Message-ID: <011901ca7c2e$658734e0$010000c0@ml>
Date: Sun, 13 Dec 2009 21:55:57 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cross-Site Scripting vulnerabilities in Invision Power Board

Hello Full-Disclosure!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. The attack is carried out via 
an attachment (when the attachment in a forum post, or a link to it, is 
clicked). These are persistent XSS vulnerabilities.

I have known for a long time about the possibility of attacks via swf files. 
So many years ago I turned off support for swf files in attachments (and in 
avatars and photos). At the beginning of 2008 I also wrote about an XSS 
vulnerability in IPB (http://websecurity.com.ua/1893/) via embedded flash 
files and released a fix for it in my MustLive Security Pack 
(http://websecurity.com.ua/1896/).

In 2008 a Cross-Site Scripting vulnerability was found in IPB 
(http://securityvulns.ru/Tdocument862.html) via htm and html files in 
attachments. It concerned Internet Explorer, in which the code executed in 
the context of the site (in Mozilla and Firefox the code executed locally). 
But as I checked on 12.12.2009, in Opera the code also executes in the 
context of the site.

And recently a new XSS vulnerability was found in IPB 
(http://securityvulns.ru/Wdocument899.html), this time via txt files, which 
concerns Internet Explorer. In the case of htm, html and txt files (and also 
the php, rtf and xml files mentioned below), the best protection against XSS 
is to turn off support for them at the forum (as with swf files).

On 12.12.2009 I found new Cross-Site Scripting vulnerabilities in Invision 
Power Board. The attack is carried out via php, rtf and xml files (in 
attachments).

The following attacks are possible:

1. Attack via uploading php files with JavaScript code. Works in IE and 
Opera in the context of the site. In the Mozilla and Firefox browsers the 
file will open locally (not in the context of the site) when the user 
selects to open it in the browser. Accordingly, in the case of attacks via 
htm, html and php files in Mozilla and Firefox, which open them locally (when 
the user selects this in the dialog window), an attack on the user's local 
computer is possible.

2. Attack via uploading rtf files with JavaScript code. Works only in 
Internet Explorer.

3. Attack via uploading xml files with JavaScript code. Works in Mozilla, 
Firefox, Opera and Chrome (but without access to cookies).

XSS:

For attacks via htm, html, php, rtf and txt files, it is necessary to create 
a file with the following content (and upload it as an attachment to the 
forum):

<script>alert(document.cookie)</script>

I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x 
(particularly for txt), 2.x and 3.0.x must be vulnerable. The author of the 
advisory about the attack via txt files noted that there are filters against 
XSS during uploading of files in IPB 3.0.4, but they can be bypassed.
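The post recommends refusing the affected file types as attachments outright, and notes that content filters alone (as in IPB 3.0.4) can be bypassed. The following is an added example, not code from the post or from Invision Power Board, of how a forum's upload handler can enforce that advice: an extension allow list in which the types named above (htm, html, php, rtf, txt, xml, swf) can never appear, a secondary scan of the leading bytes for markup a sniffing browser might render, and the response headers that make an accepted file download instead of rendering in the site's origin. The allow list, the `Decision` type and the helper names are assumptions for the example; the sample uploads are constructed, with the one payload taken from the post.

```python
import re
from dataclasses import dataclass, field

# Extensions the post names as XSS vectors when a browser opens them from the
# forum's origin. These are refused as attachments regardless of content.
ACTIVE_CONTENT_EXTENSIONS = {"htm", "html", "php", "rtf", "txt", "xml", "swf"}

# Extensions this example forum accepts (a constructed allow list, an assumption).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "zip"}

# Markup that a browser could execute if the file were rendered as a document.
ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|iframe|object|embed|svg)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)

# Number of leading bytes a sniffing browser inspects when guessing a type
# (a round figure chosen for this example).
SNIFF_WINDOW = 512


@dataclass
class Decision:
    accepted: bool
    reason: str
    headers: dict = field(default_factory=dict)


def extension_of(filename: str) -> str:
    """Last dot-separated part of the base name, lower-cased ('a.jpg.html' -> 'html')."""
    base = re.split(r"[/\\]", filename)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def download_headers(filename: str) -> dict:
    """Response headers for serving a stored attachment as a download only."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "attachment"
    return {
        # Fixed binary type: the browser has no reason to treat it as HTML.
        "Content-Type": "application/octet-stream",
        # Tell the browser not to second-guess that type by sniffing the body.
        "X-Content-Type-Options": "nosniff",
        # Force a download rather than inline rendering in the forum's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def check_attachment(filename: str, data: bytes) -> Decision:
    """Decide whether an uploaded file may be stored, and how to serve it."""
    ext = extension_of(filename)
    if ext in ACTIVE_CONTENT_EXTENSIONS:
        return Decision(False, f"extension '{ext}' is active content and is not accepted")
    if ext not in ALLOWED_EXTENSIONS:
        return Decision(False, f"extension '{ext}' is not on the allow list")
    # Defence in depth: even an allowed type is rejected if its leading bytes
    # look like markup, since a sniffing browser may render it as HTML.
    if ACTIVE_MARKERS.search(data[:SNIFF_WINDOW]):
        return Decision(False, "file body starts with browser-executable markup")
    return Decision(True, "accepted", download_headers(filename))


if __name__ == "__main__":
    # Constructed sample uploads; the payload is the one quoted in the post.
    payload = b"<script>alert(document.cookie)</script>"
    samples = [
        ("notes.txt", payload),
        ("page.html", payload),
        ("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("disguised.png", payload),
    ]
    for name, body in samples:
        d = check_attachment(name, body)
        print(f"{name:15} accepted={d.accepted} ({d.reason})")
```

The extension check is the part that actually closes the issue the post describes: the content scan only catches the obvious markup and, as the post's remark about the 3.0.4 filters shows, a scan on its own is a weak defence. The download headers matter for files that are accepted, since the browser behaviour the post relies on (rendering the attachment in the forum's origin) is exactly what `Content-Disposition: attachment` with a fixed binary type prevents.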

I checked in the following browsers: Internet Explorer 6 (6.0.2900.2180), 
Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome 
1.0.154.48.

I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/3764/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
