Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

===============================================================
- Release date: December 4th, 2009
- Discovered by: Dawid Golunski
- Severity: Moderately High
===============================================================

I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection

II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has been built
from the ground up with speed and security in mind, taking advantage of object
oriented code, highly-optimized SQL queries, and the fast PHP engine. A
comprehensive administration control panel is provided to help you keep your
board running smoothly. Moderators will also enjoy the full range of options
available to them via built-in tools and the moderator control panel. Members
will appreciate the ability to subscribe to topics, send private messages, and
perform a host of other options through the user control panel.

III. INTRODUCTION
-------------------------
For a good understanding of the vulnerabilities it is necessary to be familiar
with the way IPB handles input data. Below is a quick trace of the input
validation process. The code snippets come from IPB version 3.0.4.

Line | file: admin/sources/base/ipsRegistry.php
352  | static public function init()
353  | {
...  |
...  |
462  |     IPSLib::cleanGlobals( $_GET );
463  |     IPSLib::cleanGlobals( $_POST );
464  |     IPSLib::cleanGlobals( $_COOKIE );
465  |     IPSLib::cleanGlobals( $_REQUEST );
466  |
467  |     # GET first
468  |     $input = IPSLib::parseIncomingRecursively( $_GET, array() );
469  |
470  |     # Then overwrite with POST
471  |     self::$request = IPSLib::parseIncomingRecursively( $_POST, $input );
...  |

The init() function cleans the input data passed via methods like GET, POST or
others at the start of each request to the forum, before any of the input
variables are processed.

Let's look into the sanitization performed by the cleanGlobals function:

Line | file: admin/sources/base/core.php
1644 | static public function cleanGlobals( &$data, $iteration=0 )
1645 | {
...  |
1654 |     foreach( $data as $k => $v )
1655 |     {
1656 |         if ( is_array( $v ) )
1657 |         {
1658 |             self::cleanGlobals( $data[ $k ], ++$iteration );
1659 |         }
1660 |         else
1661 |         {
1662 |             # Null byte characters
1663 |             $v = str_replace( chr(0), '', $v );
1664 |             $v = str_replace( "\0", '', $v );
1665 |             $v = str_replace( "\x00", '', $v );
1666 |             $v = str_replace( '%00', '', $v );
1667 |
1668 |             # File traversal
1669 |             $v = str_replace( "../", "&#46;&#46;/", $v );
1670 |
1671 |             $data[ $k ] = $v;
1672 |         }
1673 |     }
1674 | }

As we can see, the function removes null characters and "../" sequences from
incoming data to prevent unwanted file inclusion.

The next function that affects the input is:

Line | file: admin/sources/base/core.php
1573 | static public function parseIncomingRecursively( &$data, $input=array(), $iteration=0 )
1574 | {
...  |
1583 |     foreach( $data as $k => $v )
1584 |     {
1585 |         if ( is_array( $v ) )
1586 |         {
1587 |             $input[ $k ] = self::parseIncomingRecursively( $data[ $k ], array(), ++$iteration );
1588 |         }
1589 |         else
1590 |         {
1591 |             $k = IPSText::parseCleanKey( $k );
1592 |             $v = IPSText::parseCleanValue( $v, false );
1593 |
1594 |             $input[ $k ] = $v;
1595 |         }
1596 |     }
1597 |
1598 |     return $input;
1599 | }

The purpose of this function is to clean the key/value pairs of an array passed
to it with the help of the parseCleanKey and parseCleanValue functions. The
first one can be skipped, as neither of the attacks described later on requires
special characters inside variable names. The other looks as follows:

Line | file: admin/sources/base/core.php
4100 | static public function parseCleanValue( $val, $postParse=true )
4101 | {
4102 |     if ( $val == "" )
4103 |     {
4104 |         return "";
4105 |     }
4106 |
4107 |     $val = str_replace( "&#032;", " ", IPSText::stripslashes( $val ) );
4108 |
4109 |     # Convert all carriage return combos
4110 |     $val = str_replace( array( "\r\n", "\n\r", "\r" ), "\n", $val );
4111 |
4112 |     $val = str_replace( "&"        , "&amp;"        , $val );
4113 |     $val = str_replace( "<!--"     , "&#60;&#33;--" , $val );
4114 |     $val = str_replace( "-->"      , "--&#62;"      , $val );
4115 |     $val = str_ireplace( "<script" , "&#60;script"  , $val );
4116 |     $val = str_replace( ">"        , "&gt;"         , $val );
4117 |     $val = str_replace( "<"        , "&lt;"         , $val );
4118 |     $val = str_replace( '"'        , "&quot;"       , $val );
4119 |     $val = str_replace( "\n"       , "<br />"       , $val ); // Convert literal newlines
4120 |     $val = str_replace( "$"        , "&#036;"       , $val );
4121 |     $val = str_replace( "!"        , "&#33;"        , $val );
4122 |     $val = str_replace( "'"        , "&#39;"        , $val ); // IMPORTANT: It helps to increase SQL query safety.
4123 |
4124 |     if ( IPS_ALLOW_UNICODE )
...  |

The function cleans input data of characters typically used in XSS and SQL
attacks.

The resulting array containing the sanitized input data from the GET/POST
methods is stored in the ipsRegistry::$request array (as we can see in the
first code listing).

IV. LOCAL FILE INCLUSION VULNERABILITY
-------------------------

1. Description.

It is possible to include an arbitrary PHP file stored on the server in any
location (accessible by the php/web server process) by exploiting the
following code of IPB 3.0.4:

Line | file: admin/sources/base/ipsController.php
142  | public function getCommand( ipsRegistry $registry )
143  | {
144  |     $_NOW     = IPSDebug::getMemoryDebugFlag();
145  |
146  |     $module   = ipsRegistry::$current_module;
147  |     $section  = ipsRegistry::$current_section;
148  |     $filepath = IPSLib::getAppDir( IPS_APP_COMPONENT ) . '/' . self::$modules_dir . '/' . $module . '/';
149  |
150  |     /* Got a section? */
151  |     if ( ! $section )
152  |     {
153  |         if ( file_exists( $filepath . 'defaultSection.php' ) )
154  |         {
155  |             $DEFAULT_SECTION = '';
156  |             require( $filepath . 'defaultSection.php' );
157  |
158  |             if ( $DEFAULT_SECTION )
159  |             {
160  |                 $section = $DEFAULT_SECTION;
161  |             }
162  |         }
163  |     }
164  |
165  |     $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_' . $section;
166  |
167  |     if ( file_exists( $filepath . 'manualResolver.php' ) )
168  |     {
169  |         require_once( $filepath . 'manualResolver.php' );
170  |         $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_manualResolver';
171  |     }
172  |     else if ( file_exists( $filepath . $section . '.php' ) )
173  |     {
174  |         require_once( $filepath . $section . '.php' );
175  |     }
...  |

The require_once function on line 174 uses the variable $section to create
the path to a PHP file that is to be included. The variable is assigned the
following value:

Line | file: admin/sources/base/ipsRegistry.php
1654 | ipsRegistry::$current_section = ( ipsRegistry::$request['section'] ) ? ipsRegistry::$request['section'] : '';

Which, as we know from the introduction, comes from a user supplied variable
(via the GET or POST method).
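The pattern at line 174, a request-controlled name concatenated into a require_once() path and guarded only by the blacklist substitutions traced in section III, is the classic local file inclusion sink. The standard hardening is positive validation of the name (an allowlist of identifier characters and of the section names the module actually ships) followed by a containment check on the resolved path. The following is an added example of that hardening, written for this page; it is not code from IPB or from the advisory's author. The function names (resolveSectionFile, demonstrateResolver), the throwaway module directory and the sample section names are assumptions made for the illustration.

```php
<?php
// Added example (not IPB code): allowlist-based resolution of a user-supplied
// "section" name before it is concatenated into a require_once() path.
// Helper names, directory layout and sample inputs are assumptions.

declare(strict_types=1);

/**
 * Map a request-supplied section name to an on-disk file, or return null.
 *
 * @param string   $moduleDir     directory holding the module's section files
 * @param string   $section       value taken from the request (untrusted)
 * @param string[] $knownSections section names the module is known to ship
 */
function resolveSectionFile(string $moduleDir, string $section, array $knownSections): ?string
{
    // 1. Positive validation: identifier characters only, bounded length.
    //    \A...\z (not ^...$) so a trailing newline cannot slip past the anchor.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $section)) {
        return null;
    }

    // 2. Allowlist: the name must be one the module actually defines.
    if (!in_array($section, $knownSections, true)) {
        return null;
    }

    // 3. Containment (defence in depth): the canonical path must still lie
    //    inside $moduleDir. realpath() resolves symlinks and ".." and returns
    //    false when the file does not exist.
    $base      = realpath($moduleDir);
    $candidate = realpath($moduleDir . DIRECTORY_SEPARATOR . $section . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Self-contained demonstration: builds a throwaway module directory with one
 * real section file and runs constructed request values through the resolver.
 *
 * @return array<string, ?string> escaped input => resolved path, or null if rejected
 */
function demonstrateResolver(): array
{
    $moduleDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ipb_demo_' . bin2hex(random_bytes(4));
    mkdir($moduleDir, 0700, true);
    file_put_contents($moduleDir . DIRECTORY_SEPARATOR . 'view.php', "<?php\n// section stub\n");

    $known   = ['view'];
    $samples = [                      // constructed inputs, not taken from the advisory
        'view',                       // legitimate section name: resolves
        'unknown',                    // well-formed but not shipped by the module: step 2 rejects
        '../../../../etc/passwd',     // traversal characters: step 1 rejects
        "view\0",                     // embedded null byte: step 1 rejects
        "view\n",                     // trailing newline: step 1 rejects thanks to \z
        '&#46;&#46;/view',            // the rewritten form cleanGlobals produces: step 1 rejects
    ];

    $results = [];
    foreach ($samples as $s) {
        // addcslashes makes control characters visible in the printed key
        $results[addcslashes($s, "\0..\37")] = resolveSectionFile($moduleDir, $s, $known);
    }

    unlink($moduleDir . DIRECTORY_SEPARATOR . 'view.php');
    rmdir($moduleDir);

    return $results;
}

foreach (demonstrateResolver() as $input => $resolved) {
    printf("%-30s => %s\n", var_export($input, true), $resolved ?? 'rejected');
}
```

Steps 1 and 2 are the actual control: they decide on the name itself, before any filesystem path is built, so no substitution of "../" or null bytes is needed and there is nothing for an encoding trick to evade. Step 3 costs one realpath() call and catches mistakes elsewhere (a symlink dropped into the module directory, an allowlist populated from a directory scan), which is why it is worth keeping even though it is redundant for the inputs above.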

Although the whole $request array has been filtered to prevent directory
traversal and arbitrary file inclusion, it is possible to evade these
measures due to a bug in a function implem
