Major Security Hole Discovered

[stephencolbert]

I have discovered a major security hole in this site. When you upload files to the blog (image and html files) I am able to upload and host html files with javascript links. This hole is too lame to be called cross site scripting (XSS). It is really just a gaping hole. I can give you a proof of concept if you like.

I bet you a lifetime supply of supplements that I can get bodybuilding.com account holders to browse to a page hosted on your site and then use ajax methods to modify/delete their body stats without their knowledge.

Is anyone in charge of this mess? Seems like ever since this site came under new ownership (Liberty Media) there have been a never ending list of problems. Did you guys outsource your programmers to India to save money?

[mikecart1]

I have discovered a major security hole in this site. When you upload files to the blog (image and html files) I am able to upload and host html files with javascript links. This hole is too lame to be called cross site scripting (XSS). It is really just a gaping hole. I can give you a proof of concept if you like.

I bet you a lifetime supply of supplements that I can get bodybuilding.com account holders to browse to a page hosted on your site and then use ajax methods to modify/delete their body stats without their knowledge.

Is anyone in charge of this mess? Seems like ever since this site came under new ownership (Liberty Media) there have been a never ending list of problems. Did you guys outsource your programmers to India to save money?

Also, the workout tracking doesn't work. Along with:

-visitor page views
-updates to stats don't show up on the forum
-major lag

[Diab0lic]

Bump?

[smedleybutler]

Dude I thought you were full of crap until I tested it out. This is real. I looked into this some more and found that the blog is vulnerable in the actual posts and pages as well. You can script on the blog posts and pages through the on-events in html elements such as onclick, onmouseover, etc.

Here is a simple non-malicious test:
http://blog.bodybuilding.com/smedley...3/30/text-xss/

This thread has been sitting open for several days and no response from bb.com . I love it.

[Sounds Good]

intriguing

[smedleybutler]

Ok Mr. Colbert I found exactly what you are talking about.

So basically you go to the blog and create a new post. In that section you will see an upload dialog at the bottom of the screen.


Once you upload the file it is completely accessible and is located within the bodybuilding.com domain. Just copy the link location (as seen "Test" above).

Since the html file is located within the bodybuilding.com domain you can use ajax to submit/post forms to any page that accepts them on the site without the users knowledge.

For example you could force the user through the cart url via ajax and then capture their personal information in the response (if they are already logged in that is).
https://www.bodybuilding.com/cart/ca...&mode=checkout All with a simple mouseover wrapped around a picture of Jamie Eason. There is a million things that you could do.

For the love of god Bodybuilding.com fix this immediately.

[Sounds Good]

Ok Mr. Colbert I found exactly what you are talking about.

So basically you go to the blog and create a new post. In that section you will see an upload dialog at the bottom of the screen.


Once you upload the file it is completely accessible and is located within the bodybuilding.com domain. Just copy the link location (as seen "Test" above).

Since the html file is located within the bodybuilding.com domain you can use ajax to submit/post forms to any page that accepts them on the site without the users knowledge.

For example you could force the user through the cart url via ajax and then capture their personal information in the response (if they are already logged in that is).
https://www.bodybuilding.com/cart/ca...&mode=checkout All with a simple mouseover wrapped around a picture of Jamie Eason. There is a million things that you could do.

For the love of god Bodybuilding.com fix this immediately.

x2, im not ordering anything until this **** is fixed

[stephencolbert]

Still no response from anyone at bodybuilding.com. I did you a favor pointing this out. As nasty as this is I expected a response within a couple of hours.

Call your Indian programmers and get this fixed. I was going to digg this post on http://digg.com just to get your attention but they have blacklisted this site for

guess what ......

wait for it ...........................






being a spam site.

Now where would they get that idea.

[outbreak]

I cannot believe they haven't replied or done anything about it. Thats just crazy with the amount of credit card numbers being pumped into this site daily.

[gill998]

Dude I thought you were full of crap until I tested it out. This is real. I looked into this some more and found that the blog is vulnerable in the actual posts and pages as well. You can script on the blog posts and pages through the on-events in html elements such as onclick, onmouseover, etc.

Here is a simple non-malicious test:
http://blog.bodybuilding.com/smedley...3/30/text-xss/

This thread has been sitting open for several days and no response from bb.com . I love it.

Wow, thats impressive. Why hasnt anyone done anything about it?

Bumped so more people can see this.

[Sounds Good]

Wow, thats impressive. Why hasnt anyone done anything about it?

Bumped so more people can see this.

now he's banned. sweet!

[smedleybutler]

No Good Deed Goes Unpunished.

[damnglass]

No Good Deed Goes Unpunished.

yeah,not like he could have used pms to notify people who can notify the mods,spreading even on a forum rarely used is still ****ing dumb.sucks he didnt do it the right way,smart to figure that out,once again common sence<intelligence

[skippy]

Holy Crap! I tried it myself.

http://blog.bodybuilding.com/skippy/2008/03/31/5414472/

Website Security 101: Prevent XSS!

This is just plain ridiculous! A few years ago a hacker exploited one of the sub forums that had html enabled (I think html is disabled on all the forums now).

He posted some javascript to steal and log the viewer's cookies. Once a moderator viewed the post the damage was done.

The hacker set his own cookies to match the cookies of the moderator and presto! he had just hijacked the moderator's account.

He went around creating threads and stickied them, then posted in the Moderator Forum (which is visible and accessible only to moderators/admins).

It was weird! He had complete access to the site - the same the the actual moderator did.

He would have had even more access had an admin viewed the post and he hijacked an admin's account.

Talk about a security hole!

[smedleybutler]

yeah,not like he could have used pms to notify people who can notify the mods,spreading even on a forum rarely used is still ****ing dumb.sucks he didnt do it the right way,smart to figure that out,once again common sence<intelligence

You spelled sense wrong. Sorry dude I couldn't help myself

[struck]

Who allows unfiltered and unsanitized HTML in anything that goes to front-end. It's 2008, comeon now!

[gill998]

now he's banned. sweet!

I think it was for the fake avi.

[BodySpaceAdmin]

Who allows unfiltered and unsanitized HTML in anything that goes to front-end. It's 2008, comeon now!

LOL, the guy who allowed it no longer works here... Anyway, should be plugged within a few hours, guys.

[smedleybutler]

Due to the nature of cross site scripting there is no way to tell how many accounts were compromised. Doesn't that mean you assume that all accounts were compromised.

Here is a white paper on xss and its impact on business.

http://www.virtualforge.de/whitepape...ing_impact.pdf

I believe the phrase "compliance violation" comes into play here.

When and how will all the users be contacted? Should I be looking for a letter in the mail?

[BodySpaceAdmin]

LOL, the guy who allowed it no longer works here... Anyway, should be plugged within a few hours, guys.

Hole is plugged now. Thanks to everyone (especially "stephencolbert") to bringing this to our attention!

[smackshosh]

gjdm, i was getting worried there for a minute. maybe you should hire somone to analyze security flaws make sure this doesnt happen again?

[skippy]

Hole is plugged now. Thanks to everyone (especially "stephencolbert") to bringing this to our attention!

All joking aside, cross site scripting is no laughing matter.

I wonder how many accounts were compromised? There is no way of knowing -- just like with identity theft the victim is the last to find out.

The blog went live, what, a year and a half ago? So that security hole has been there all this time and it is only NOW that it got fixed?

Are you guys going to conduct a security audit to find out what other areas of Bodybuilding.com are vulnerable?

Are you going to alert the user base of this security breach? I personally have changed my password and would strongly suggest all members do the same.

[smedleybutler]

I think Pee-Wee Herman said it best.

"It's like you're unraveling a big cable-knit sweater that someone keeps knitting and knitting and knitting and knitting and knitting and knitting..."

[smedleybutler]

Hole is plugged now. Thanks to everyone (especially "stephencolbert") to bringing this to our attention!

Oh Really!

I think StephenColbert should be unbanned so he can show us where the rest of the holes are.

That is if he is willing to come back.

[skippy]

Here is a thread with some of the fallout when a hacker used cross-site-scripting techniques to hijack some Bodybuilding.com accounts.

This was July 2006.

IntensityX hacking...

Rofl, I had almost forgotten about you, Intensity.

I already apologized to Sawastea for having to use his account as the main example. I owe you a BIG apology since I had completely forgotten about your account; and you could have been banned for good.

More then anything though, I'm disappointed. Sawastea seems very angry twords me. As does everyone else. Do you know why they disabled html here? Do you know why they knew that was the MAIN problem? Because I showed them and then told them.

You all are stuck on some raged fixation that I'm a hacker, and I was hacking into your accounts. 50% of that is actually true.

I hacked the accounts only to set an example of how easy it really is to gain access to a staff member's account. True, I could have emailed the admin and told him, but lets look at the fact of the situation. The admin, understandably, will get tons of emails a day. He will attend to those sent by users of urgent importance.

Not only that, but I found the vulnerability, so of course I wanted to check it out. The only harm I've caused is a few spam posts, and a thread about it in the mod section. And the infringement on your privacy? If you keep insulting my charity, I might just detest you enough to do something about it. Please don't insult me for helping the forum you enjoy.

But again, I apologize. I was going to use my account, and then catch a staff's account, and go from there. But I needed an account with posts, so a staff member had reason to look. When that didn't work too much, I spammed, knowing a staff member would come clean it up. Again, I apologize, but I urge you to understand the example I was setting.

With much love to the BB forums and they're safety,
Jack of ConsoleCodes.net


Edit:
To all whom are considering changing your password, go for it. I took control of Intensity's account because it was the first person to be infected. The same goes for Sawastea too; he was the first staff member to become infected. All my logs have been cleared and all information of anyone whos infected is gone. But if your still weary, which is fine, just change your password. No biggie.

[CTB]

I really think this thread should be brought to more peoples attention, shouldnt something be stickied in each of the forums to get people to change their passwords or something?

[thickmasss]

OP banned? lol ..

[Smokin Horn]

interesting

[falconXR]

Wow strong nerds n ****...

[SCOTCHTAPE]

OP banned? This looks like an inside job. Misc detectives.....