Invision Vulnerabilities, including remote code execution

Several Invision Flaws (2.1.5 and possibly earlier)
IceShaman & Wells

1) Code execution

sources/action_public/search.php line 1261
$this->output = preg_replace( "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 selected='selected'",
$this->output );

The input string is not properly sanitized which can lead to arbitrary code execution.
Example exploit:

- Post in a forum with "eval(die()); //" somewhere in the body of the post
- Use the search form to find text die just by your username (so only one result shows)
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The code should have been executed

The lastdate string alters the regex to accept anything inside eval() and parse it as code, as
an #e modifier is added and then %00 used which will be parsed as a null byte and truncate
the string thus removing the original )#i part.

Due to selected='selected' also being executed as php code a space and // has to be used to turn
the text into a comment so it will be ignored by PHP.

As you can see this is just the beginning. You can upload an avatar with php code somewhere in it
and changed the above example to include() it thus running as much PHP code as you like. On default
PHP setups you can also include() remote files.

2) Remote file inclusion (requires admin)

sources/action_admin/paysubscriptions.php line 282
$gateway = trim( $this->ipsclass->input['name'] );

The input string is not properly sanitized and can be used to transverse directories in
this later include on line 307:
require_once( ROOT_PATH . 'sources/classes/paymentgateways/class_gw_'.$gateway.'.php' );

This code may look safe as the prefix to the file is hardcoded, unfortunately the backspace
character may be used to remove this prefix thus allowing ../../ combinations to execute code
from any file ending in .php.

Example: http://host/admin.php?adsess=...&section=content&act=msubs&code=install-gateway&name=

The above is a simple POC which installs the 'test' gateway. %08 will be
parsed as the backspace character, 9 of them are required to remove 'class_gw_'.

Where as this is not a serious threat, someone with access to the system (shared server,
with a /tmp directory?) who happened to gain/have access to the admin panel would
be able to use this to run arbitrary code on the server in the correct circumstances.

3) SQL Injection (limited use)

sources/lib/func_taskmanager.php line 70
$this->cron_key = substr( trim(stripslashes($_REQUEST['ck'])), 0, 32 );

The input from 'ck' is not sanitized which could lead to an SQL Injection (limited to 32 characters)
on line 113: 'where' => "task_cronkey='".$this->cron_key."'",


Although this is limited to 32 characters, it still may pose a risk in certain circumstances.

Flaws researched by IceShaman and Wells
Flaw #1 was first discovered by "securicore" security group and used to exploit my forums. This led
to me doing a quick audit of the code to find it (it goes without saying that I succeeded).

- IceShaman

Relevant Pages

  • Re: PHP Optimization question
    ... | Overall the page takes about .4-.5 seconds to render (just the code, ... | i'm recording the time at start and finish of execution) on a my dual ... Have you stopped to think that it might not be the php code that is ... The browser needs to: ...
  • Re: getting around time out errors (again)
    ... but i did know aout changing the .ini file to make the ... but it works for my update script, that takes about 12 minutes to execute ... // your php code ...
  • Re: Cant convert string to double!
    ... An unhandled exception of type 'System.FormatException' occurred in ... Input string was not in a correct format. ... at execution of simple line: ...
  • Re: Cant convert string to double!
    ... Input string was not in a correct format. ... at execution of simple line: ... Culture, I suspsect. ...
  • Using fopen with a URL...
    ... but is this a recommended way to evaluate such php code ... execution of the file via fopen, can I move the fopen call in the background ... like I can do on Unix using the &. ... I do the above with a series of different values for $a and $b in a loop, ...