GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe (SCOSA-2004.7)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities (SCOSA-2004.10)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges (SCOSA-2004.3)
SCO Security Advisory - UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges. (SCOSA-2004.2)
Microsoft Security Bulletin Re-release, August 2004
Latest Vulnerabilities
OpenFTPD Format String Vulnerability
Fusion News Unauthorized Account Addition Vulnerability
Jaws 0.4 Authentication Bypass Vulnerability
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
LostBook v1.1 Javascript Execution Vulnerability
Latest Security News
Anti-spam spamvertisers agree to quit
Black Hat day 2 sounds security alarm
VPNs (Virtual Private Nightmares)
HNS Newsletter issue 224 has been released
Long-awaited IE patch (finally) arrives















Invision Board IP Spoofing Vulnerability
June 16, 2022


Vendor : Invision Power Services
URL : http://www.invisionpower.com/
Version : All Versions
Risk : IP Spoofing Vulnerability
BID : http://www.securityfocus.com/bid/10559


Description:
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world.


IP Spoofing Vulnerability:
There lies a vulnerability in all version of Invision Power Board that allow a user to spoof his/her IP address by creating a bogus X_FORWARDED_FOR HTTP Header entry. This condition can also be caused by a user unknowingly if they use a proxy to access the internet. For example, private LAN based IP's will be logged which are impossible to trace. Below we see a snip of the vulnerable code taken from the file sources/functions.php @ line 1440
//----------------------------------------
// Sort out the accessing IP
// (Thanks to Cosmos and schickb)
//----------------------------------------
$addrs = array();
foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
{
   $x_f = trim($x_f);
   if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
   {
      $addrs[] = $x_f;
   }
}
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $HTTP_PROXY_USER;
$addrs[] = $REMOTE_ADDR; 
So, basically if the X_FORWARDED_FOR header entry is present it ignores everything else? Seems to be the case. Not a good idea at all. This vulnerabilty makes the IP logging feature of IPB totally useless. Also, IP's are used in the sessions, as one of the ways to uniquely identiofy a user. For example, if you take your admin session ID (adsess) and then use it from a different IP than the one the session was created with you get an error message that the IP is not yours etc etc. So, as you can see this issue could probably cause alot more problems than meets the eye.


Solution:
Invision Power Services were contacted a while ago by me about this issue, yet they just told me to buy a liscence if I wanted support?!? Okay.
Thank you for contacting Invision Power Services, Justin has 
responded to your request. 
----------------------------------------
Hello and thank you for contacting Invision Power Services!
Unfortunately, we do not offer free technical support.  If you 
wish to receive technical support via e-mail/support tickets, 
customer forums, and telephone, please look into the two types 
of licenses we offer.  Our yearly Invision Power Board license 
costs $69.95 per year while a lifetime license costs a one-time 
fee of $199.00.
Purchasing a license not only entitles you to technical support, 
but you are also eligible for discounts on other Invision Power 
Services products (such as Invision Power Chat), as well as 
discounts on Invision Power Board plugins.  The Subscription 
Manager plugin is included free of charge for all licensed customers.
If you have any further questions, please do not hesitate to reply 
to this e-mail!
Regards,
Justin Hancock
Invision Power Services, Inc.
----------------------------------------
All I can say is that I feel sorry for people who paid for a IPB liscence. Until there is an official fix I just commented out the foreach loop shown in the previous code snippet. It's not a pretty solution but works for now.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.






© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers