IPB v2.x up to 3.0.4 XSS vulnerability

2009-12-09T00:00:00
ID SECURITYVULNS:DOC:22899
Type securityvulns
Reporter Securityvulns
Modified 2009-12-09T00:00:00

Description

[+] Invision Power Board XSS vulnerability

    Software : Invision Power Board (IPB)
    Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
    Remote   : Yes
    Required : Internet Explorer +5.0
    Vendor   : http://www.invisionpower.com/
    Download : Commercially available
    Author   : Xacker
    Contact  : N/A
    Blog     : http://xacker.wordpress.com
    Website  : N/A

[+] Technical details

    IP.Board is prone to XSS attacks through maliciously crafted *.txt file attachments. An attacker has to convince a user to view the malicious file in order to run the evil code.

    The only browser found affected is Internet Explorer +5.0; other browsers (FF/Chrome/Opera..) seem to handle the issue correctly (or simply blindly?).

    IP.Board v2.x sets the MIME-type of *.txt files to (application/x-dirview). If the *.txt file contains JavaScript/HTML it will simply be parsed on IE +5.

    IP.Board v3.0.4 (and prior) seems to check the content of the files before permitting them: tags like "<body>, <script>, etc." are flagged as dangerous, and any file containing any of them simply fails to upload. The filter itself is weak; to escape it I provide proof-of-concept code below.

[+] Exploit

    --------------------------------->8---------------------------------
    <span onmouseover="javascript:alert('XSS');function fakeLoginPage(){...}">move your mouse pointer here</span>
    ---------------------------------8<---------------------------------

    The fakeLoginPage() function can be used to rewrite the whole page, faking a login page through an embedded iframe.

[+] Fix

    Simply change MIME-type of *.txt files (and any other similar formats) to (text/plain).
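
    An added example, not code from the advisory or from IP.Board: it runs a tag blacklist of the kind described above against the advisory's own proof-of-concept, then builds download headers that apply the fix. The blacklist contents, the extension set, the function names and the two extra headers (X-Content-Type-Options, Content-Disposition) are assumptions that go beyond the text/plain change the advisory asks for.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the proof-of-concept markup quoted in this advisory.
POC = ("<span onmouseover=\"javascript:alert('XSS');function "
       "fakeLoginPage(){...}\">move your mouse pointer here</span>")

# Assumed blacklist: the advisory names only <body> and <script>.
BLACKLIST = re.compile(r"<\s*(body|script)\b", re.IGNORECASE)


def blacklist_allows(content: str) -> bool:
    """Return True if a tag blacklist would accept this upload."""
    return BLACKLIST.search(content) is None


# Assumed set for "*.txt and any other similar formats".
TEXT_EXTS = {".txt", ".log", ".csv"}


def attachment_headers(filename: str) -> dict:
    """Response headers that serve an upload as inert data, whatever it contains."""
    # Keep only the base name, then drop characters that could break the header.
    name = PurePosixPath(filename.replace("\\", "/")).name
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "attachment"
    ext = PurePosixPath(safe).suffix.lower()
    # The advisory's fix: text formats go out as text/plain.
    # Everything else is sent as an opaque download, never as a renderable type.
    if ext in TEXT_EXTS:
        ctype = "text/plain; charset=utf-8"
    else:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        # Tells IE 8+ and other browsers not to sniff the body for HTML.
        "X-Content-Type-Options": "nosniff",
        # Download instead of rendering inside the forum's origin.
        "Content-Disposition": f'attachment; filename="{safe}"',
    }


if __name__ == "__main__":
    print("blacklist accepts the PoC:", blacklist_allows(POC))
    for header, value in attachment_headers("notes.txt").items():
        print(f"{header}: {value}")
```

    The blacklist accepts the proof-of-concept because it contains neither flagged tag, while the headers neutralise the file regardless of its content.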

[+] Note

    IP.Board technical staff has been notified of the issue and a fix was released a couple of days ago: http://community.invisionpower.com/topic/300051-invision-power-board-305-released/