Invision Power Board URL Parameter Input Validation Error Lets Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1013863
|
|
SecurityTracker URL: http://securitytracker.com/id?1013863
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 2 2005
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.0.3, 2.1 Alpha 2
|
Description: Arron Ward from GovernmentSecurity.org reported an input validation vulnerability in Invision Power Board. A remote user can conduct cross-site scripting attacks.
The forum software does not properly validate user-supplied input in certain URL parameters. A remote user can create a specially
crafted URL that, when loaded by an authenticated target user, will cause arbitrary scripting code to be executed by the target
user's browser. The code will originate from the site running the Invision Power Board software and will run in the security context
of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any,
associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user.
A demonstration exploit URL is provided:
http://[target]/index.php?act='><script>alert(document.cookie)</script>
Internet
Explorer users are affected. Some other browsers do not execute the resulting HTML.
Other parameters are also affected.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the
site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.invisionboard.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "arron ward" <deadlink@elitemail.org>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 29 Apr 2005 08:47:37 -0700
From: "arron ward" <deadlink@elitemail.org>
Subject: Invision Xss reveals Cookie and session details
|
Invision Xss reveals Cookie and session details
by adding = to a script input , on any page can reveal logged in user
cookie and session details including hashes... details below
note:you must be a member for this to work !!
Vendor:http://www.invisionboard.com/
Notified = Yes
29/4/2005
Tested on
IPB 2.0.3
IPB 2.1 Alpha 2
not tested on other versions but i expect they will be vuln also
Tested this on IPB main website forum and it is fully working
also notifed IPB Admin via Private Message
Details:
here is the scripts this will work on various pages for instance : using
IE
Example visit:
http://forums.invisionpower.com/index.php?act
Now by adding an a equal = and script messsage , in this case to reveal
cookies and session path details including user hash ...
='><script>alert(document.cookie)</script>
so XSS full url is :
http://forums.invisionpower.com/index.php?act='><script>alert(document.cookie)</script>
again this will work on multipule urls...examples follow
/forum/index.php?act=Members='><script>alert(document.cookie)</script>
/forum/index.php?act='><script>alert(document.cookie)</script>
/forum/index.php?act=calendar='><script>alert(document.cookie)</script>
/forum/index.php?act=Help&CODE=01&HID='><script>alert(document.cookie)</script>
and so on...
regards
ComSec
co/Admin
http://www.governmentsecurity.org/forum
--
arron ward
deadlink@elitemail.org
|
|
