Invision Power Board : XSS in [FONT] and [COLOR] tags.
2003-09-13T00:00:00
ID SECURITYVULNS:DOC:5105 Type securityvulns Reporter Securityvulns Modified 2003-09-13T00:00:00
Description
Information :
°°°°°°°°°°°°°°
Language : PHP
Version : 1.2 FINAL
Website : http://www.invisionboard.com/
Problem : Permanent XSS
Dev :
°°°°°
[FONT=expression(alert(document.cookie))]text[/FONT] will produce the HTML :
<span style='font-family:expression(alert(document.cookie))'>text</span>
[COLOR=expression(alert(document.cookie))]text[/COLOR] will produce the HTML :
<span style='color:expression(alert(document.cookie))'>text</span>
and the JavaScript alert(document.cookie) will be executed.
Solution :
°°°°°°°°°
A patch can be found on http://www.phpsecure.info.
In sources/lib/post_parser.php, just replace the lines :
-----------------------------------------------------------------------------
// Vulnerable: the attribute value may contain anything except "]"
while ( preg_match( "#\[font=([^\]]+)\](.*?)\[/font\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[font=([^\]]+)\](.*?)\[/font\]#ies" , "\$this->regex_font_attr(array('s'=>'font','1'=>'\\1','2'=>'\\2'))", $txt );
}

while( preg_match( "#\[color=([^\]]+)\](.+?)\[/color\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[color=([^\]]+)\](.+?)\[/color\]#ies" , "\$this->regex_font_attr(array('s'=>'col' ,'1'=>'\\1','2'=>'\\2'))", $txt );
}
-----------------------------------------------------------------------------

with the lines :

-----------------------------------------------------------------------------
// Patched: the font value may not contain ; < > * ( ) ] " or '
// (the same character class is used in the loop condition and in the replacement)
while ( preg_match( "#\[font=([^;<>\*\(\)\]\"']*)\](.*?)\[/font\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[font=([^;<>\*\(\)\]\"']*)\](.*?)\[/font\]#ies" , "\$this->regex_font_attr(array('s'=>'font','1'=>'\\1','2'=>'\\2'))", $txt );
}

// Patched: the color value may only contain letters and digits
while( preg_match( "#\[color=([a-zA-Z0-9]*)\](.+?)\[/color\]#ies", $txt ) )
{
    $txt = preg_replace( "#\[color=([a-zA-Z0-9]*)\](.+?)\[/color\]#ies" , "\$this->regex_font_attr(array('s'=>'col' ,'1'=>'\\1','2'=>'\\2'))", $txt );
}
-----------------------------------------------------------------------------

More Details :
°°°°°°°°°°°°
In French : http://www.phpsecure.info/v2/tutos/InvisionPowerBoard1.2F.txt

frog-m@n (http://www.phpsecure.info)
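The fix above restricts what may follow [FONT=] and [COLOR=] before the value is copied into a style attribute. The added example below (not code from Invision Power Board or from the advisory's patch) shows the same tag expansion with and without that restriction, written with preg_replace_callback for current PHP. It goes one step further than the patch by using an allowlist for both tags and accepting #hex colours; render_tags(), COLOR_RE and FONT_RE are hypothetical names, and the sample post is constructed.

```php
<?php
// Added illustration, not Invision Power Board code: render_tags() and the
// two allowlist constants are hypothetical names.
const COLOR_RE = '/^(?:#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i';  // red, #f00, #ff0000
const FONT_RE  = '/^[a-z0-9 ,-]{1,64}$/i';                          // Arial, Times New Roman

function render_tags(string $txt, bool $hardened): string
{
    // Escape HTML once, before any tag is expanded.
    $txt  = htmlspecialchars($txt, ENT_QUOTES);
    $tags = ['font' => ['font-family', FONT_RE], 'color' => ['color', COLOR_RE]];

    foreach ($tags as $tag => [$prop, $allow]) {
        $pattern = '#\[' . $tag . '=([^\]]+)\](.*?)\[/' . $tag . '\]#is';
        do {
            $txt = preg_replace_callback(
                $pattern,
                function (array $m) use ($prop, $allow, $hardened): string {
                    $value = trim($m[1]);
                    if ($hardened && !preg_match($allow, $value)) {
                        return $m[2];  // value rejected: keep the text, emit no style
                    }
                    return "<span style='$prop:$value'>{$m[2]}</span>";
                },
                $txt, -1, $count
            );
        } while ($count > 0);  // repeat so nested tags are expanded too
    }
    return $txt;
}

// Constructed sample post: the payload from the advisory next to a legitimate tag.
$post = '[COLOR=expression(alert(document.cookie))]text[/COLOR] [color=red]ok[/color]';
echo render_tags($post, false), "\n";  // 1.2 FINAL behaviour: value copied into style
echo render_tags($post, true), "\n";   // allowlisted: only color:red reaches the page
```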