InVision Power Board XSS

Information :
¯¯¯¯¯¯¯¯¯¯¯¯¯
Language : PHP
Version : 1.2 FINAL
Website : <http://www.invisionboard.com/>
Problem : Permanent XSS

Dev :
¯¯¯¯¯
[FONT=expression(alert(document.cookie))]text[/FONT] produces the HTML :
<span style='font-family:expression(alert(document.cookie))'>text</span>
[COLOR=expression(alert(document.cookie))]text[/COLOR] produces the HTML :
<span style='color:expression(alert(document.cookie))'>text</span>

The attribute value is copied into the style attribute unfiltered, so the JavaScript alert(document.cookie) is executed whenever the post is displayed.

Solution :
¯¯¯¯¯¯¯¯¯¯
A patch can be found on <http://www.phpsecure.info>.
In sources/lib/post_parser.php , just replace the lines :
-----------------------------------------------------------------------------------------------------------------------------
// Original code: any character except ] is accepted as the attribute value.
while ( preg_match( "#\[font=([^\]]+)\](.*?)\[/font\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[font=([^\]]+)\](.*?)\[/font\]#ies" ,
        "\$this->regex_font_attr(array('s'=>'font','1'=>'\\1','2'=>'\\2'))", $txt );
}

while( preg_match( "#\[color=([^\]]+)\](.+?)\[/color\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[color=([^\]]+)\](.+?)\[/color\]#ies" ,
        "\$this->regex_font_attr(array('s'=>'col' ,'1'=>'\\1','2'=>'\\2'))", $txt );
}
-----------------------------------------------------------------------------------------------------------------------------

with the lines :

-----------------------------------------------------------------------------------------------------------------------------
// The font value may no longer contain ; < > * ( ) ] " or ',
// so expression(...) cannot reach the style attribute.
while ( preg_match( "#\[font=([^;<>\*\(\)\]\"']*)\](.*?)\[/font\]#ies", $txt ) )
{
    // Same character class as the preg_match above.
    $txt = preg_replace( "#\[font=([^;<>\*\(\)\]\"']*)\](.*?)\[/font\]#ies" ,
        "\$this->regex_font_attr(array('s'=>'font','1'=>'\\1','2'=>'\\2'))", $txt );
}

// The color value is restricted to letters and digits.
while( preg_match( "#\[color=([a-zA-Z0-9]*)\](.+?)\[/color\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[color=([a-zA-Z0-9]*)\](.+?)\[/color\]#ies" ,
        "\$this->regex_font_attr(array('s'=>'col' ,'1'=>'\\1','2'=>'\\2'))", $txt );
}
-----------------------------------------------------------------------------------------------------------------------------
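
A regression check for the patch above, as an added example that is not part of the advisory or of Invision Power Board: it runs the original and the patched patterns over constructed sample posts and flags any output that still carries expression( inside a style attribute. render_span() is a hypothetical stand-in for regex_font_attr(), whose body is not shown here, and preg_replace_callback is used in place of the /e modifier so the check runs on current PHP (7.4 or later).

```php
<?php
// Added example, not Invision Power Board code. render_span() is a hypothetical
// stand-in for regex_font_attr(); it only reproduces the HTML shown in the advisory.
function render_span(string $prop, string $value, string $body): string
{
    return "<span style='$prop:$value'>$body</span>";
}

// Single-pass conversion of one BBCode tag with the given pattern.
function convert(string $pattern, string $prop, string $txt): string
{
    return preg_replace_callback(
        $pattern,
        fn(array $m) => render_span($prop, $m[1], $m[2]),
        $txt
    );
}

$patterns = [
    'original' => [
        'font-family' => '#\[font=([^\]]+)\](.*?)\[/font\]#is',
        'color'       => '#\[color=([^\]]+)\](.+?)\[/color\]#is',
    ],
    'patched' => [
        'font-family' => '#\[font=([^;<>\*\(\)\]"\']*)\](.*?)\[/font\]#is',
        'color'       => '#\[color=([a-zA-Z0-9]*)\](.+?)\[/color\]#is',
    ],
];

// Constructed sample posts: two benign ones and the two inputs from the advisory.
$samples = [
    '[FONT=Verdana]text[/FONT]',
    '[COLOR=red]text[/COLOR]',
    '[FONT=expression(alert(document.cookie))]text[/FONT]',
    '[COLOR=expression(alert(document.cookie))]text[/COLOR]',
];

foreach ($patterns as $name => $set) {
    echo "== $name ==\n";
    foreach ($samples as $post) {
        $html = $post;
        foreach ($set as $prop => $pattern) {
            $html = convert($pattern, $prop, $html);
        }
        // A safe result never carries expression( inside a style attribute.
        $unsafe = (bool) preg_match("#style='[^']*expression\(#i", $html);
        printf("%-6s %s\n", $unsafe ? 'UNSAFE' : 'ok', $html);
    }
}
```

With the patched patterns the two advisory inputs are left as unconverted BBCode text. The patched color class [a-zA-Z0-9] also leaves values such as #ff0000 unconverted, because # is not in the allowed set.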

More Details :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯
In French : <http://www.phpsecure.info/v2/tutos/InvisionPowerBoard1.2F.txt>







frog-m@n <mailto:frog-m@n> (<http://www.phpsecure.info>)
