Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: bt807.txt

Invision Board spoof and defacement







-INTRO-

All versions of Invisions Board have a flaw in their

input filtering that allows an attacker to completely

mess up Invision's display and in one case I managed to

change the URL of some of the forums links, which could

be used to refer users to fake login sites to collect

passwords etc.



-VENDOR STATUS-

The vendor hasn't been notified because of their

handling of previous vulnerabilties I found in Invision

Board, instead I wrote a patch myself.



-EXPLANATION-

The problem is with the IBF tags used to enhance forum

posts, for example [IMG]www.example.com/some.gif[/IMG]

would be parsed into HTML code to include an image in

the post. When two tags overlap i.e. [QUOTE]bla

[IMG]http://www.example.com/some.gif[/QUOTE]some.gif[/IMG]

the first tag's closing HTML code ends up inside the

image's source string, meaning that the 'quote' never

gets closed. This would lead to the rest of the

document being included as a quote inside the

attacker's post. So far this leads to defacement but

nothing major, however a slight variation of the above

would be:

[IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG]

[/QUOTE]

now instead of not closing a quote, we close a quote

without opening it; thus 'escaping' out of our post

area where we can spoof forum links.



-PATCH-

A patch for this is simple, just add code to the [IMG]

parser function to watch out for the following symbols:

<>[]

Your forum may have more vulnerable tags because of

mods you've used, and I suspect the [EMAIL] tag is

vulnerable too - but that would be more of the same and

the following code could be changed to fix that too.

Paste this into /sources/lib/post_parser.php in the

regex_check_image function, just after the max_images

check (that's line 1214 on version 1.2):



	// Check if previous tag has left HTML inside this one

or if there's another tag in here (just in case) ~

Daniel Boland



	if (preg_match( "/[\<\>\[\]]/", $url))

	{

		$this->error = 'poss_hack_attempt';

		return $default;

	}



--------------

~Daniel Boland


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH