ipb304-xss.txt

Posted on 10 December 2009

[+] Invision Power Board XSS vulnerability

Software : Invision Power Board (IPB)
Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
Remote   : Yes
Required : Internet Explorer +5.0
Vendor   : http://www.invisionpower.com/
Download : Commercially available

Author   : Xacker
Contact  : N/A
Blog     : http://xacker.wordpress.com
Website  : N/A

[+] Technical details

IP.Board is prone to XSS attacks through maliciously crafted *.txt file
attachments. An attacker has to convince a user to view the malicious file in
order to run the evil code.

The only browser found affected is Internet Explorer +5.0; other browsers
(FF/Chrome/Opera..) seem to handle the issue correctly (or simply blindly?)

IP.Board v2.x sets the MIME-type of *.txt files to (application/x-dirview). If
the *.txt file contains JavaScript/HTML it will simply be parsed on IE +5.

IP.Board v3.0.4 (and prior) seems to check the content of the files before
permitting them; tags like "<body> , <script> , etc.." are flagged *dangerous*
and any file containing any of them simply fails to be uploaded.

The filter itself is weak; to escape it I provide a proof-of-concept code below.

[+] Exploit

--------------------------------->8---------------------------------
<span onmouseover="javascript:alert('XSS');function fakeLoginPage(){...}">move your mouse pointer here</span>
---------------------------------8<---------------------------------

The fakeLoginPage() function can be used to rewrite the whole page, faking a
login page through an embedded iframe.

[+] Fix

Simply change the MIME-type of *.txt files (and any other similar formats) to
(text/plain).

[+] Note

IP.Board technical staff has been notified of the issue and a fix was released
a couple of days ago:
http://community.invisionpower.com/topic/300051-invision-power-board-305-released/
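An added Python example (not from the advisory and not IP.Board's own code) of the server-side fix described above: it shows that a tag blacklist like the one described does not flag the proof-of-concept line, audits an extension-to-MIME map for text files not served as text/plain, and builds response headers for attachments. The extension set, the blacklist pattern and all function names are assumptions; the nosniff and Content-Disposition headers go beyond the fix the advisory states.

```python
import re

# Extensions treated as plain text; the set is an assumption for this example.
TEXT_EXTENSIONS = {"txt", "log", "csv", "ini"}

# Constructed stand-in for the tag blacklist the advisory describes
# (it names <body> and <script>; the rest of the real list is not on the page).
BLACKLISTED_TAGS = re.compile(r"<\s*(body|script)\b", re.IGNORECASE)

# The advisory's proof-of-concept line, reused as test input.
POC = ('<span onmouseover="javascript:alert(\'XSS\');'
       'function fakeLoginPage(){...}">move your mouse pointer here</span>')


def blacklist_rejects(content: str) -> bool:
    """True if the tag blacklist would refuse the upload."""
    return bool(BLACKLISTED_TAGS.search(content))


def audit_mime_map(mime_map: dict) -> list:
    """Return text extensions whose configured type is not text/plain."""
    return sorted(ext for ext, mime in mime_map.items()
                  if ext in TEXT_EXTENSIONS
                  and mime.split(";")[0].strip().lower() != "text/plain")


def safe_attachment_headers(filename: str, configured_mime: str) -> dict:
    """Build response headers for a user-uploaded attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = "text/plain; charset=utf-8" if ext in TEXT_EXTENSIONS else configured_mime
    # Replace characters that could break out of the quoted filename or the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    return {
        "Content-Type": mime,
        # Honoured by Internet Explorer 8 and later: do not sniff the body.
        "X-Content-Type-Options": "nosniff",
        # Download the file instead of rendering it inline in the forum's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    print("blacklist rejects PoC:", blacklist_rejects(POC))
    print("misconfigured:", audit_mime_map({"txt": "application/x-dirview", "csv": "text/plain"}))
    for name, value in safe_attachment_headers("notes.txt", "application/x-dirview").items():
        print(f"{name}: {value}")
```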

 
