Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: hack2284.htm

Invision Power Board SQL injection!



Invision Power Board SQL injection!



		Invision Power Board SQL injection!



Program Name             : Invision Board Forum

Vulnerable Versions      : All versions 

Home Page                : http://www.invisionboard.com 

Author                   : Knight Commander (at http://security.com.vn) 

Email                    : knight4vn@yahoo.com 

Vulnerability discovered : 12/2003

Public disclosure	 : 04/2004 





--SQL Injection :



A vulnerability has been discovered in the "sources/search.php" file

that allows unauthorized users to inject SQL commands.



Vulnerable code :

--------------------------------------

	

    	if (isset($ibforums->input['st']) )

    	{

    		$this->first = $ibforums->input['st'];

    	}

----------------------------------------



-SQL query



-----------------------------------------



if ($this->search_in == 'titles')

	{

	  $this->output .= $this->start_page($topic_max_hits, 1);

			            

		$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name

		            FROM ibf_topics t

		            LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)

		            LEFT JOIN ibf_forums f ON (f.id=t.forum_id)

		            WHERE t.tid IN(0{$topics}-1)

		            ORDER BY p.post_date DESC

		            LIMIT ".$this->first.",25");

	}

------------------------------------------

another:





if ($this->search_in == 'titles')

	{

		$this->output .= $this->start_page($topic_max_hits);

		$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name

  			    FROM ibf_topics t, ibf_forums f

   			    WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id

  			    ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."

  			    LIMIT ".$this->first.",25");

	}



--------------------------------------------------------------



 

++Exploit:

http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=sh ow&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/* 



++SOLUTIONS:

In search.php: 

* Replace: 

--------------------------------------------

	if (isset($ibforums->input['st']) )

    	{

    		$this->first = $ibforums->input['st'];

    	}

---------------------------------------------

By:

----------------------------------------------

	if (isset($ibforums->input['st']) )

    	{

    		$this->first = intval($ibforums->input['st']);

    	}

-------------------------------------------------

The Invision Power Services was notified! 

The new version will released soon!

-------------------------------------------------

Best Regard!

+ Knight Commander +


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH