View Full Version : Two Invision Power Board 1.1.x vulns



Gossi The Dog
05/04/03, 22:50
Hola,

Invision Power Services have continued to show their amazing support and
understanding for the security community by releasing two patches for
their 'Invision Power Board' product (now one of the most widely used
'Board' programs around).

Without sending out any security mailing list announcements.

The first patch is available here:
http://forums.invisionpower.com/index.php?act=ST&f=1&t=51540

Apparently it affects you if your PHP installation is running with
register_globals set to on.

There is no information as to where the problem lies, or the scope of
the problem. Or the impact. Additionally they thank people for not
reporting the issue to "help" sites like bugtraq, which is another
quality show of support for the security industry. I guess they don't
like disclosure.

Second patch is here:
http://forums.invisionpower.com/index.php?act=ST&f=1&t=55976

Again, no information whatsoever. No scope. No impact. In fact
"Obviously I'm not going to go into detail to protect your boards, but
the security update is very easy to apply.". That's fine, then!


Interesting fact about both updates:

* they don't increase the version number of Invision Board
* they've both been integrated into the existing version of the software
installer
* this means the only way to know if you are patched is by date of when
you installed. Do you remember?
* No MD5sums for either patch.

The 2nd patch I have investigated.

The update file is functions.php. Line 577 is commented out;

//$ibforums->input['skinid'] = intval($ibforums->input['skinid']);

Line 601

$id = $ibforums->input['skinid'];

Changes to;

$id = intval($ibforums->input['skinid']);

The vuln appears to be the fact that the skinid wasn't being converted
to an integer (it is one normally), and as such I *think* you can inject
SQL code, reading the source.

Invision Power Services - PLEASE - read bugtraq. Find out how vulns are
disclosed, how the impact and severity are described to customers.
Seriously. If Microsoft at least make an attempt at it, that's saying
something.

It's like the company tries to secure their customers' software by hoping
nobody finds out vulns. It's a PHP program. Of course they do. They
get misused. The customers get peeved.

Set up a security mailing list for your customers to subscribe to.
Email bugtraq, and the other security mailing lists when a problem is
found, briefly describing the problem and its potential impact.

Distribute security updates with MD5sums so we know they can be trusted.
Give us a way to know if *OUR* boards are patched. Include an Internal
version number in the Admin Control Panel for the product so the admins
can check.

Regards,
Gossi.
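
An added example, not part of the original post and not Invision's code: since the patches leave the version number unchanged, an admin can inspect functions.php directly for the skinid assignment the post quotes. The function names, the constructed sample files and the use of SHA-256 (where the post asks for MD5sums) are assumptions of this sketch.

```python
import hashlib
import re

# Patterns taken from the two lines quoted in the post; the layout of a real
# functions.php beyond those lines is an assumption.
ASSIGN = re.compile(r"^\s*\$id\s*=(?!=)\s*(?P<rhs>.+?);")
SKINID = re.compile(r"\$ibforums->input\[\s*['\"]skinid['\"]\s*\]")
INT_CAST = re.compile(r"^(?:intval\s*\(|\(\s*int(?:eger)?\s*\))", re.I)


def classify(source: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for the text of functions.php."""
    verdict = "unknown"
    for line in source.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # commented-out code never runs, so it proves nothing
        m = ASSIGN.match(line)
        if not m or not SKINID.search(m["rhs"]):
            continue
        if not INT_CAST.match(m["rhs"].strip()):
            return "unpatched"  # one raw assignment is decisive
        verdict = "patched"
    return verdict


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file, to record per install and compare between hosts."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples, built only from the lines quoted in the post.
PATCHED = """<?php
//$ibforums->input['skinid'] = intval($ibforums->input['skinid']);
$id = intval($ibforums->input['skinid']);
"""
UNPATCHED = """<?php
$id = $ibforums->input['skinid'];
"""

if __name__ == "__main__":
    for name, text in (("patched sample", PATCHED), ("unpatched sample", UNPATCHED)):
        print(name, classify(text), fingerprint(text.encode())[:16])
```

A result of 'unknown' only means the quoted assignment was not found in that form, so the file needs a manual look rather than being treated as safe.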