lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <436DC51A.3040607@free.fr>
Date: Sun, 06 Nov 2005 09:55:54 +0100
From: Jerome Athias <jerome.athias@...e.fr>
To: benjilenoob@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Invision Power Board 2.1 : Multiple XSS Vulnerabilities

Fast translation of benji's advisory
*******************************************************************************

Author : benjilenoob
WebSite : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf

Product : Invision power board
Version : 2.1
Risk : Low. XSS

I- XSS non critical:
--------------------

1. Input passed to the $address variable isn't properly verified in
   the administrative section.
   This can be exploited by providing a valid login, and javascript
   code in the variable.
   The code will be executed in a user's browser session in the context
   of an affected site.

   PoC:

   http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete

   This could be exploited to steal cookie information.

2. Input passed to the "ACP Notes" textarea field in the administrative
   section isn't properly verified.
   This can be exploited to insert javascript code in the notes.
   The code will be executed in a user's browser session in the context
   of an affected site.

   PoC:

   </textarea>'"/><script>alert(document.cookie)</script>

3. Input passed to the "Member's Log In User Name", "Member's Display
   Name", "Email Address contains...", "IP Address contains...",
   "AIM name contains...", "ICQ Number contains...", "Yahoo! Identity
   contains...", "Signature contains...", "Less than n posts",
   "Registered Between (MM-DD-YYYY)", "Last Post Between (MM-DD-YYYY)" and
   "Last Active Between (MM-DD-YYYY)" member profile parameters in the
   administrative section aren't properly verified.
   This can be exploited to insert javascript code.

4. Non-permanent XSS:

   http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:

   http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the "description" field of a "Component" in the
   "Components" section of the administrative section isn't properly verified.
   This can be exploited to insert javascript code.

   PoC:

   </textarea>'"/><script>alert()</script>

7. Input passed to the "Member Name", "Password" and "Email Address" fields
   of a new member's profile in the administrative section isn't properly
   verified.
   This can be exploited to insert javascript code.

8. Input passed to the "Group Icon Image" field of a new Group in the
   administrative section isn't properly verified.
   This can be exploited to insert javascript code.

9. Input passed to the "Calendar: Title" of a new Calendar in the
   administrative section isn't properly verified.
   This can be exploited to insert javascript code.

Benji
Team RedKod
http://www.redkod.org/

*******************************************************************************

Regards,
/JA

http://www.securinfos.info
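An added defensive example, not part of the advisory or of Invision Power Board's code: output-encoding the values the admin panel echoes back (the stored "ACP Notes"/"Component" textareas and the reflected name= parameter) so that the textarea breakout payloads quoted in items 2 and 6 render as inert text. Function names and the template markup are assumed for illustration; the payload strings are the advisory's own PoCs.

```javascript
// Added example (not from the advisory or IPB): escape values at the point of
// output so the textarea/attribute breakouts described above cannot occur.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can change meaning in HTML text, inside a quoted
// attribute, or inside a <textarea> (where a literal "</textarea" ends the element).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern the advisory describes: raw interpolation of a stored note.
function renderNotesUnsafe(notes) {
  return `<textarea name="acp_notes">${notes}</textarea>`;
}

// Corrected rendering: the same template, with the value escaped on output.
function renderNotesSafe(notes) {
  return `<textarea name="acp_notes">${escapeHtml(notes)}</textarea>`;
}

// Reflected case (the name=[xss] parameter): the value lands in a quoted attribute.
function renderForumNameSafe(name) {
  return `<input type="text" name="name" value="${escapeHtml(name)}">`;
}

// Count tag openers in rendered markup; a safe template yields only its own tags.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed inputs: the advisory's PoC payloads from items 2 and 6.
const ACP_NOTES_POC = `</textarea>'"/><script>alert(document.cookie)</script>`;
const COMPONENT_POC = `</textarea>'"/><script>alert()</script>`;

console.log(countTags(renderNotesUnsafe(ACP_NOTES_POC))); // 5: template tags plus the injected ones
console.log(countTags(renderNotesSafe(ACP_NOTES_POC)));   // 2: only the template's own textarea tags
```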

