invisionPB.txt

invisionPB.txt: Posted Feb 28, 2004; Authored by Knight Commander | Site security.com.vn; Invision Power Board is susceptible to a SQL injection vulnerability in its search.php script.; tags | exploit, php, sql injection; SHA-256 | d8c4c4a478f2f5a37f2f0b0241c4cc23ec20627875f2ca4105794ca7d97cd20a; Download | Favorite | View

invisionPB.txt



    Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions 
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@yahoo.com
Vulnerability discovered : 12/2003
Public disclosure   : 04/2004 


--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.

Vulnerable code :
--------------------------------------
  
      if (isset($ibforums->input['st']) )
      {
        $this->first = $ibforums->input['st'];
      }
----------------------------------------

-SQL query

-----------------------------------------

if ($this->search_in == 'titles')
  {
    $this->output .= $this->start_page($topic_max_hits, 1);
                  
    $DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t
                LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
                LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
                WHERE t.tid IN(0{$topics}-1)
                ORDER BY p.post_date DESC
                LIMIT ".$this->first.",25");
  }
------------------------------------------
another:


if ($this->search_in == 'titles')
  {
    $this->output .= $this->start_page($topic_max_hits);
    $DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
            FROM ibf_topics t, ibf_forums f
             WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
            ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
            LIMIT ".$this->first.",25");
  }

--------------------------------------------------------------

 
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/* 

++SOLUTIONS:
In search.php: 
* Replace: 
--------------------------------------------
  if (isset($ibforums->input['st']) )
      {
        $this->first = $ibforums->input['st'];
      }
---------------------------------------------
By:
----------------------------------------------
  if (isset($ibforums->input['st']) )
      {
        $this->first = intval($ibforums->input['st']);
      }
-------------------------------------------------
The Invision Power Services was notified! 
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +

Top Authors In Last 30 Days

Red Hat 223 files
indoushka 170 files
Jay Turla 150 files
Ubuntu 79 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,177)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,794)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,845)
UNIX (9,454)
UnixWare (188)
Windows (6,771)
Other

invisionPB.txt

invisionPB.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

invisionPB.txt

Share This

invisionPB.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems