Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Advisory 02/2009: PHPIDS Unserialize()
Vulnerability

  Advisory 03/2009: Piwik Cookie unserialize()
Vulnerability

  Zen Cart local file disclosure vulnerability

  PhpShop Multiple Vulnerabilities

From:Xacker <old.good.xacker_(at)_gmail.com>
Date:9 декабря 2009 г.
Subject:IPB v2.x up to 3.0.4 XSS vulnerability

[+] Invision Power Board XSS vulnerability

       Software : Invision Power Board (IPB)
       Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
       Remote   : Yes
       Required : Internet Explorer +5.0
       Vendor   : http://www.invisionpower.com/
       Download : Commercially available
       Author   : Xacker
       Contact  : N/A
       Blog     : http://xacker.wordpress.com
       Website  : N/A


[+] Technical details

       IP.Board is prone to XSS attacks through maliciously crafted *.txt
files attachments. An attacker has to convince a user to view the
malicious file in order to run the evil code.

       The only browser found affected is Internet Explorer +5.0, other
browsers (FF/Chrome/Opera..) seems to handle the issue correctly (or
simply blindly?)

       IP.Board v2.x set the MIME-type of *.txt files to
(application/x-dirview). If the *.txt file contains JavaScript/HTML it
will simply be parsed on IE +5.

       IP.Board v3.0.4 (and prior) seems to check the content of the files
before permitting them, tags like "<body> , <script> , etc.." are
flagged *dangerous* any file containing any of them simply fail to be
uploaded. The filter itself is weak, to escape it I provide a
proof-of-concept code below.


[+] Exploit

       --------------------------------->8---------------------------------
       <span onmouseover="javascript:alert('XSS');function
fakeLoginPage(){...}">move your mouse pointer here</span>
       ---------------------------------8<---------------------------------

       fakeLoginPage() function can be used to rewrite the whole page,
faking a login page through an embedded iframe.


[+] Fix

       Simply change MIME-type of *.txt files (and any other similar
formats) to (text/plain).


[+] Note

       IP.Board technical staff has been notified of the issue and a fix has
been released couple of days ago:
       http://community.invisionpower.com/topic/300051-invision-power-board-305-r
eleased/

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород