Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22921
HistoryDec 15, 2009 - 12:00 a.m.

Cross-Site Scripting vulnerabilities in Invision Power Board

2009-12-1500:00:00
vulners.com
12

Hello 3APA3A!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. Attack is going via
attachment (at click on the attachment in the post at forum or on the link
to this attachment). These are persistent XSS vulnerabilities.

I know for a long time about possibility of attacks via swf-files. So
many years ago I turned off support of swf-files in attachments (and in
avatars and photos). Also I wrote at beginning of 2008 about XSS
vulnerability in IPB (http://websecurity.com.ua/1893/) via embedded flash
files and released fix for it in my MustLive Security Pack
(http://websecurity.com.ua/1896/).

In 2008 there was found Cross-Site Scripting vulnerability in IPB
(http://securityvulns.ru/Tdocument862.html) via htm and html files in
attachments. It was concerned Internet Explorer, in which a code was
executing in context of the site (in Mozilla and Firefox a code was
executing locally). But as I checked at 12.12.2009, in Opera a code also
is executing in context of the site.

And recently there was found new XSS vulnerability in IPB
(http://securityvulns.ru/Wdocument899.html), this time via txt-files.
Which concerns Internet Explorer. In case of htm, html and txt-files (and
also below-mentioned php, rtf and xml-files) the best method of protection
against XSS is turning off of their support at forum (similarly to
swf-files).

At 12.12.2009 I found new Cross-Site Scripting vulnerabilities in
Invision Power Board. Attack is going via files php, rtf and xml (in
attachments).

There are possible next attacks:

  1. Attack via uploading php-files with JavaScript code. Works in IE and
    Opera in context of the site. In browsers Mozilla and Firefox file will
    open locally (not in context of the site) at selecting open in browser.
    Accordingly in case of attack via htm, html and php files at browsers
    Mozilla and Firefox, which open them locally (at selecting in dialog
    window by user), attack at local computer of the user it possible.

  2. Attack via uploading rtf-files with JavaScript code. Works only in
    Internet Explorer.

  3. Attack via uploading xml-files with JavaScript code. Works in Mozilla,
    Firefox, Opera and Chrome (but without access to cookies).

XSS:

For attacks via htm, html, php, rtf and txt-files, it's needed to create
a file with next content (and upload it as attachment to forum):

<script>alert(document.cookie)</script>

I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x
(particularly for txt), 2.x and 3.0.x must be vulnerable. Author of
advisory about attack via txt-files noted, that there are filters against
XSS during uploading of the files in IPB 3.0.4, but they can be bypassed.

I made checking in next browsers: Internet Explorer 6 (6.0.2900.2180),
Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome
1.0.154.48.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/3764/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua