This issue appears to be a rediscovery of a Bugtraq post by Alexander Anisimov on November 18, 2004: [MaxPatrol] SQL-injection in Invision Power Board 2.x http://www.securityfocus.com/archive/1/381503 1) Both inject the SQL into the "qpid" parameter 2) Both deal with the "post" action ("act=Post") in index.php 3) The vendor fixed the issue as identified in the following forum post: http://forums.invisionpower.com/index.php?showtopic=154916 - Steve
