Message-ID: <20040305130832.64623.qmail@web25104.mail.ukl.yahoo.com>
Date: Fri, 5 Mar 2004 13:08:32 +0000 (GMT)
From: Shaun Colley <shaunige@...oo.co.uk>
To: bugtraq@...urityfocus.com
Subject: Invision Power Board 1.3 Final Path Disclosure Vulnerability


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product:      Invision Power Board
              http://www.invisionboard.com
Versions:     1.3 Final (and probably lower)     
Bug:          Disclosure of install path
Impact:       Attacker learns the local install
              path of Invision Power Board and the
              htdocs
Date:         March 05, 2004
Author:       Shaun Colley
              Email: shaunige@...oo.co.uk
              WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

"Invision Power Board offers many useful features that
will have your members coming back for more. Use the
inbuilt searchable help system to build your own FAQ's
and keep your members updated on future events with
the handy calendar. Create or import different skin
sets to allow your members to choose a style they
like.
Entice posting from returning members with the group
promotion feature, reward loyal members with custom
member titles and neat ranks and icons. Of course,
power is nothing without control, which is why
Invision Power Board has a comprehensive and intuitive
administration control panel..." - From the vendor's
website (http://www.invisionboard.com).

Unfortunately, Invision Power Board 1.3 Final (and
probably earlier versions) discloses the local path of
the forum software and the htdocs directory, allowing
an attacker to learn where the board is installed on
the server.



The bug
########

In the "My Controls" section of the board, the user is
given the option of changing their "Personal Photo". 
This feature of the board can be accessed by loading
this URL:

http://www.example.com/forum/index.php?act=UserCP&CODE=photo

On that page, the member can type in (or Browse to)
the location of their personal photo on their hard
disk, for uploading.  However, if the name of a file
which is not an actual image file is typed into the
box, and the "Update Photo" button is pressed, the
following PHP warning message is displayed:

"Warning: getimagesize(): Read error! in
/home/admin/public_html/forum/sources/lib/usercp_functions.php
on line 192"

Or similar, depending on where the board is actually
located.  This is a minor security risk, as it gives
an attacker information which could help in a later
attack.



The exploit
############

To exploit this vulnerability, the following steps
need to be taken:

---
1) Visit this URL:
<http://www.example.com/forum/index.php?act=UserCP&CODE=photo>

2) Type an invalid filename into the box labelled "OR
upload a new image from your computer", e.g. "a"
(without quotes).

3) The message "Warning: getimagesize(): Read error!
in
/home/admin/public_html/forum/sources/lib/usercp_functions.php
on line 192" is displayed.  The member simply needs to
save the information for later, for use during a
potential attack.



The fix
########

No solution exists as of yet.

I have contacted the vendor, InvisionBoard, and expect
a response soon.  As soon as I receive a response
containing information regarding a fix for this minor
issue, I will inform the community.



Credit
#######

This vulnerability was discovered by shaun2k2 / Shaun
Colley.


Shouts:
########

Shouts go to Governmentsecurity.org, houseofmaveric,
rider4life, eclipse, hackcanada.





Thank you for your time.
Shaun.
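
For administrators checking their own board for this leak, the following added example (not part of the original advisory or the vendor's code) scans an HTTP response body for PHP error messages that reveal an absolute file path. The function name and the sample responses are constructed for illustration.

```python
import html
import re

# PHP's default error line, after markup is stripped and whitespace collapsed:
#   Warning: getimagesize(): Read error! in /path/to/file.php on line 192
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s+"
    r"(?P<message>.+?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])\S+?)\s+on line\s+(?P<line>\d+)"
)
TAG = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one dict per PHP error message in `body` that leaks an absolute path."""
    # Errors may arrive as "<b>Warning</b>: ... in <b>/path</b> on line <b>N</b>"
    # or wrapped over several lines; normalise both to a single plain-text line.
    text = " ".join(html.unescape(TAG.sub("", body)).split())
    findings = []
    for m in PHP_ERROR.finditer(text):
        path = m.group("path")
        sep = "\\" if "\\" in path else "/"
        findings.append({
            "level": m.group("level"),
            "message": m.group("message"),
            "path": path,
            "directory": path.rsplit(sep, 1)[0],  # install directory revealed
            "line": int(m.group("line")),
        })
    return findings


# Constructed sample responses: the advisory's warning in PHP's HTML error format,
# and a normal page with no error output.
LEAKY_RESPONSE = (
    "<html><body><br />\n<b>Warning</b>:  getimagesize(): Read error! in "
    "<b>/home/admin/public_html/forum/sources/lib/usercp_functions.php</b> "
    "on line <b>192</b><br />\n</body></html>"
)
CLEAN_RESPONSE = "<html><body><p>Your photo has been updated.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        hits = find_path_disclosures(body)
        print(name, [(h["path"], h["line"]) for h in hits] or "no path disclosed")
```

Where the scan reports a finding, setting PHP's display_errors to Off and log_errors to On keeps the warning in the server log and out of the response.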


	
	
		