Invision Power Board IBF Tag Injection

2003-08-23T00:00:00
ID OSVDB:3362
Type osvdb
Reporter OSVDB
Modified 2003-08-23T00:00:00

Description

Vulnerability Description

Invision Power Board allows a remote attacker to inject arbitrary HTML code, which may allow altering page content, display and more. The issue is due to unchecked IBF formatting tags in user-posted content. Such modified content would allow the attacker to execute the code on subsequent viewers' machines.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, the vulnerability reporter has released a patch to address this vulnerability.

Manual Testing Notes

[IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG][/QUOTE]
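A check of the kind the description says is missing, run on the manual test string above. This is an added example, not Invision Power Board code or the reporter's patch. The tag set, the URL rule and the name check_post_tags are assumptions made for illustration.

```python
import re

# Assumed tag set for illustration; the page itself names only IMG and QUOTE.
KNOWN_TAGS = {"IMG", "QUOTE", "B", "I", "U", "URL"}
LEAF_TAGS = {"IMG"}  # tags whose body must be plain data, never other tags
TAG_RE = re.compile(r"\[(/?)([A-Za-z]+)(?:=[^\]]*)?\]")
# Assumed rule: an image body is a bare http(s) URL with no quotes or brackets.
SAFE_IMG_URL = re.compile(r"^https?://[^\s\"'<>\[\]]+$", re.IGNORECASE)

# The string from the Manual Testing Notes.
MANUAL_TEST = "[IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG][/QUOTE]"


def check_post_tags(text):
    """Return a list of problems; an empty list means the tags nest cleanly."""
    problems = []
    stack = []  # (tag name, offset just past the opening tag)
    for m in TAG_RE.finditer(text):
        closing, name = m.group(1) == "/", m.group(2).upper()
        if name not in KNOWN_TAGS:
            continue  # unknown bracketed text is treated as literal text
        if not closing:
            if stack and stack[-1][0] in LEAF_TAGS:
                problems.append(f"[{name}] opened inside [{stack[-1][0]}]")
            stack.append((name, m.end()))
            continue
        if not stack:
            problems.append(f"[/{name}] has no opening tag")
            continue
        open_name, body_start = stack[-1]
        if open_name != name:
            # Interleaved tags: report and leave the stack as it is.
            problems.append(f"[/{name}] closes while [{open_name}] is still open")
            continue
        stack.pop()
        if name == "IMG" and not SAFE_IMG_URL.match(text[body_start:m.start()]):
            problems.append("[IMG] body is not a plain http(s) URL")
    problems.extend(f"[{name}] is never closed" for name, _ in stack)
    return problems


if __name__ == "__main__":
    for problem in check_post_tags(MANUAL_TEST):
        print(problem)
```

A post that returns any problem should be stored and displayed as escaped literal text rather than passed to the tag renderer.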

References:

Vendor URL: http://www.invisionboard.com/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-08/0035.html
ISS X-Force ID: 12842
Generic Informational URL: http://www.securitytracker.com/alerts/2003/Aug/1007405.html
Bugtraq ID: 8335