Suscripción al boletín mensual de elhacker.net
Autor
Bueno, el advisory original del foro de governmentsecurity:
************************************
Código:
Invision Power Board URL Parameter Input Validation Error Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013863
SecurityTracker URL: http://securitytracker.com/id?1013863
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: May 2 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 2.0.3, 2.1 Alpha 2
Description: Arron Ward from GovernmentSecurity.org reported an input validation vulnerability in Invision Power Board. A remote user can conduct cross-site scripting attacks.
The forum software does not properly validate user-supplied input in certain URL parameters. A remote user can create a specially crafted URL that, when loaded by an authenticated target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Invision Power Board software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target]/index.php?act='><script>alert(document.cookie)</script>
Internet Explorer users are affected. Some other browsers do not execute the resulting HTML.
Other parameters are also affected.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.invisionboard.com/ (Links to External Site)
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "arron ward" <deadlink@elitemail.org>
Message History: None.
Source Message Contents
==================================
Invision Xss reveals Cookie and session details
by adding = to a script input , on any page can reveal logged in user
cookie and session details including hashes... details below
note:you must be a member for this to work !!
Vendor:http://www.invisionboard.com/
Notified = Yes
29/4/2005
Tested on
IPB 2.0.3
IPB 2.1 Alpha 2
not tested on other versions but i expect they will be vuln also
Tested this on IPB main website forum and it is fully working
also notifed IPB Admin via Private Message
Details:
here is the scripts this will work on various pages for instance : using
IE
Example visit:
http://forums.invisionpower.com/index.php?act
Now by adding an a equal = and script messsage , in this case to reveal
cookies and session path details including user hash ...
='><script>alert(document.cookie)</script>
so XSS full url is :
http://forums.invisionpower.com/index.php?...</script>
again this will work on multipule urls...examples follow
/forum/index.php?act=Members='><script>alert(document.cookie)</script>
/forum/index.php?act='><script>alert(document.cookie)</script>
/forum/index.php?act=calendar='><script>alert(document.cookie)</script>
/forum/index.php?act=Help&CODE=01&HID='><script>alert(document.cookie)</script>
and so on...
regards
ComSec
SecurityTracker Alert ID: 1013863
SecurityTracker URL: http://securitytracker.com/id?1013863
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: May 2 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 2.0.3, 2.1 Alpha 2
Description: Arron Ward from GovernmentSecurity.org reported an input validation vulnerability in Invision Power Board. A remote user can conduct cross-site scripting attacks.
The forum software does not properly validate user-supplied input in certain URL parameters. A remote user can create a specially crafted URL that, when loaded by an authenticated target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Invision Power Board software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target]/index.php?act='><script>alert(document.cookie)</script>
Internet Explorer users are affected. Some other browsers do not execute the resulting HTML.
Other parameters are also affected.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Invision Power Board software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.invisionboard.com/ (Links to External Site)
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "arron ward" <deadlink@elitemail.org>
Message History: None.
Source Message Contents
==================================
Invision Xss reveals Cookie and session details
by adding = to a script input , on any page can reveal logged in user
cookie and session details including hashes... details below
note:you must be a member for this to work !!
Vendor:http://www.invisionboard.com/
Notified = Yes
29/4/2005
Tested on
IPB 2.0.3
IPB 2.1 Alpha 2
not tested on other versions but i expect they will be vuln also
Tested this on IPB main website forum and it is fully working
also notifed IPB Admin via Private Message
Details:
here is the scripts this will work on various pages for instance : using
IE
Example visit:
http://forums.invisionpower.com/index.php?act
Now by adding an a equal = and script messsage , in this case to reveal
cookies and session path details including user hash ...
='><script>alert(document.cookie)</script>
so XSS full url is :
http://forums.invisionpower.com/index.php?...</script>
again this will work on multipule urls...examples follow
/forum/index.php?act=Members='><script>alert(document.cookie)</script>
/forum/index.php?act='><script>alert(document.cookie)</script>
/forum/index.php?act=calendar='><script>alert(document.cookie)</script>
/forum/index.php?act=Help&CODE=01&HID='><script>alert(document.cookie)</script>
and so on...
regards
ComSec
En línea
