[41081] in bugtraq


Invision Power Board 2.1 : Multiple XSS Vulnerabilities

daemon@ATHENA.MIT.EDU (Jerome Athias)
Mon Nov 7 19:16:28 2005

Message-ID: <436DC51A.3040607@free.fr>
Date: Sun, 06 Nov 2005 09:55:54 +0100
From: Jerome Athias <jerome.athias@free.fr>
MIME-Version: 1.0
To: benjilenoob@hotmail.com
Cc: bugtraq@securityfocus.com
In-Reply-To: <20051104213536.16465.qmail@securityfocus.com>

Fast translation of benji's advisory
*******************************************************************************

Author : benjilenoob
WebSite : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf

Product : Invision power board
Version : 2.1
Risk : Low. XSS

I- XSS non critical:
--------------------

1. Input passed to the $address variable isn't properly verified in
   the administrative section.
   This can be exploited by providing a valid login, and JavaScript
   code in the variable.
   The code will be executed in a user's browser session in the context
   of an affected site.

   PoC:

   http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete

   This could be exploited to steal cookie information.

2. Input passed to the "ACP Notes" textarea field in the administrative
   section isn't properly verified.
   This can be exploited to insert JavaScript code in the notes.
   The code will be executed in a user's browser session in the context
   of an affected site.

   PoC:

   </textarea>'"/><script>alert(document.cookie)</script>

3. Input passed to the "Member's Log In User Name", "Member's Display
   Name", "Email Address contains...", "IP Address contains...",
   "AIM name contains...", "ICQ Number contains...", "Yahoo! Identity
   contains...", "Signature contains...", "Less than n posts",
   "Registered Between (MM-DD-YYYY)", "Last Post Between (MM-DD-YYYY)" and
   "Last Active Between (MM-DD-YYYY)" member profile parameters in the
   administrative section aren't properly verified.
   This can be exploited to insert JavaScript code.

4. Non-permanent XSS:

   http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:

   http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the "description" field of a "Component" in the
   "Components" section of the administrative section isn't properly
   verified.
   This can be exploited to insert JavaScript code.

   PoC:

   </textarea>'"/><script>alert()</script>

7. Input passed to the "Member Name", "Password" and "Email Address"
   fields of a new member's profile in the administrative section isn't
   properly verified.
   This can be exploited to insert JavaScript code.

8. Input passed to the "Group Icon Image" field of a new Group in the
   administrative section isn't properly verified.
   This can be exploited to insert JavaScript code.

9. Input passed to the "Calendar: Title" of a new Calendar in the
   administrative section isn't properly verified.
   This can be exploited to insert JavaScript code.

Benji
Team RedKod
http://www.redkod.org/

*******************************************************************************

Regards,
/JA

http://www.securinfos.info
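From the defender's side, as an added illustration that is not code from the advisory or from Invision Power Board: the textarea break-out in items 2 and 6 and the reflected name/description parameters in items 4 and 5 are one class of bug, untrusted input written into HTML without output encoding. The PHP below assumes a plain echo-style template (IPB is a PHP application) and shows the vulnerable rendering beside the encoded form, with a check a test suite could keep.

```php
<?php
// Added example, not Invision Power Board code: the same admin-supplied
// values rendered once without encoding and once with it.

// Constructed inputs: the "ACP Notes" break-out string from the advisory
// and a forum "name" value that closes a quoted attribute.
$notes = '</textarea>\'"/><script>alert(document.cookie)</script>';
$name  = '"><script>alert(1)</script>';

// Vulnerable pattern: raw interpolation into the markup. In $notes the
// literal </textarea> ends the element early, so the rest is parsed as
// HTML; in $name the leading " ends the value attribute.
function render_unsafe(string $notes, string $name): string
{
    return "<textarea name=\"notes\">$notes</textarea>\n"
         . "<input type=\"text\" name=\"name\" value=\"$name\">";
}

// Hardened pattern: encode at the point of output for the HTML context.
// ENT_QUOTES converts both ' and " (needed inside quoted attributes);
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $notes, string $name): string
{
    return "<textarea name=\"notes\">" . h($notes) . "</textarea>\n"
         . "<input type=\"text\" name=\"name\" value=\"" . h($name) . "\">";
}

// Regression check: after encoding, the untrusted values can no longer
// open a tag or close the textarea they sit in (only the template's own
// closing tag remains).
function breaks_out(string $html): bool
{
    return strpos($html, '<script') !== false
        || substr_count($html, '</textarea>') !== 1;
}

echo render_unsafe($notes, $name), "\n\n";
echo render_safe($notes, $name), "\n\n";
var_dump(breaks_out(render_unsafe($notes, $name)));
var_dump(breaks_out(render_safe($notes, $name)));
```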


