Hello rst, I got this from your website a couple of days ago. It does NOT work on any 2.1.6 board I have here, even a vanilla default install. Can anyone please confirm this working on 2.1.6?? I removed their "phone home", and added a user-agent string, in their exploit.

Friday, July 14, 2006, 5:38:11 AM, you wrote:

> RST/GHC advisory#41
> Product: Invision Power Board
> Version: 2.1 <= 2.1.6
> Vendor: INVISION Power Service
> URL: http://www.invisionpower.com
> VULNERABILITY CLASS: SQL injection
>
> [Product Description]
> Invision Power Board, an award-winning scalable bulletin board
> system, written in PHP, uses an SQL database.
> "Invision Power Board is packed with useful features that enable
> you to quickly and painlessly configure and manage every aspect of your board."
>
> [Summary]
> Insufficient sanitizing of user-dependent data in the HTTP header may lead to an SQL injection attack.
>
> [Details]
> Data from the HTTP variable CLIENT_IP is put directly into an SQL statement:
>
> [code] /sources/ipsclass.php
> // First non-empty candidate wins; HTTP_CLIENT_IP is a client-supplied header
> $addrs[] = $_SERVER['HTTP_CLIENT_IP'];
> $addrs[] = $_SERVER['REMOTE_ADDR'];
> $addrs[] = $_SERVER['HTTP_PROXY_USER'];
> foreach ( $addrs as $ip )
> {
>     if ( $ip )
>     {
>         $this->ip_address = $ip;
>         break;
>     }
> }
> [/code]
>
> [code] /sources/classes/class_session.php
> if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
> {
>     // ip_address is concatenated into the WHERE clause without escaping
>     $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
> }
> $this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
>                                              'from'   => 'sessions',
>                                              'where'  => "id='".$session_id."'".$query));
> [/code]
>
> [Exploit]
> http://rst.void.ru/download/r57ipb216gui.txt
>
> [Bugfix]
> Upgrade to 2.1.7 version
>
> [Credits]
> 1dt.w0lf
> RST/GHC
> http://rst.void.ru
> http://ghc.ru

--
Best regards,
paul mailto:dansing@xxxxxxxxxxxxx
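The defect the quoted advisory describes is a client-controlled header flowing unvalidated into a concatenated WHERE clause. As an added example (not IPB's code and not the advisory's exploit), the same lookup written defensively in PHP: the address is validated as an IP literal before use, and the session query binds it as a parameter. Function names, the `trust_proxy_headers` flag and the SQLite demo table are assumptions; it needs the pdo_sqlite extension.

```php
<?php
// Resolve the client address as the advisory's code does, but validate it.
// Proxy headers are attacker-controlled; only REMOTE_ADDR is set by the server,
// so the header is consulted only when the deployment explicitly trusts it.
function resolve_client_ip(array $server, bool $trust_proxy_headers = false): string
{
    $candidates = [];
    if ($trust_proxy_headers) {
        $candidates[] = $server['HTTP_CLIENT_IP'] ?? '';
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        // Anything that is not a syntactically valid IPv4/IPv6 literal is dropped,
        // so quotes or other SQL metacharacters never reach the query at all.
        if ($ip !== '' && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0';
}

// Session lookup with the IP bound as a parameter instead of concatenated.
function load_session(PDO $db, string $session_id, string $ip, bool $match_ip): ?array
{
    $sql = 'SELECT id, member_id, running_time, location FROM sessions WHERE id = :id';
    $params = [':id' => $session_id];
    if ($match_ip) {
        $sql .= ' AND ip_address = :ip';
        $params[':ip'] = $ip;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: an in-memory table and a session from a documentation-range address.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT, member_id INT, running_time INT, location TEXT, ip_address TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc', 1, 0, 'idx', '203.0.113.7')");

// Constructed request: a forged, non-IP CLIENT_IP header containing a quote character.
$server = ['HTTP_CLIENT_IP' => "bogus'value", 'REMOTE_ADDR' => '203.0.113.7'];
$ip = resolve_client_ip($server, true);
var_dump($ip);
var_dump(load_session($db, 'abc', $ip, true));
var_dump(load_session($db, 'abc', '198.51.100.9', true));
```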