Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2012030130

Below is a copy:

Name :  Cross-site scripting vulnerability in Invision Power Board version 3.2.3
Software :  Invision Power Board version 3.2.3
Vendor Homepage :  http://www.invisionpower.com
Vulnerability Type :  Cross-site scripting
Researcher :  Vasil A. [email protected]

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an
Internet forum software produced by Invision Power Services, Inc. It
is written in PHP and primarily uses MySQL as a database management
system, although support for other database engines is available.

IP Board is affected by a Cross-site scripting vulnerability in version 3.2.3.

Example PoC URL is as follows:


Additional notes:
1. If a forum contains sub-forums, this vulnerability does not exist.

2. Most boards use the "Friendly URL style", but the attack can be
performed by using the "legacy URL style" in the query, e.g.:




The vendor issued a patch for this vulnerability. Please see the references.

Advisory Timeline
10/03/2012 - First contact: Sent the vulnerability details
12/03/2012 - Second contact: Asked for patch
14/03/2012 - Vulnerability Fixed
15/03/2012 - Vulnerability Released

It was discovered while testing Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.
