lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Dec 2009 09:50:13 +0200
From: Xacker <>
Subject: IPB v2.x up to 3.0.4 XSS vulnerability

[+] Invision Power Board XSS vulnerability

	Software : Invision Power Board (IPB)
	Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
	Remote   : Yes
	Required : Internet Explorer +5.0
	Vendor   :
	Download : Commercially available
	Author   : Xacker
	Contact  : N/A
	Blog     :
	Website  : N/A

[+] Technical details

	IP.Board is prone to XSS attacks through maliciously crafted *.txt
files attachments. An attacker has to convince a user to view the
malicious file in order to run the evil code.

	The only browser found affected is Internet Explorer +5.0, other
browsers (FF/Chrome/Opera..) seems to handle the issue correctly (or
simply blindly?)

	IP.Board v2.x set the MIME-type of *.txt files to
(application/x-dirview). If the *.txt file contains JavaScript/HTML it
will simply be parsed on IE +5.

	IP.Board v3.0.4 (and prior) seems to check the content of the files
before permitting them, tags like "<body> , <script> , etc.." are
flagged *dangerous* any file containing any of them simply fail to be
uploaded. The filter itself is weak, to escape it I provide a
proof-of-concept code below.

[+] Exploit

	<span onmouseover="javascript:alert('XSS');function
fakeLoginPage(){...}">move your mouse pointer here</span>

	fakeLoginPage() function can be used to rewrite the whole page,
faking a login page through an embedded iframe.

[+] Fix

	Simply change MIME-type of *.txt files (and any other similar
formats) to (text/plain).

[+] Note

	IP.Board technical staff has been notified of the issue and a fix has
been released couple of days ago:

Powered by blists - more mailing lists