[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cross-Site Scripting vulnerabilities in Invision Power Board

Hello Bugtraq!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. Attack is going via attachment (at click on the attachment in the post at forum or on the link to this attachment). These are persistent XSS vulnerabilities.

I know for a long time about possibility of attacks via swf-files. So many years ago I turned off support of swf-files in attachments (and in avatars and photos). Also I wrote at beginning of 2008 about XSS vulnerability in IPB (http://websecurity.com.ua/1893/) via embedded flash files and released fix for it in my MustLive Security Pack (http://websecurity.com.ua/1896/).

In 2008 there was found Cross-Site Scripting vulnerability in IPB (http://securityvulns.ru/Tdocument862.html) via htm and html files in attachments. It was concerned Internet Explorer, in which a code was executing in context of the site (in Mozilla and Firefox a code was executing locally). But as I checked at 12.12.2009, in Opera a code also is executing in context of the site.

And recently there was found new XSS vulnerability in IPB (http://securityvulns.ru/Wdocument899.html), this time via txt-files. Which concerns Internet Explorer. In case of htm, html and txt-files (and also below-mentioned php, rtf and xml-files) the best method of protection against XSS is turning off of their support at forum (similarly to swf-files).

At 12.12.2009 I found new Cross-Site Scripting vulnerabilities in Invision Power Board. Attack is going via files php, rtf and xml (in attachments).

There are possible next attacks:

1. Attack via uploading php-files with JavaScript code. Works in IE and Opera in context of the site. In browsers Mozilla and Firefox file will open locally (not in context of the site) at selecting open in browser. Accordingly in case of attack via htm, html and php files at browsers Mozilla and Firefox, which open them locally (at selecting in dialog window by user), attack at local computer of the user it possible.

2. Attack via uploading rtf-files with JavaScript code. Works only in Internet Explorer.

3. Attack via uploading xml-files with JavaScript code. Works in Mozilla, Firefox, Opera and Chrome (but without access to cookies).


For attacks via htm, html, php, rtf and txt-files, it's needed to create a file with next content (and upload it as attachment to forum):


I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x (particularly for txt), 2.x and 3.0.x must be vulnerable. Author of advisory about attack via txt-files noted, that there are filters against XSS during uploading of the files in IPB 3.0.4, but they can be bypassed.

I made checking in next browsers: Internet Explorer 6 (6.0.2900.2180), Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/3764/).

Best wishes & regards,
Administrator of Websecurity web site