OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Invision Power Board 2.1 : Multiple XSS Vulnerabilities

From: Jerome Athias (jerome.athiasfree.fr)
Date: Sun Nov 06 2005 - 02:55:54 CST


Fast translation of benji's advisory
*******************************************************************************

Author : benjilenoob
WebSite : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf

Product : Invision power board
Version : 2.1
Tisk : Low. XSS

I- XSS non critical:
--------------------

1. Input passed to the $address variable isn't properly verified in
the administrative section.
    This can be exploited by providing a valid login, and javascript
code in the variable.
    The code will be executed in a user's browser session in context of
an affected site.
  
   PoC:
  
http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete
  
  
   This could be exploited to steal cookie information.

2. Input passed to the "ACP Notes" textarea field in the administrative
section isn't properly verified.
    This can be exploited to insert javascript code in the notes.
    The code will be executed in a user's browser session in context of
an affected site.
   
    PoC:

   </textarea>'"/><script>alert(document.cookie)</script>

3. Input passed to the "Member's Log In User Name", "Member's Display
Name", "Email Address contains...", "IP Address contains...",
   "AIM name contains...", "ICQ Number contains...", "Yahoo! Identity
contains...", "Signature contains...",
   "Less than n posts", "Registered Between (MM-DD-YYYY)", "Last Post
Between (MM-DD-YYYY)" and
   "Last Active Between (MM-DD-YYYY)" members profiles parameters in the
administrative section isn't properly verified.
   This can be exploited to insert javascript code.

4. Non-permanent XSS:
  
http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:
   http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the "description" field of a "Component" in the
"Components" section of the administrative section isn't properly verified.
    This can be exploited to insert javascript code.

    PoC:
   
   </textarea>'"/><script>alert()</script>

7. Input passed to the "Member Name", "Password", "Email Address" fields
of a new member's profile in the administrative section isn't properly
verified.
    This can be exploited to insert javascript code.

8. Input passed to the "Group Icon Image" field of a new Group in the
administrative section isn't properly verified.
   This can be exploited to insert javascript code.

9. Input passed to the "Calendar: Title" of a new Calendar in the
administrative section isn't properly verified.
    This can be exploited to insert javascript code.

Benji
Team RedKod
http://www.redkod.org/

*******************************************************************************

Regards,
/JA

http://www.securinfos.info