Invision Power Board SQL injection!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


		Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions 
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@yahoo.com
Vulnerability discovered : 12/2003
Public disclosure	 : 04/2004 


--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.

Vulnerable code :
--------------------------------------
	
    	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
----------------------------------------

-SQL query

-----------------------------------------

if ($this->search_in == 'titles')
	{
	  $this->output .= $this->start_page($topic_max_hits, 1);
			            
		$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
		            FROM ibf_topics t
		            LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
		            LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
		            WHERE t.tid IN(0{$topics}-1)
		            ORDER BY p.post_date DESC
		            LIMIT ".$this->first.",25");
	}
------------------------------------------
another:


if ($this->search_in == 'titles')
	{
		$this->output .= $this->start_page($topic_max_hits);
		$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
  			    FROM ibf_topics t, ibf_forums f
   			    WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
  			    ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
  			    LIMIT ".$this->first.",25");
	}

--------------------------------------------------------------

 
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/* 

++SOLUTIONS:
In search.php: 
* Replace: 
--------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
---------------------------------------------
By:
----------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = intval($ibforums->input['st']);
    	}
-------------------------------------------------
The Invision Power Services was notified! 
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux