IP Board Vulnerabilities

Good Morning all,

It’s been a busy past month for me, but I did happen to find a new vulnerability that exists in IP.Board. IP.Board is basically a web application that allows you to run a forum, with the option to purchase additional functionality, like blogs, a store, etc.

While I was looking into how IP.Board works, and running some tests and scans against it, I’ve discovered a couple of vulnerabilities in the application. At the moment, it seems to largely be information disclosure and XSRF vulnerabilities, but I am in the process of seeing if it is capable of further development into something a little more dangerous.

I’ve already reported some of the vulnerabilities to the developers of IP.Board, and they said that a fix has been created for their next update. I’ll be sure to let you know once it is released if it fixes the issue. The other outstanding vulnerabilities I want to look into as much as I can to see whether they can result in a dangerous attack. As I find out more information, and understand how it works, I will then be able to provide a better report to the developers of IP.Board (Invision Services) about the vulnerability.

I am also currently working to get a CVE number reserved for the issue for proper tracking of the vulnerability.

A Potential Vulnerability I Discovered…

Before you begin reading the writeup, I had contacted the company whose server contains the vulnerability and disclosed all the information I had about what I did. Their response was that they didn’t consider it a risk, and weren’t going to be modifying the server security. So I am taking that as a “closed” issue on their end, and I’ll at least write it up.

While trying to determine how secure the server is that I have a website running on, I found an interesting hole. I consider user accounts to be basically half a password when attempting to access a box. If I have a username, then I know half of what I need to know to get in. So I tried testing to see if I could figure out the other user accounts that are on this shared hosting server a website of mine was put on.

I do have SSH and FTP access to the server, as I am a legitimate customer. So I SSHed into the machine, and tried running the “top” command. It returned some server stats and all user accounts that had an active running process. However, the user accounts were not displayed. Only the UID of the account. Also, I was unable to view the home directories of other users as my account was jailed. This would be good.

Then I had an idea. I uploaded a php page that ran the same command and would return the results to the web page. When I browsed to it, I had an unfiltered view of all user accounts on the server that had running processes. It became clear that the “nobody” account was not jailed, and as a result, I was able to make a page that used the nobody account to run the command. It returned all the same information, except this time it had the actual user accounts instead of just the UID.

It was an interesting find, and since the company is not considering this an issue, I figured it wouldn’t hurt to share with the world. Enjoy, and see if you can do the same thing on your servers.
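For hosts that want to close the gap described above, here is an added example (not from the original post, and not the hosting company’s actual configuration) of what the fix looks like in a php-fpm pool file: the shared, unconfined pool that lets every customer’s PHP run as the unjailed web user, beside a per-customer pool confined to that customer’s own account. It assumes PHP is served through php-fpm behind nginx; the pool and account names are placeholders.

```ini
; php-fpm pool configuration, weak layout beside the hardened one.
; Added example, not the original post's or the host's own config; names are assumed.

; --- Weak: one pool for every customer, running as the unjailed web user ----------
[www]
user = nobody
group = nobody
listen = /run/php-fpm/www.sock
; No chroot, no open_basedir, no disabled exec functions: any customer's PHP page
; can shell out to ps/top and read /etc/passwd, so every UID resolves to a login name.

; --- Hardened: one pool per customer, confined to that customer's own account -----
[customer_a]
user = customer_a               ; the same jailed account the customer uses for SSH/FTP
group = customer_a
listen = /run/php-fpm/customer_a.sock
listen.owner = nginx            ; only the web front end needs to reach the socket
listen.group = nginx
listen.mode = 0660
; Filesystem confinement: scripts cannot open files outside the customer's own tree
php_admin_value[open_basedir] = /home/customer_a/public_html:/home/customer_a/tmp
php_admin_value[upload_tmp_dir] = /home/customer_a/tmp
php_admin_value[session.save_path] = /home/customer_a/tmp
; Remove the primitive the write-up relied on: running a system command from a PHP page
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_flag[allow_url_include] = off
; Optional: chroot the workers so the host's /etc/passwd is not visible at all
; (the jail must then carry the libraries and binaries PHP needs)
;chroot = /home/customer_a
```

The per-user pool removes the unjailed “nobody” path, but the UID listing the jailed SSH session still showed is a /proc visibility issue: on Linux, mounting /proc with `hidepid=2` (`mount -o remount,hidepid=2 /proc`) keeps an unprivileged account from seeing other users’ processes at all.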