Hello Bugtraq!

I want to warn you about new vulnerabilities in Invision Power Board.

These are Cross-Site Scripting vulnerabilities. Attack is going via 
attachment (at click on the attachment in the post at forum or on the link 
to this attachment). These are persistent XSS vulnerabilities.

I know for a long time about possibility of attacks via swf-files. So many 
years ago I turned off support of swf-files in attachments (and in avatars 
and photos). Also I wrote at beginning of 2008 about XSS vulnerability in 
IPB (http://websecurity.com.ua/1893/) via embedded flash files and released 
fix for it in my MustLive Security Pack (http://websecurity.com.ua/1896/).

In 2008 there was found Cross-Site Scripting vulnerability in IPB 
(http://securityvulns.ru/Tdocument862.html) via htm and html files in 
attachments. It was concerned Internet Explorer, in which a code was 
executing in context of the site (in Mozilla and Firefox a code was 
executing locally). But as I checked at 12.12.2009, in Opera a code also is 
executing in context of the site.

And recently there was found new XSS vulnerability in IPB 
(http://securityvulns.ru/Wdocument899.html), this time via txt-files. Which 
concerns Internet Explorer. In case of htm, html and txt-files (and also 
below-mentioned php, rtf and xml-files) the best method of protection 
against XSS is turning off of their support at forum (similarly to 
swf-files).

At 12.12.2009 I found new Cross-Site Scripting vulnerabilities in Invision 
Power Board. Attack is going via files php, rtf and xml (in attachments).

There are possible next attacks:

1. Attack via uploading php-files with JavaScript code. Works in IE and 
Opera in context of the site. In browsers Mozilla and Firefox file will open 
locally (not in context of the site) at selecting open in browser. 
Accordingly in case of attack via htm, html and php files at browsers 
Mozilla and Firefox, which open them locally (at selecting in dialog window 
by user), attack at local computer of the user it possible.

2. Attack via uploading rtf-files with JavaScript code. Works only in 
Internet Explorer.

3. Attack via uploading xml-files with JavaScript code. Works in Mozilla, 
Firefox, Opera and Chrome (but without access to cookies).

XSS:

For attacks via htm, html, php, rtf and txt-files, it's needed to create a 
file with next content (and upload it as attachment to forum):

<script>alert(document.cookie)</script>

I tested on Invision Power Board 1.3 and 2.2.2. All versions of IPB 1.x 
(particularly for txt), 2.x and 3.0.x must be vulnerable. Author of advisory 
about attack via txt-files noted, that there are filters against XSS during 
uploading of the files in IPB 3.0.4, but they can be bypassed.

I made checking in next browsers: Internet Explorer 6 (6.0.2900.2180), 
Mozilla 1.7.x, Mozilla Firefox 3.0.15, Opera 9.52 and Google Chrome 
1.0.154.48.

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/3764/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua