Bugtraq mailing list archives
Invision Board spoof and defacement
From: Daniel Boland <DCBoland () blueyonder co uk>
Date: 4 Aug 2003 00:29:46 -0000
-INTRO- All versions of Invisions Board have a flaw in their input filtering that allows an attacker to completely mess up Invision's display and in one case I managed to change the URL of some of the forums links, which could be used to refer users to fake login sites to collect passwords etc. -VENDOR STATUS- The vendor hasn't been notified because of their handling of previous vulnerabilties I found in Invision Board, instead I wrote a patch myself. -EXPLANATION- The problem is with the IBF tags used to enhance forum posts, for example [IMG]www.example.com/some.gif[/IMG] would be parsed into HTML code to include an image in the post. When two tags overlap i.e. [QUOTE]bla [IMG]http://www.example.com/some.gif[/QUOTE]some.gif[/IMG] the first tag's closing HTML code ends up inside the image's source string, meaning that the 'quote' never gets closed. This would lead to the rest of the document being included as a quote inside the attacker's post. So far this leads to defacement but nothing major, however a slight variation of the above would be: [IMG]http://www.example.com/some.gif[QUOTE]some.gif[/IMG] [/QUOTE] now instead of not closing a quote, we close a quote without opening it; thus 'escaping' out of our post area where we can spoof forum links. -PATCH- A patch for this is simple, just add code to the [IMG] parser function to watch out for the following symbols: <>[] Your forum may have more vulnerable tags because of mods you've used, and I suspect the [EMAIL] tag is vulnerable too - but that would be more of the same and the following code could be changed to fix that too. Paste this into /sources/lib/post_parser.php in the regex_check_image function, just after the max_images check (that's line 1214 on version 1.2): // Check if previous tag has left HTML inside this one or if there's another tag in here (just in case) ~ Daniel Boland if (preg_match( "/[\<\>\[\]]/", $url)) { $this->error = 'poss_hack_attempt'; return $default; } -------------- ~Daniel Boland
![http://www.example.com/some.gif[/QUOTE]some.gif[/IMG](http://www.example.com/some.gif[/QUOTE]some.gif[/IMG){kind=link}
![http://www.example.com/some.gif[QUOTE]some.gif[/IMG](http://www.example.com/some.gif[QUOTE]some.gif[/IMG){kind=link}
Current thread:
- Invision Board spoof and defacement Daniel Boland (Aug 04)
- <Possible follow-ups>
- Re: Invision Board spoof and defacement matt (Aug 05)