exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Invision Power Board 3.0.4 Cross Site Scripting

Invision Power Board 3.0.4 Cross Site Scripting
Posted Dec 10, 2009
Authored by Xacker

Invision Power Board versions 2.x through 3.0.4 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 8a46e76274f2800f27e3d9e865aa8fa9c1fdc028ba434775bd668a0212368029

Invision Power Board 3.0.4 Cross Site Scripting

Change Mirror Download
[+] Invision Power Board XSS vulnerability

Software : Invision Power Board (IPB)
Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
Remote : Yes
Required : Internet Explorer +5.0
Vendor : http://www.invisionpower.com/
Download : Commercially available
Author : Xacker
Contact : N/A
Blog : http://xacker.wordpress.com
Website : N/A


[+] Technical details

IP.Board is prone to XSS attacks through maliciously crafted *.txt
files attachments. An attacker has to convince a user to view the
malicious file in order to run the evil code.

The only browser found affected is Internet Explorer +5.0, other
browsers (FF/Chrome/Opera..) seems to handle the issue correctly (or
simply blindly?)

IP.Board v2.x set the MIME-type of *.txt files to
(application/x-dirview). If the *.txt file contains JavaScript/HTML it
will simply be parsed on IE +5.

IP.Board v3.0.4 (and prior) seems to check the content of the files
before permitting them, tags like "<body> , <script> , etc.." are
flagged *dangerous* any file containing any of them simply fail to be
uploaded. The filter itself is weak, to escape it I provide a
proof-of-concept code below.


[+] Exploit

--------------------------------->8---------------------------------
<span onmouseover="javascript:alert('XSS');function
fakeLoginPage(){...}">move your mouse pointer here</span>
---------------------------------8<---------------------------------

fakeLoginPage() function can be used to rewrite the whole page,
faking a login page through an embedded iframe.


[+] Fix

Simply change MIME-type of *.txt files (and any other similar
formats) to (text/plain).


[+] Note

IP.Board technical staff has been notified of the issue and a fix has
been released couple of days ago:
http://community.invisionpower.com/topic/300051-invision-power-board-305-released/
Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close