bfebc3fa5a
62 changes to exploits/shellcodes macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' Peercast < 0.1211 - Format String Trillian Pro < 2.01 - Design Error dbPowerAmp < 2.0/10.0 - Buffer Overflow PsychoStats < 2.2.4 Beta - Cross Site Scripting MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution GitStack 2.3.10 - Unauthenticated Remote Code Execution Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC) Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC) Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities DUWare Multiple Products - Multiple Vulnerabilities AutoRank PHP < 2.0.4 - SQL Injection (PoC) ASPapp Multiple Products - Multiple Vulnerabilities osCommerce < 2.2-MS2 - Multiple Vulnerabilities PostNuke < 0.726 Phoenix - Multiple Vulnerabilities MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities phpGedView < 2.65 beta 5 - Multiple Vulnerabilities phpShop < 0.6.1-b - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3 - SQL Injection phpBB < 2.0.6d - Cross Site Scripting Phorum < 5.0.3 Beta - Cross Site Scripting vBulletin < 3.0.0 RC4 - Cross Site Scripting Mambo < 4.5 - Multiple Vulnerabilities phpBB < 2.0.7a - Multiple Vulnerabilities Invision Power Top Site List < 1.1 RC 2 - SQL Injection Invision Gallery < 1.0.1 - SQL Injection PhotoPost < 4.6 - Multiple Vulnerabilities TikiWiki < 1.8.1 - Multiple Vulnerabilities phpBugTracker < 0.9.1 - Multiple Vulnerabilities OpenBB < 1.0.6 - Multiple Vulnerabilities PHPX < 3.26 - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3.1 - Design Error HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities LiveWorld Multiple Products - Cross Site Scripting WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities PHP-Calendar < 0.10.1 - Arbitrary File Inclusion PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities ReviewPost < 2.84 - Multiple Vulnerabilities PhotoPost < 4.85 - Multiple Vulnerabilities AZBB < 1.0.07d - Multiple Vulnerabilities Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities Burning Board < 2.3.1 - SQL Injection XOOPS < 2.0.11 - Multiple Vulnerabilities PEAR XML_RPC < 1.3.0 - Remote Code Execution PHPXMLRPC < 1.1 - Remote Code Execution SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite XPCOM - Race Condition ADOdb < 4.71 - Cross Site Scripting Geeklog < 1.4.0 - Multiple Vulnerabilities PEAR LiveUser < 0.16.8 - Arbitrary File Access Mambo < 4.5.3h - Multiple Vulnerabilities phpRPC < 0.7 - Remote Code Execution Gallery 2 < 2.0.2 - Multiple Vulnerabilities PHPLib < 7.4 - SQL Injection SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite CubeCart < 3.0.12 - Multiple Vulnerabilities Claroline < 1.7.7 - Arbitrary File Inclusion X-Cart < 4.1.3 - Arbitrary Variable Overwrite Mambo < 4.5.4 - SQL Injection Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities D-Link DNS-343 ShareCenter < 1.05 - Command Injection D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
43 lines
No EOL
2.5 KiB
Text
43 lines
No EOL
2.5 KiB
Text
IP.Board Design Error
|
|
|
|
Vendor: Invision Power Services
|
|
Product: IP.Board
|
|
Version: <= 1.3.1
|
|
Website: http://www.invisionpower.com/
|
|
|
|
BID: 10559
|
|
|
|
Description:
|
|
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world.
|
|
|
|
IP Spoofing Vulnerability:
|
|
There lies a vulnerability in all version of Invision Power Board that allow a user to spoof his/her IP address by creating a bogus X_FORWARDED_FOR HTTP Header entry. This condition can also be caused by a user unknowingly if they use a proxy to access the internet. For example, private LAN based IP's will be logged which are impossible to trace. Below we see a snip of the vulnerable code taken from the file sources/functions.php @ line 1440
|
|
|
|
//----------------------------------------
|
|
// Sort out the accessing IP
|
|
// (Thanks to Cosmos and schickb)
|
|
//----------------------------------------
|
|
|
|
$addrs = array();
|
|
|
|
foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
|
|
{
|
|
$x_f = trim($x_f);
|
|
|
|
if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
|
|
{
|
|
$addrs[] = $x_f;
|
|
}
|
|
}
|
|
|
|
$addrs[] = $_SERVER['REMOTE_ADDR'];
|
|
$addrs[] = $HTTP_PROXY_USER;
|
|
$addrs[] = $REMOTE_ADDR;
|
|
|
|
So, basically if the X_FORWARDED_FOR header entry is present it ignores everything else? Seems to be the case. Not a good idea at all. This vulnerabilty makes the IP logging feature of IPB totally useless. Also, IP's are used in the sessions, as one of the ways to uniquely identiofy a user. For example, if you take your admin session ID (adsess) and then use it from a different IP than the one the session was created with you get an error message that the IP is not yours etc etc. So, as you can see this issue could probably cause alot more problems than meets the eye.
|
|
|
|
Solution:
|
|
Until there is an official fix I just commented out the foreach loop shown in the previous code snippet. It's not a pretty solution but works for now.
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team. |