
Invision Power Board 1.3 Final Path Disclosure Vulnerability



~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product:      Invision Power Board
              http://www.invisionboard.com
Versions:     1.3 Final (and probably lower)     
Bug:          Disclosure of install path
Impact:       Attacker learns the local install
              path of Invision Power Board and the
              htdocs
Date:         March 05, 2004
Author:       Shaun Colley
              Email: shaunige@xxxxxxxxxxx
              WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

"Invision Power Board offers many useful features that
will have your members coming back for more. Use the
inbuilt searchable help system to build your own FAQ's
and keep your members updated on future events with
the handy calendar. Create or import different skin
sets to allow your members to choose a style they
like.
Entice posting from returning members with the group
promotion feature, reward loyal members with custom
member titles and neat ranks and icons. Of course,
power is nothing without control, which is why
Invision Power Board has a comprehensive and intuitive
administration control panel..." - From the vendor's
website (http://www.invisionboard.com).

Unfortunately, Invision Power Board 1.3 Final (and
probably earlier versions) is vulnerable to path
disclosure of the forum software and the htdocs,
allowing an attacker to discover the local path
information.



The bug
########

In the "My Controls" section of the board, the user is
given the option of changing their "Personal Photo". 
This feature of the board can be accessed by loading
this URL:

http://www.example.com/forum/index.php?act=UserCP&CODE=photo

On that page, the member can type (or browse to) the
location of their personal photo on their hard disk,
for uploading.  However, if the name of a file which is
not an actual image file is typed into the box, and the
"Update Photo" button is pressed, the following PHP
warning message is displayed:

"Warning: getimagesize(): Read error! in
/home/admin/public_html/forum/sources/lib/usercp_functions.php
on line 192"

Or similar, depending on where the board is actually
located.  This is a minor security risk, as it could
allow an attacker to gain information which could help
him leverage an attack later.
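
A check an administrator can run over saved responses
from their own board to spot this kind of leak, as an
added example that is not part of the original advisory.
It generalizes from the getimagesize() warning to any PHP
error in the default "in <file> on line <n>" format; the
function names and sample pages are constructed for
illustration.

```python
import re

# PHP's default error text: "<Level>: <message> in <file> on line <n>".
# With html_errors enabled the level, file and line are wrapped in <b> tags.
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:\s+"
    r"(?P<message>.{0,300}?)\s+in\s+(?:<b>)?"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s<>]+)"      # absolute Unix or Windows path
    r"(?:</b>)?\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)

def find_path_disclosures(body):
    """Return one dict per PHP error in body that leaks an absolute path."""
    return [
        {
            "level": m.group("level"),
            "message": " ".join(m.group("message").split()),
            "path": m.group("path"),
            "line": int(m.group("line")),
        }
        for m in PHP_ERROR.finditer(body)
    ]

def scan_pages(pages):
    """Map each URL whose body leaks a path to its list of findings."""
    report = {}
    for url, body in pages.items():
        hits = find_path_disclosures(body)
        if hits:
            report[url] = hits
    return report

# Constructed sample responses (URL -> body). The first reuses the warning
# quoted in the advisory; the second path and the third body are made up.
SAMPLE_PAGES = {
    "/forum/index.php?act=UserCP&CODE=photo":
        "Warning: getimagesize(): Read error! in\n"
        "/home/admin/public_html/forum/sources/lib/usercp_functions.php\n"
        "on line 192",
    "/forum/html-errors-on":
        "<br />\n<b>Warning</b>:  getimagesize(): Read error! in "
        "<b>/var/www/example/forum/lib.php</b> on line <b>7</b><br />",
    "/forum/clean": "<p>Warning: do not post spam in this forum.</p>",
}

if __name__ == "__main__":
    for url, hits in scan_pages(SAMPLE_PAGES).items():
        for h in hits:
            print(f"{url}: {h['level']} leaks {h['path']} (line {h['line']})")
```

A hit means the server is rendering PHP errors into
pages; setting display_errors = Off and log_errors = On
in php.ini sends the same message to the error log
instead.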



The exploit
############

To exploit this vulnerability, the following steps
need to be taken:

---
1) Visit this URL:
<http://www.example.com/forum/index.php?act=UserCP&CODE=photo>

2) Type an invalid filename into the box labelled "OR
upload a new image from your computer", e.g. "a"
(without quotes).

3) The message "Warning: getimagesize(): Read error!
in
/home/admin/public_html/forum/sources/lib/usercp_functions.php
on line 192" is displayed.  The member simply needs to
save the information for later, for use during a
potential attack.



The fix
########

No solution exists as of yet.

I have contacted the vendor, InvisionBoard, and expect
a response soon.  As soon as I receive a response
containing information regarding a fix for this minor
issue, I will inform the community.



Credit
#######

This vulnerability was discovered by shaun2k2 / Shaun
Colley.


Shouts:
########

Shouts go to Governmentsecurity.org, houseofmaveric,
rider4life, eclipse, hackcanada.





Thank you for your time.
Shaun.


        
        
                