Invision Power Board 3.0.4 Cross Site Scripting

2009-12-10T00:00:00
ID PACKETSTORM:83624
Type packetstorm
Reporter Xacker
Modified 2009-12-10T00:00:00

Description

[+] Invision Power Board XSS vulnerability  
  
Software : Invision Power Board (IPB)  
Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)  
Remote : Yes  
Required : Internet Explorer +5.0  
Vendor : http://www.invisionpower.com/  
Download : Commercially available  
Author : Xacker  
Contact : N/A  
Blog : http://xacker.wordpress.com  
Website : N/A  
  
  
[+] Technical details  
  
IP.Board is prone to XSS attacks through maliciously crafted *.txt  
file attachments. An attacker has to convince a user to view the  
malicious file in order to run the injected code.  
  
The only browser found affected is Internet Explorer 5.0 and later; other  
browsers (Firefox, Chrome, Opera, ...) seem to handle the issue correctly (or  
simply do not sniff the content).  
  
IP.Board v2.x sets the MIME type of *.txt attachments to  
application/x-dirview. If the *.txt file contains JavaScript/HTML, IE 5.0  
and later will simply render it as HTML.  
  
IP.Board v3.0.4 (and prior) checks the content of a file before accepting  
it: tags such as "<body>", "<script>", etc. are flagged as *dangerous*, and  
any file containing one of them fails to upload. The filter itself is a  
weak tag blocklist; the proof-of-concept below passes it.  
  
  
[+] Exploit  
  
--------------------------------->8---------------------------------  
<span onmouseover="javascript:alert('XSS');function  
fakeLoginPage(){...}">move your mouse pointer here</span>  
---------------------------------8<---------------------------------  
  
fakeLoginPage() function can be used to rewrite the whole page,  
faking a login page through an embedded iframe.  
  
  
[+] Fix  
  
Simply change the MIME type of *.txt attachments (and of any other similar  
format) to text/plain.  
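The fix above, and the MIME-type problem described under "Technical details", as an added example that is not part of this advisory or of IP.Board's own code: a small attachment-serving helper that always labels uploads with a conservative content type (never application/x-dirview), tells the browser not to sniff, and offers the file as a download instead of rendering it. The extension-to-type table, the function names and the sample upload are assumptions constructed for illustration.

```python
"""Serve user-uploaded attachments so the browser never treats a *.txt
(or unknown) upload as HTML.

Added example, not IP.Board code. The type table, helper names and the
sample upload below are constructed for illustration.
"""
import os
import re

# Types we are willing to label precisely; anything else is served as an
# opaque download. The advisory's application/x-dirview is deliberately
# absent: IE falls back to content sniffing for types it does not know.
SAFE_CONTENT_TYPES = {
    ".txt": "text/plain; charset=utf-8",
    ".log": "text/plain; charset=utf-8",
    ".csv": "text/plain; charset=utf-8",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".pdf": "application/pdf",
}
FALLBACK_TYPE = "application/octet-stream"


def safe_filename(name: str) -> str:
    """Keep only the basename and a conservative character set so the
    name cannot smuggle path components or extra header parameters."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "download"


def attachment_headers(filename: str) -> dict:
    """Response headers for one attachment, keyed by header name."""
    ext = os.path.splitext(filename)[1].lower()
    content_type = SAFE_CONTENT_TYPES.get(ext, FALLBACK_TYPE)
    return {
        # The advisory's fix: label text uploads as text/plain.
        "Content-Type": content_type,
        # Stop IE 8+ (and other browsers) from sniffing the body and
        # upgrading text/plain to text/html.
        "X-Content-Type-Options": "nosniff",
        # Offer the file as a download rather than rendering it inline.
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        # Belt and braces: even if something does render it, no script
        # may execute and it gets a unique origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def serve_attachment(filename: str, data: bytes):
    """Build a (status, header list, body) triple for a WSGI handler.

    The upload body is passed through unchanged: the defence is in the
    headers, not in a tag blocklist applied to the content.
    """
    headers = list(attachment_headers(filename).items())
    headers.append(("Content-Length", str(len(data))))
    return "200 OK", headers, data


if __name__ == "__main__":
    # Constructed sample: an upload containing markup, as in the advisory.
    sample = b'<span onmouseover="alert(1)">hover</span>\n'
    status, headers, body = serve_attachment("notes.txt", sample)
    print(status)
    for name, value in headers:
        print("%s: %s" % (name, value))
```

Serving the file with these headers does not require inspecting its bytes at all, which is why it holds up where the upload-time tag filter in v3.0.4 did not: the browser is told exactly what the file is, is forbidden to guess otherwise, and is asked to download rather than display it.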
  
  
[+] Note  
  
IP.Board technical staff have been notified of the issue and a fix was  
released a couple of days ago:  
http://community.invisionpower.com/topic/300051-invision-power-board-305-released/  