Invision Board spoof and defacement

From: Daniel Boland (DCBolandat_private)
Date: Sun Aug 03 2003 - 17:29:46 PDT

    -INTRO-
    All versions of Invision Board have a flaw in their
    input filtering that allows an attacker to break the
    forum's rendered layout (defacement), and in one case I
    managed to change the URL of some of the forum links,
    which could be used to refer users to fake login sites
    to collect passwords etc.
    
    -VENDOR STATUS-
    The vendor hasn't been notified because of their
    handling of previous vulnerabilities I found in Invision
    Board; instead I wrote a patch myself.
    
    -EXPLANATION-
    The problem is with the IBF tags used to enhance forum
    posts. For example, [IMG]www.example.com/some.gif[/IMG]
    is parsed into the HTML that includes an image in the
    post. Each tag is converted separately, and the [QUOTE]
    tag is converted before the [IMG] tag, so when two tags
    overlap, e.g.
    [QUOTE]bla
    [IMG]http://www.example.com/some.gif[/QUOTE]some.gif[/IMG]
    the quote's closing HTML is left sitting between [IMG]
    and [/IMG], and the image parser then copies it into the
    image's src attribute. In the final page the quote is
    never closed, so the rest of the document is rendered as
    a quote inside the attacker's post. So far this is
    defacement but nothing major; however, a slight
    variation of the above would be:
    [IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG]
    [/QUOTE]
    Now the quote's opening HTML is what ends up inside the
    src attribute, so instead of leaving a quote open we
    close a quote that was never opened. That closing tag
    closes whatever container surrounds the post, 'escaping'
    out of our post area, and the markup that follows can
    spoof the forum's own links.
    
    -PATCH-
    A patch for this is simple: add a check to the [IMG]
    parser function that rejects any URL containing one of
    the following symbols:
    <>[]
    Since user text is HTML-escaped before the tags are
    parsed, a '<' or '>' inside an [IMG] URL can only have
    been put there by an earlier tag's HTML, and '[' or ']'
    means another tag is nested inside. Your forum may have
    more vulnerable tags because of mods you've used, and I
    suspect the [EMAIL] tag is vulnerable too - but that
    would be more of the same and the following code could
    be changed to fix that too.
    Paste this into /sources/lib/post_parser.php in the
    regex_check_image function, just after the max_images
    check (that's line 1214 on version 1.2):
    
    	// Check if a previous tag has left HTML inside this one,
    	// or if there's another tag in here (just in case) ~ Daniel Boland
    	if (preg_match( "/[\<\>\[\]]/", $url))
    	{
    		$this->error = 'poss_hack_attempt';
    		return $default;
    	}
    
    --------------
    ~Daniel Boland
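The following is an added example, not code from the advisory or from Invision Board: a toy BBCode-to-HTML converter that models the two-pass tag handling described in the EXPLANATION section ([QUOTE] expanded first, [IMG] second, each by regex substitution) and shows why the two overlapping posts leave an unclosed quote or a stray close, and how the check from the PATCH section stops both. It assumes user text was HTML-escaped before tag parsing, and its stand-in for `return $default` leaves the offending tag unparsed (an assumption about what `$default` holds in Invision's parser). The sample posts are the two variations from the advisory, constructed here as strings.

```python
import html
import re

# Toy BBCode-to-HTML converter, written for this example. It models the
# advisory's description: [QUOTE] is expanded in one pass and [IMG] in a
# later pass, each by simple regex substitution. It is not Invision Board's
# post_parser.php. Assumption: user text was HTML-escaped before parsing, so
# a literal '<' inside an [IMG] URL can only have come from an earlier tag.

QUOTE_RE = re.compile(r"\[QUOTE\](.*?)\[/QUOTE\]", re.IGNORECASE | re.DOTALL)
IMG_RE = re.compile(r"\[IMG\](.*?)\[/IMG\]", re.IGNORECASE | re.DOTALL)
# The character set the advisory's patch refuses inside an image URL.
SUSPICIOUS_RE = re.compile(r"[<>\[\]]")

# Constructed sample posts, the two variations given in the advisory.
OVERLAP_UNCLOSED = "[QUOTE]bla [IMG]http://www.example.com/some.gif[/QUOTE]some.gif[/IMG]"
OVERLAP_ESCAPE = "[IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG] [/QUOTE]"


def expand_quotes(text):
    """Pass 1: [QUOTE]..[/QUOTE] becomes a blockquote."""
    return QUOTE_RE.sub(r"<blockquote>\1</blockquote>", text)


def expand_images_vulnerable(text):
    """Pass 2, unpatched: whatever sits between [IMG] and [/IMG] goes into src."""
    return IMG_RE.sub(r'<img src="\1">', text)


def expand_images_patched(text, errors=None):
    """Pass 2 with the advisory's check: refuse URLs carrying <, >, [ or ]."""
    def repl(m):
        url = m.group(1)
        if SUSPICIOUS_RE.search(url):
            if errors is not None:
                errors.append("poss_hack_attempt")
            # Stand-in for the patch's `return $default`: leave the tag unparsed
            # (assumption about what $default holds in Invision's parser).
            return m.group(0)
        # Extra belt-and-braces step beyond the advisory's patch: escape the
        # URL before it is placed inside an attribute.
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_RE.sub(repl, text)


def render(post, patched=False, errors=None):
    """Run the two passes in the order the advisory describes."""
    text = expand_quotes(post)
    if patched:
        return expand_images_patched(text, errors)
    return expand_images_vulnerable(text)


def blockquote_balance(rendered):
    """Opens minus closes of <blockquote> that the browser actually sees.

    Tags hidden inside a quoted attribute value are not structural, so strip
    quoted attribute values before counting. +1 means an unclosed quote,
    -1 means a stray close that will close the enclosing container instead.
    """
    structural = re.sub(r'"[^"]*"', '""', rendered)
    return structural.count("<blockquote>") - structural.count("</blockquote>")


if __name__ == "__main__":
    for name, post in (("unclosed", OVERLAP_UNCLOSED), ("escape", OVERLAP_ESCAPE)):
        for patched in (False, True):
            errs = []
            out = render(post, patched=patched, errors=errs)
            print("%-8s patched=%-5s balance=%+d errors=%s\n  %s"
                  % (name, patched, blockquote_balance(out), errs, out))
```

Unpatched, the first post renders with a balance of +1 (the `</blockquote>` is trapped inside `src="..."`), and the second with -1 (the `<blockquote>` is trapped instead, so the trailing close shuts whatever element wraps the post). With the character check in place both render balanced, and the parser records `poss_hack_attempt` just as the patch sets `$this->error`. The check works only because escaping happens before tag parsing; if raw user text could carry `<` the filter would also need to be applied to every other tag that builds an attribute.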
    



    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 10:58:46 PDT