Invision Power Board Attachment Cross Site Scripting

Type packetstorm
Reporter MustLive
Modified 2009-12-15T00:00:00


                                            `Hello Bugtraq!  
I want to warn you about new vulnerabilities in Invision Power Board.  
These are Cross-Site Scripting vulnerabilities. Attack is going via   
attachment (at click on the attachment in the post at forum or on the link   
to this attachment). These are persistent XSS vulnerabilities.  
I know for a long time about possibility of attacks via swf-files. So many   
years ago I turned off support of swf-files in attachments (and in avatars   
and photos). Also I wrote at beginning of 2008 about XSS vulnerability in   
IPB ( via embedded flash files and released   
fix for it in my MustLive Security Pack (  
In 2008 there was found Cross-Site Scripting vulnerability in IPB   
( via htm and html files in   
attachments. It was concerned Internet Explorer, in which a code was   
executing in context of the site (in Mozilla and Firefox a code was   
executing locally). But as I checked at 12.12.2009, in Opera a code also is   
executing in context of the site.  
And recently there was found new XSS vulnerability in IPB   
(, this time via txt-files. Which   
concerns Internet Explorer. In case of htm, html and txt-files (and also   
below-mentioned php, rtf and xml-files) the best method of protection   
against XSS is turning off of their support at forum (similarly to   
At 12.12.2009 I found new Cross-Site Scripting vulnerabilities in Invision   
Power Board. Attack is going via files php, rtf and xml (in attachments).  
There are possible next attacks:  
1. Attack via uploading php-files with JavaScript code. Works in IE and   
Opera in context of the site. In browsers Mozilla and Firefox file will open   
locally (not in context of the site) at selecting open in browser.   
Accordingly in case of attack via htm, html and php files at browsers   
Mozilla and Firefox, which open them locally (at selecting in dialog window   
by user), attack at local computer of the user it possible.  
2. Attack via uploading rtf-files with JavaScript code. Works only in   
Internet Explorer.  
3. Attack via uploading xml-files with JavaScript code. Works in Mozilla,   
Firefox, Opera and Chrome (but without access to cookies).  
For attacks via htm, html, php, rtf and txt-files, it's needed to create a   
file with next content (and upload it as attachment to forum):  
I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x   
(particularly for txt), 2.x and 3.0.x must be vulnerable. Author of advisory   
about attack via txt-files noted, that there are filters against XSS during   
uploading of the files in IPB 3.0.4, but they can be bypassed.  
I made checking in next browsers: Internet Explorer 6 (6.0.2900.2180),   
Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome  
I mentioned about these vulnerabilities at my site   
Best wishes & regards,  
Administrator of Websecurity web site