Invision Iframe Bug

["Woody" <woody () woodys-software com>]

Hi,

I've found a bug in Invision Board, it let's you send private messages
around, change people their signature, avatar, etc.

If the administrator doesn't filter all the html tags on a forum (or just
forgets, which is often the case) you can add an invisible iframe to your
post. Now if you just figure out how invision board sends for example a
private message, you can let people send one to someone.

Example:


<iframe id="frame1" name="frame1" frameborder=0 width=0 height=0
src="http://www.website.com/forums/index.php?act=Msg&CODE=04&MODE=1&entered_name=Woody&msg_title=hi&Post=I%20love%20you!";>
</iframe>

Every person who would view the post would send Woody a private message
(message: I love you, subject: hi). They wouldn't know it happened because
the iframe is invisible.

You just have to figure out how IB works. This bug CAN NOT change
passwords, email addresses or let an administrator do stuff. It's pretty
harmless really. I guess all versions are "affected" because it just
depends on the administrator of the forum.

Woody
woodys-software.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/