[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030804002946.4431.qmail@www.securityfocus.com>
Date: 4 Aug 2003 00:29:46 -0000
From: Daniel Boland <DCBoland@...eyonder.co.uk>
To: bugtraq@...urityfocus.com
Subject: Invision Board spoof and defacement
-INTRO-
All versions of Invisions Board have a flaw in their
input filtering that allows an attacker to completely
mess up Invision's display and in one case I managed to
change the URL of some of the forums links, which could
be used to refer users to fake login sites to collect
passwords etc.
-VENDOR STATUS-
The vendor hasn't been notified because of their
handling of previous vulnerabilties I found in Invision
Board, instead I wrote a patch myself.
-EXPLANATION-
The problem is with the IBF tags used to enhance forum
posts, for example [IMG]www.example.com/some.gif[/IMG]
would be parsed into HTML code to include an image in
the post. When two tags overlap i.e. [QUOTE]bla
[IMG]http://www.example.com/some.gif[/QUOTE]some.gif[/IMG]
the first tag's closing HTML code ends up inside the
image's source string, meaning that the 'quote' never
gets closed. This would lead to the rest of the
document being included as a quote inside the
attacker's post. So far this leads to defacement but
nothing major, however a slight variation of the above
would be:
[IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG]
[/QUOTE]
now instead of not closing a quote, we close a quote
without opening it; thus 'escaping' out of our post
area where we can spoof forum links.
-PATCH-
A patch for this is simple, just add code to the [IMG]
parser function to watch out for the following symbols:
<>[]
Your forum may have more vulnerable tags because of
mods you've used, and I suspect the [EMAIL] tag is
vulnerable too - but that would be more of the same and
the following code could be changed to fix that too.
Paste this into /sources/lib/post_parser.php in the
regex_check_image function, just after the max_images
check (that's line 1214 on version 1.2):
// Check if previous tag has left HTML inside this one
or if there's another tag in here (just in case) ~
Daniel Boland
if (preg_match( "/[\<\>\[\]]/", $url))
{
$this->error = 'poss_hack_attempt';
return $default;
}
--------------
~Daniel Boland
Powered by blists - more mailing lists