Thread: Major Security Hole Discovered
03-28-2008, 08:21 AM #1
I have discovered a major security hole in this site. When you upload files to the blog (image and html files) I am able to upload and host html files with javascript links. This hole is too lame to be called cross site scripting (XSS). It is really just a gaping hole. I can give you a proof of concept if you like.
I bet you a lifetime supply of supplements that I can get bodybuilding.com account holders to browse to a page hosted on your site and then use ajax methods to modify/delete their body stats without their knowledge.
Is anyone in charge of this mess? Seems like ever since this site came under new ownership (Liberty Media) there has been a never-ending list of problems. Did you guys outsource your programmers to India to save money?
03-28-2008, 08:23 AM #2
03-30-2008, 05:14 PM #3
03-30-2008, 08:46 PM #4
Dude, I thought you were full of crap until I tested it out. This is real. I looked into this some more and found that the blog is vulnerable in the actual posts and pages as well. You can script on the blog posts and pages through the on-events in html elements such as onclick, onmouseover, etc.
Here is a simple non-malicious test:
http://blog.bodybuilding.com/smedley...3/30/text-xss/
This thread has been sitting open for several days and no response from bb.com. I love it.
03-30-2008, 09:05 PM #5
03-30-2008, 09:40 PM #6
Ok, Mr. Colbert, I found exactly what you are talking about.
So basically you go to the blog and create a new post. In that section you will see an upload dialog at the bottom of the screen.
Once you upload the file it is completely accessible and is located within the bodybuilding.com domain. Just copy the link location (as seen in "Test" above).
Since the html file is located within the bodybuilding.com domain you can use ajax to submit/post forms to any page that accepts them on the site without the user's knowledge.
For example you could force the user through the cart url via ajax and then capture their personal information in the response (if they are already logged in, that is).
https://www.bodybuilding.com/cart/ca...&mode=checkout All with a simple mouseover wrapped around a picture of Jamie Eason. There are a million things that you could do.
For the love of god Bodybuilding.com fix this immediately.
03-30-2008, 10:02 PM #7
03-31-2008, 07:02 AM #8
Still no response from anyone at bodybuilding.com. I did you a favor pointing this out. As nasty as this is I expected a response within a couple of hours.
Call your Indian programmers and get this fixed. I was going to digg this post on http://digg.com just to get your attention but they have blacklisted this site for
guess what ......
wait for it ...........................
being a spam site.
Now where would they get that idea.
03-31-2008, 07:07 AM #9
I cannot believe they haven't replied or done anything about it. That's just crazy with the amount of credit card numbers being pumped into this site daily.
03-31-2008, 08:27 AM #10
03-31-2008, 09:50 AM #11
03-31-2008, 09:55 AM #12
03-31-2008, 10:17 AM #13
03-31-2008, 10:20 AM #14
Holy Crap! I tried it myself.
http://blog.bodybuilding.com/skippy/2008/03/31/5414472/
Website Security 101: Prevent XSS!
This is just plain ridiculous! A few years ago a hacker exploited one of the sub forums that had html enabled (I think html is disabled on all the forums now).
He posted some javascript to steal and log the viewer's cookies. Once a moderator viewed the post the damage was done.
The hacker set his own cookies to match the cookies of the moderator and presto! He had just hijacked the moderator's account.
He went around creating threads and stickied them, then posted in the Moderator Forum (which is visible and accessible only to moderators/admins).
It was weird! He had complete access to the site - the same as the actual moderator did.
He would have had even more access had an admin viewed the post and he hijacked an admin's account.
Talk about a security hole!
03-31-2008, 10:22 AM #15
03-31-2008, 11:24 AM #16
Who allows unfiltered and unsanitized HTML in anything that goes to the front end? It's 2008, come on now!
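As an added illustration (not code from this thread or from bodybuilding.com), a Python sanitizer and upload check showing the two fixes these posts call for: stripping on-event attributes and script from post HTML (posts #4 and #16), and refusing non-image uploads so no attacker-controlled HTML is ever served from the site's own origin (post #6). The tag/attribute allowlists and the function names are assumptions.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Assumed allowlists for a blog post body (hypothetical policy, not the site's own).
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https"}   # absolute http(s) only; javascript:/data: never pass
class Sanitizer(HTMLParser):
    """Rebuilds markup from the allowlist: unknown tags vanish, <script>/<style>
    bodies are discarded, every on* attribute is removed, text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:        # HTMLParser lower-cases names for us
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # onclick, onmouseover, ... never survive
            if name in ("href", "src") and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue                 # blocks javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS - {"img", "br"}:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # raw text is never echoed unescaped

def sanitize_html(markup: str) -> str:
    p = Sanitizer(); p.feed(markup); p.close()
    return "".join(p.out)

# Extension allowlist AND magic bytes must agree, so a renamed .html is rejected too.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
               "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

def upload_allowed(filename: str, head: bytes) -> bool:
    """Accept image uploads only, so no HTML file is ever served from the site's
    own origin, where its script would run with the visitor's logged-in session."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_MAGIC and head.startswith(IMAGE_MAGIC[ext])
```

Relative links are deliberately rejected along with `javascript:` URLs; loosen SAFE_SCHEMES only after deciding how such hrefs should be resolved.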
03-31-2008, 01:11 PM #17
03-31-2008, 02:54 PM #18
03-31-2008, 03:52 PM #19
Due to the nature of cross site scripting there is no way to tell how many accounts were compromised. Doesn't that mean you assume that all accounts were compromised?
Here is a white paper on xss and its impact on business.
http://www.virtualforge.de/whitepape...ing_impact.pdf
I believe the phrase "compliance violation" comes into play here.
When and how will all the users be contacted? Should I be looking for a letter in the mail?
03-31-2008, 04:06 PM #20
03-31-2008, 04:18 PM #21
gjdm, I was getting worried there for a minute. Maybe you should hire someone to analyze security flaws and make sure this doesn't happen again?
03-31-2008, 04:58 PM #22
All joking aside, cross site scripting is no laughing matter.
I wonder how many accounts were compromised? There is no way of knowing -- just like with identity theft the victim is the last to find out.
The blog went live, what, a year and a half ago? So that security hole has been there all this time and it is only NOW that it got fixed?
Are you guys going to conduct a security audit to find out what other areas of Bodybuilding.com are vulnerable?
Are you going to alert the user base of this security breach? I personally have changed my password and would strongly suggest all members do the same.
03-31-2008, 06:14 PM #23
I think Pee-Wee Herman said it best.
"It's like you're unraveling a big cable-knit sweater that someone keeps knitting and knitting and knitting and knitting and knitting and knitting..."
03-31-2008, 06:31 PM #24
03-31-2008, 08:08 PM #25
Here is a thread with some of the fallout when a hacker used cross-site-scripting techniques to hijack some Bodybuilding.com accounts.
This was July 2006.
IntensityX hacking...
03-31-2008, 10:20 PM #26
I really think this thread should be brought to more people's attention. Shouldn't something be stickied in each of the forums to get people to change their passwords or something?
03-31-2008, 10:28 PM #27
03-31-2008, 10:36 PM #28
04-01-2008, 12:45 AM #29
Wow strong nerds n ****...
04-01-2008, 01:36 AM #30
OP banned? This looks like an inside job. Misc detectives.....