Invision Vulnerabilities, including remote code execution Apr 25 2006 04:06PM
spam we11er co uk
Several Invision Flaws (2.1.5 and possibly earlier)
IceShaman & Wells

1) Code execution

sources/action_public/search.php line 1261
$this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'",
$this->output );

The input string is not properly sanitized which can lead to arbitrary code execution.
Example exploit:

- Post in a forum with "eval(die()); //" somewhere in the body of the post
- Use the search form to find text die just by your username (so only one result shows)
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The code should have been executed

The lastdate string alters the regex to accept anything inside eval() and parse it as code, as
an #e modifier is added and then %00 used which will be parsed as a null byte and truncate
the string thus removing the original )#i part.

Due to selected='selected' also being executed as php code a space and // has to be used to turn
the text into a comment so it will be ignored by PHP.

As you can see this is just the beginning. You can upload an avatar with php code somewhere in it
and changed the above example to include() it thus running as much PHP code as you like. On default
PHP setups you can also include() remote files.

2) Remote file inclusion (requires admin)

sources/action_admin/paysubscriptions.php line 282
$gateway = trim( $this->ipsclass->input['name'] );

The input string is not properly sanitized and can be used to transverse directories in
this later include on line 307:
require_once( ROOT_PATH . 'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );

This code may look safe as the prefix to the file is hardcoded, unfortunately the backspace
character may be used to remove this prefix thus allowing ../../ combinations to execute code
from any file ending in .php.

Example: http://host/admin.php?adsess=...&section=content&act=msubs&code=install-

The above is a simple POC which installs the 'test' gateway. %08 will be
parsed as the backspace character, 9 of them are required to remove 'class_gw_'.

Where as this is not a serious threat, someone with access to the system (shared server,
with a /tmp directory?) who happened to gain/have access to the admin panel would
be able to use this to run arbitrary code on the server in the correct circumstances.

3) SQL Injection (limited use)

sources/lib/func_taskmanager.php line 70
$this->cron_key = substr( trim(stripslashes($_REQUEST['ck'])), 0, 32 );

The input from 'ck' is not sanitized which could lead to an SQL Injection (limited to 32 characters)
on line 113: 'where' => "task_cronkey='".$this->cron_key."'",

Example: http://www.host.com/index.php?act=task&ck='

Although this is limited to 32 characters, it still may pose a risk in certain circumstances.

Flaws researched by IceShaman and Wells
Flaw #1 was first discovered by "securicore" security group and used to exploit my forums. This led
to me doing a quick audit of the code to find it (it goes without saying that I succeeded).

- IceShaman

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus