Fast translation of benji's advisory ******************************************************************************* Author : benjilenoob WebSite : http://benji.redkod.org/ and http://www.redkod.org/ Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf Product : Invision power board Version : 2.1 Tisk : Low. XSS I- XSS non critical: -------------------- 1. Input passed to the $address variable isn't properly verified in the administrative section. This can be exploited by providing a valid login, and javascript code in the variable. The code will be executed in a user's browser session in context of an affected site. PoC: http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete This could be exploited to steal cookie information. 2. Input passed to the "ACP Notes" textarea field in the administrative section isn't properly verified. This can be exploited to insert javascript code in the notes. The code will be executed in a user's browser session in context of an affected site. PoC: </textarea>'"/><script>alert(document.cookie)</script> 3. Input passed to the "Member's Log In User Name", "Member's Display Name", "Email Address contains...", "IP Address contains...", "AIM name contains...", "ICQ Number contains...", "Yahoo! Identity contains...", "Signature contains...", "Less than n posts", "Registered Between (MM-DD-YYYY)", "Last Post Between (MM-DD-YYYY)" and "Last Active Between (MM-DD-YYYY)" members profiles parameters in the administrative section isn't properly verified. This can be exploited to insert javascript code. 4. Non-permanent XSS: http://localhost/2p1p0b3/upload/admin.php?adsess=[id]§ion=content&act=forum&code=new&name=[xss] 5. Non-permanent XSS after administrative login: http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss] 6. Input passed to the "description" field of a "Component" in the "Components" section of the administrative section isn't properly verified. This can be exploited to insert javascript code. PoC: </textarea>'"/><script>alert()</script> 7. Input passed to the "Member Name", "Password", "Email Address" fields of a new member's profile in the administrative section isn't properly verified. This can be exploited to insert javascript code. 8. Input passed to the "Group Icon Image" field of a new Group in the administrative section isn't properly verified. This can be exploited to insert javascript code. 9. Input passed to the "Calendar: Title" of a new Calendar in the administrative section isn't properly verified. This can be exploited to insert javascript code. Benji Team RedKod http://www.redkod.org/ ******************************************************************************* Regards, /JA http://www.securinfos.info
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature