mailing list archives
RE: Invision Vulnerabilities, including remote code execution
From: "Mike Weller" <mike () we11er co uk>
Date: Wed, 26 Apr 2006 22:46:37 +0100
From: Steven M. Christey [mailto:coley () mitre org]
Sent: 26 April 2006 20:41
To: bugtraq () securityfocus com
Subject: Re: Invision Vulnerabilities, including remote code execution
sources/action_public/search.php line 1261 $this->output =
selected='selected'", $this->output );
an #e modifier is added and then %00 used which will be parsed as a
null byte and truncate the string thus removing the original
This is a very interesting bug: modifying a regular
expression in a way that accesses the execution functionality.
In general, regexp hacking seems to be a fruitful area for research.
As another example, null characters have been used to bypass
security-relevant regexp checks.
Indeed. Invision is (to be frank) an appalling example of handling user
input. Posts go through a plethora of regexes, and there are
canonicalization issues all over the place with html and url escaped codes
(&#...; and %xx) being decoded where they shouldn't be decoded. Posts go
through numerous conversions on their way in to the database (where they are
mixed with HTML) and also on their way out, opening up a whole range of
One example of this (that should work in current versions) is to insert the
following code into a new post:
Decoded this is:
Somewhere in the source of IPB, this is decoded and ends up in the resulting
Another problem is PHP's strings. All sorts of strange and wonderful things
happen when you start inserting line breaks, nulls, and backspaces (\x08).
I think an important area of development for modern web languages would be
to mark strings as being 'safe' (escaped) or not... and making it as hard as
possible for a programmer to use unsafe strings. I've even written a short
page describing an idea for a PHP class that should help developers avoid
issues with sanitation/escaping:
As "input validation" becomes more frequent, it seems likely
that these kinds of vulns will be introduced more often.
Other languages with rich regexp capabilities might be
subject to similar issues.