RE: www.proboards.com / YaBB XSS Vuln

["GulfTech Security" <security@xxxxxxxxxxxx>]

Do ProBoards use YaBB, or did they just mod the YaBB code to be their own?
Either way having a look at this

http://www.securityfocus.com/bid/5078/exploit/

Kinda leads me to believe that more vulns exist in ProBoards that have been
addressed in YaBB? (as the invalid topic xss in YaBB is kinda old)

While we are on the topic of YaBB though, here are a few vulns in YaBB that
I never really made public until now. I don't think anyone else has reported
them yet anyway.

http://host/YaBB.pl?board=;action=imsend;to=%22%3E%3Cscript%3Ealert(document
.cookie)%3C/script%3E

This is XSS in all versions I believe, and am sure at least up to YaBB 1
Gold - SP 1.3.1

Another issue with YaBB is it is full of CSRF holes which leads to forced
command execution. This allows an attacker to do things like delete peoples
inbox's, delete posts, pin topics, lock topics, and much much more. I think
out of all the CSRF holes in YaBB the worst is probably this.

http://host/YaBB.pl?board=;action=modifycat;id=CATEGORYNAMEHERE;moda=Remove2

Put that in an image tag and you can kill a board as soon as an admin views
your post or PM's as this will delete entire categories and everything in
it.

But yeah man, if ProBoards are using the YaBB codebase they should
definitely implement some strict session auth or something as it is one of
the most insecure message board apps I can think of.

James


-----Original Message-----
From: admin@xxxxxxxxxxxxx [mailto:admin@xxxxxxxxxxxxx] 
Sent: Wednesday, September 15, 2004 6:13 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: www.proboards.com / YaBB XSS Vuln



A Cross Site scripting vulnerability exists currently for all boards of the
ever popular www.proboards.com which has code based off of the popular YaBB
Forums.

This can result in an attacker stealing users Cookie Information and
possible defacing/hijacking of the message board and its users accounts on
the message board.