11 replies to this topic

[Angel]

Q:Is this really general hacking?
A:Of course! But feel free to move this if you think otherwise, mods.

Q:So you edited your profile to say you were 'leet'? Isn't that kind of sophomoric?
A:Yar, probably. But I couldn't think of any better number off the top of my head, and "666" seemed dumb.

Q:Ok, so I assume there's a flaw in the website?
A:Well, many; nothing is a hundred percent secure. Stank and crew do a good job of locking things down, this isn't like a dig at the staff or nothin'.

Q:Would you like to tell us?
A:Sure thing! I'll give you a hint and then put the actual code in spoiler tags so you guys can script-kiddy out your own profiles. The hint is: what user input does the forum take to calculate your age?

Spoiler

If you guessed "your birthday, which is secured by dropdownlist boxen", you are our winner. A lot of coders assume that if they put data into a dropdownlist, they don't need to sense-check it, since the server is writing the list. But it doesn't take much more than a couple of lines of javascript to add a new, unexpected option to the form:
var objOption = document.createElement("OPTION");
document.getElementById('pp_b_year').options.add(objOption);
objOption.innerText='1337';
objOption.value='670';
alert('done');
The moral of the story is - validate all user input.

Otherwise, uh ... people will add silly things to their profiles, I guess. O_o;;

As an aside - I'm attaching the image above to this post since as it's hosted at Images Hack dot us it will, in time, wither and die, confusing future graverobbers who may then attempt to ressurect this thread with dumb questions.

Have phun,

-ArchAngel

Attached Files

•  1337yearsold.PNG   5.04K   6 downloads

[I_Eat_Childrenz]

How long before this gets changed? If ever?

[Spyril]

An easier way would be just to modify the headers if you have TamperData installed in Firefox. But yeah, good find.

Edited by Spyril, 12 November 2007 - 10:33 PM.

[StankDawg]

nice find...and invision needs to be made aware of this as well so that they can issue a patch.

[Angel]

nice find...and invision needs to be made aware of this as well so that they can issue a patch.

*shrugz* I suppose. You seem to believe more in corporations than I do, my friend. ^_-.

I sent a message in via script-injecting their "Report Piracy" form, and e-mailed the technical contact listed in their WHOIS:

Date: Mon, 12 Nov 2007 20:25:45 -0900
From: ArchAngel <(Redacted)@gmail.com>
To: dnsadmin@invisionpower.com
Subject: Invision Board Bug
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Just thought you may want to address a flaw in your software.

Incidentally, the same flaw can be used on your piracy reporting form to add
new options under "Piracy" - the thread linked below has the relevant code.

Effectively, your coders aren't appropriately validating the values sent in
by dropdownlists - which lets script-savvy users add their own values and
pass them to the server, where code evaluates them and executes
appropriately. With an age change, not so serious a problem, but you
probably want to remove single quotes, html, and the like just to be safe.

Here's the site link describing the bug in some detail:
http://www.binrev.co...showtopic=34727

Love,

-ArchAngel

We'll see if they respond.

-ArchAngel
(edit:reworded slightly before sending)

Edited by Angel, 13 November 2007 - 12:30 AM.

[thenotwist]

[...]but you
probably want to remove single quotes, html, and the like just to be safe.[..]

Interesting, depending on what is being done with the input that could pose quite a problem I guess...

[StankDawg]

Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.

[operat0r]

I managed to get it to popup a error saying something like invalid input but other then that..
location string is huge too

Edited by operat0r, 14 November 2007 - 12:36 PM.

[DanielG]

Lol, I only used this on profile sites or cam sites like stickam, never thought to change it on forums.
TamperData ftw.

[Angel]

Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.

Not to bring this old thread back from the grave, but I thought it funny that this flaw still exists in the current IP Board software -- as hinted at four years ago, this vulnerability effects client-side controls used across the software suite, and as such it allows behaviour a little more serious than things like making your age a cool number ... not sure what that says about giving big 'evil' corporations a chance. ^_-.

-ArchAngel

[serrath]

Oh jesus, I just saw the date on that... Crap.

[StankDawg]

Thanks angel...I think that is the right thing to do.

We have to give invision a chance before we judge them as a big evil "corporation". Maybe they will surprise you.

Not to bring this old thread back from the grave, but I thought it funny that this flaw still exists in the current IP Board software -- as hinted at four years ago, this vulnerability effects client-side controls used across the software suite, and as such it allows behaviour a little more serious than things like making your age a cool number ... not sure what that says about giving big 'evil' corporations a chance. ^_-.

-ArchAngel

Did anyone ever report it to them? lol

And no, I don't trust big corporations either, but at the same time you have to give everyone a chance to prove themselves. If you never give them a chance, then you are just as much at fault as they are. I also don't think that invision software is a big corporation by any means.