ID: CVE-2005-1597
Type: cve
Reporter: NVD
Modified: 2017-07-10T21:32:42

Description
Cross-site scripting (XSS) vulnerability in (1) search.php and (2) topics.php for Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the highlite parameter.
{"osvdb": [{"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "description": "## Vulnerability Description\nInvision Power Board contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'highlite' variable upon submission to the 'topics.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Invision Power Services, Inc. has released a patch to address this vulnerability.\n## Short Description\nInvision Power Board contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'highlite' variable upon submission to the 'topics.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.invisionboard.com/\nVendor Specific Solution URL: http://forums.invisionpower.com/index.php?showtopic=168016\nSecurity Tracker: 1013907\n[Secunia Advisory ID:15265](https://secuniaresearch.flexerasoftware.com/advisories/15265/)\n[Related OSVDB ID: 16297](https://vulners.com/osvdb/OSVDB:16297)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00073-05052005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0071.html\nISS X-Force ID: 20445\nFrSIRT Advisory: ADV-2005-0487\n[CVE-2005-1597](https://vulners.com/cve/CVE-2005-1597)\nBugtraq ID: 13534\n", "modified": "2005-05-05T11:00:40", "published": "2005-05-05T11:00:40", "href": "https://vulners.com/osvdb/OSVDB:16298", "id": "OSVDB:16298", "type": "osvdb", "title": 
"Invision Power Board topics.php highlite Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:06:06", "bulletinFamily": "scanner", "description": "According to its banner, the version of Invision Power Board on the\nremote host suffers from multiple vulnerabilities :\n\n - SQL Injection Vulnerability\n The application fails to sanitize user-input supplied \n through the 'pass_hash' cookie in the 'sources/login.php'\n script, which can be exploited to affect database\n queries, potentially revealing sensitive information.\n\n - Multiple Cross-Site Scripting Vulnerabilities\n An attacker can pass arbitrary HTML and script code \n through the 'highlite' parameter of the \n 'sources/search.php' and 'sources/topics.php' scripts.", "modified": "2018-11-15T00:00:00", "published": "2005-05-09T00:00:00", "id": "INVISION_POWER_BOARD_2_0_4.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18203", "title": "Invision Power Board < 2.0.4 Multiple Vulnerabilities (SQLi, XSS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(18203);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2005-1597\", \"CVE-2005-1598\");\n script_bugtraq_id(13529, 13532, 13534, 13375);\n\n script_name(english:\"Invision Power Board < 2.0.4 Multiple Vulnerabilities (SQLi, XSS)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is vulnerable to\nmultiple attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Invision Power Board on the\nremote host suffers from multiple vulnerabilities :\n\n - SQL Injection Vulnerability\n The application fails to sanitize user-input supplied \n through the 'pass_hash' cookie in the 'sources/login.php'\n script, which can be exploited to 
affect database\n queries, potentially revealing sensitive information.\n\n - Multiple Cross-Site Scripting Vulnerabilities\n An attacker can pass arbitrary HTML and script code \n through the 'highlite' parameter of the \n 'sources/search.php' and 'sources/topics.php' scripts.\" );\n # http://web.archive.org/web/20080918071547/http://www.gulftech.org/?node=research&article_id=00073-05052005\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?20da0580\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/May/70\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Jul/255\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Invision Power Board 2.0.4 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/05/09\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/05\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:invisionpower:invision_power_board\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks for multiple vulnerabilities in Invision Power Board < 2.0.4\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"invision_power_board_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/invision_power_board\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/invision_power_board\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n if (ver =~ \"^([01]\\.|2\\.0\\.[0-3][^0-9]*)\")\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-01-24T14:28:34", "bulletinFamily": "exploit", "description": "Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities. CVE-2005-1597,CVE-2005-1598. Webapps exploit for PHP platform", "modified": "2015-05-05T00:00:00", "published": "2015-05-05T00:00:00", "id": "EDB-ID:43824", "href": "https://www.exploit-db.com/exploits/43824/", "type": "exploitdb", "title": "Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities", "sourceData": "IP.Board Multiple Vulnerabilities\r\n\r\nVendor: Invision Power Services\r\nProduct: IP.Board\r\nVersion: <= 2.0.3\r\nWebsite: http://www.invisionboard.com/\r\n\r\nBID: 13529 13534 \r\nCVE: CVE-2005-1597 CVE-2005-1598 \r\nOSVDB: 16297 16298 \r\nSECUNIA: 15265 \r\nPACKETSTORM: 39098 \r\n\r\nDescription:\r\nInvision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind. It is used by a great many people all over the world. 
All versions of Invision Power Board are vulnerable to a serious SQL Injection vulnerability. An attacker does not have to be logged in, or even have access or permission to view the forums in order to exploit this vulnerability. Users should upgrade immediately. \r\n\r\n\r\nCross Site Scripting:\r\nIt is possible for an attacker to conduct Cross Site Scripting attacks in all versions of Invision Power Board prior to the recently released 2.0.4. This vulnerability exists due to data submitted to the \"highlite\" parameter not being sanitized properly when displaying search results. The same issue also exists in \"sources/topics.php\". The only condition is that the data sent to the \"highlite\" parameter must be double hex encoded data in order to bypass the global sanitation methods. \r\n\r\n\r\nSQL Injection:\r\nI have discovered a serious SQL Injection issue in Invision Power Board that affects most all versions of Invision Power Board regardless of most server configurations. Also, because of the fact that UNION functionality is not needed an attacker need not worry if the victim is running an up to date version of MySQL. The vulnerability lies in the way that Invision Board handles certain types of \"login methods\". Let us have a look at the source of 'sources/login.php' \r\n\r\nif ( ! $ibforums->member['id'] )\r\n{\r\n\t$mid = intval($std->my_getcookie('member_id'));\r\n\t$pid = $std->my_getcookie('pass_hash');\r\n\r\n\tIf ($mid and $pid)\r\n\t{\r\n\r\n\t$DB->query(\"SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'\");\r\n\r\n\t\tif ( $member = $DB->fetch_row() )\r\n\t\t{\r\n\t\t\t$ibforums->member = $member;\r\n\t\t\t$ibforums->session_id = \"\";\r\n\t\t\t$std->my_setcookie('session_id','0', -1 );\r\n\t\t}\r\n\t}\r\n}\r\n\r\n\r\n\r\nThis particular portion of code is from the IPB 1.* series, but the vulnerability seems to exist on all versions of IPB (both the 1.* and 2.* series). 
Anyway, as we can see from the above code the variable $mid is properly forced into an integer datatype and as a result is safe to pass to the query, but what about $pid? In the above code we see that the value of $pid is returned from the my_getcookie() function within the FUNC class. Well, let us have a look at this function to see if $pid is sanitized within the function itself. \r\n\r\nfunction my_getcookie($name)\r\n{\r\n\tglobal $ibforums;\r\n\t\r\n\tif (isset($_COOKIE[$ibforums->vars['cookie_id'].$name]))\r\n\t{\r\n\t\treturn urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);\r\n\t}\r\n\telse\r\n\t{\r\n\t\treturn FALSE;\r\n\t}\r\n}\r\n\r\nIn the above code we can see that not only is the data unsanitized, but the way the urldecode() function is used also lets an attacker bypass magic_quotes_gpc. Now, back to the auto_login() function where we want to concentrate on this bit of code. \r\n\r\n$DB->query(\"SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'\");\r\n\r\nif ( $member = $DB->fetch_row() )\r\n{\r\n\t$ibforums->member = $member;\r\n\t$ibforums->session_id = \"\";\r\n\t$std->my_setcookie('session_id','0', -1 );\r\n}\r\n\r\n\r\n\r\nThis would be a very easy issue to exploit if visible data was returned to the browser, but all we will be able to see is a line in the response header that looks something like this. \r\n\r\nSet-Cookie: session_id=0; path=/; domain=example.com \r\n\r\nIf we see this then we know the query returned true and produced some results. This is not that easy of an issue to exploit, but there are a number of ways to successfully take advantage of this issue. For one an attacker can select member data into an outfile and use their browser to retrieve that data, or use the MySQL \"mid\" function to enumerate each character of the hash one by one until the entire hash is discovered! 
In future versions of MySQL issues like this will be a lot easier to exploit as we will then be able to \"SELECT * FROM `blah` INTO TABLE `foobar`\" much like Oracle database for example. With functionality like that an attacker can then do things like dump user data into a message to himself. There is working exploit code for this issue available, but we will not be releasing it publicly. Users should upgrade as soon as possible, as this is a fairly dangerous vulnerability. \r\n\r\n\r\nSolution:\r\nMatthew Mecham addressed these issues in a VERY timely and professional manner and fixes have been available for some time now. \r\n\r\nhttp://forums.invisionpower.com/index.php?showtopic=168016 \r\n\r\nAll users should upgrade their Invision Power Board installations as soon as possible, as these vulnerabilities make it fairly easy to grab sensitive user data including password hashes from the database. \r\n\r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/43824/"}]}