[+] Invision Power Board XSS vulnerability
Software : Invision Power Board (IPB)
Affected : IPB v2.x up to v3.0.4 (prior versions might be vulnerable as well)
Remote : Yes
Required : Internet Explorer +5.0
Vendor : http://www.invisionpower.com/
Download : Commercially available
Author : Xacker
Contact : N/A
[waraxe-2012-SA#086] - Local File Inclusion in Invision Power Board 3.3.0
===============================================================================
Author: Janek Vind "waraxe"
Date: 12. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-86.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2226
[MajorSecurity SA-069]Invision Power Board - stored Cross site Scripting
Details
=======
Product: Invision Power Board
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.invisionpower.com
Vendor-Status: informed
Advisory-Status: published
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has
Hello Bugtraq and Xacker!
As I mentioned on my site (http://websecurity.com.ua/3762/), where I posted
about this XSS vulnerability in Invision Power Board, the fix offered by
Xacker is not effective. It is better to use the other method of fixing
offered by me.
The author of this advisory said that in IPB the MIME type application/x-dirview
is set for txt files. But on my forum (on IPB 2.2.2) the MIME type text/plain
was set for txt files by default and the attack worked. So
Hello Bugtraq!
I want to warn you about new vulnerabilities in Invision Power Board.
These are Cross-Site Scripting vulnerabilities. The attack goes via an
attachment (on a click on the attachment in a forum post or on a link
to this attachment). These are persistent XSS vulnerabilities.
I have known for a long time about the possibility of attacks via swf files.
So many years ago I turned off support for swf files in attachments (and in avatars
[HSC] Invision Power Board D22-Shoutbox HTML Injections
D22-Shoutbox suffers from improper validation of HTML tags filtration.
An attacker may leverage this issue to have arbitrary script code execute
in the browser of an unsuspecting user in the context of the affected site.
This may help the attacker steal cookie-based authentication credentials and
launch other attacks. A successful script could allow an attacker to compromise
the application, access or modify data, or exploit vulnerabilities in the
function mhead()
{
# Advisory: http://acid-root.new.fr/?0:18
print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities";
print "\n ------------------------------------------------------";
print "\n\n About:";
print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
print "\n http://acid-root.new.fr/";
print "\n #acidroot@irc.worldnet.net";
Title: Invision Power Board <= 2.3.5
Multiple Vulnerabilities and Security Bypass
Vendor: http://www.invisionpower.com/community/board/
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2008/08/29
Changelog: 2008/08/29
----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]
INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
Eugene Minaev underwater@itdefence.ru
#######################################################
Tested On: http://www.abarjigs.com/forum/
Affected on: Invision Power Board <=2.3.x
Type:Signature With iFrame
Discovered By:CYBER.DARK.HIMU (SHAHEE_MIRZA)
Google: "style designed by Soi" or "Powered by IP.Board 2.3.1"
Mail: cyber.dark.himu@gmail.com,shaheemirza@gmail.com
#######################################################
HI TO ALL.
Subdreamer can be integrated with different forum software, so that login authentication & authorization information can be used in the CMS too.
Vulnerability description:
There are vulnerabilities in two integration modules in Subdreamer. Both Invision Power Board 2 and phpBB3 integration modules have this vulnerability.
Both bulletin board systems store the browser user-agent string in the sessions table used to track currently logged-in users.
The user-agent string is passed as-is from HTTP headers without any validation / escaping. This opens up a possibility for SQL Injection attacks.