board software -- as hinted at four years ago, this vulnerability affects client-side controls used across the software suite, and as such it allows behaviour a little more serious than things like making your age a cool number ... not sure what that says about giving big 'evil' corporations a chance. ^_-.

-ArchAngel

Did anyone ever report it to them? :o lol

And no, I don't trust big corporations either, but at the same time you have to give everyone a chance to prove themselves. If you never give them a chance, then you are just as much at fault as they are. I also don't think that invision software is a big corporation by any means.
