Invision Power Board < =3.4.1 persistent XSS (BBCode)

2013.03.04

Credit: Infern0_

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Author: Infern0_
# Contact: balut2@o2.pl
# Vendor: http://www.invisionpower.com
# Vulnerability: Persistent XSS
# Vendor informated at: 6 February 2013
# Solution: Disable possibility to use HTML in posts - in administrator panel. Default disabled in v.3.4.2 of IP.B, and code in quote tag is sanitized.

IP.B v3.4.1 is already a stable version of this software.

To reproduce this issue follow this steps(Sometimes you won't have to be logged in. It depend on forum preferences, because someone accept to write post for quests):
1.Go to some topic to add a post.
2. Click in BBCode icon to turn it on(enable that) and write this:
[quote name="<script>alert(document.cookie)</script>"]
Doesn't matter what here, for best something conrete to deceive another users
[quote]
3. Accept this post to send, and voila - here it is. Our persistent XSS.

As you can see vulnerable is variable 'name' in quote tag. You can enter there whatever you want to.

References:

http://www.invisionpower.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Invision Power Board < =3.4.1 persistent XSS (BBCode)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.