BugTraq
Invision Power Board SQL injection! Feb 28 2004 01:53PM
Knight Commander (knight4vn yahoo com)


Invision Power Board SQL injection!

Program Name : Invision Board Forum

Vulnerable Versions : All versions

Home Page : http://www.invisionboard.com

Author : Knight Commander (at http://security.com.vn)

Email : knight4vn (at) yahoo (dot) com [email concealed]

Vulnerability discovered : 12/2003

Public disclosure : 04/2004

--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file that allows unauthorized users to inject SQL commands. The "st" (start offset) request parameter is copied from user input without validation and concatenated directly into the LIMIT clause of the search queries shown below.

Vulnerable code :

--------------------------------------
if (isset($ibforums->input['st']) )
{
    // 'st' is taken from the request as-is: no cast, no escaping
    $this->first = $ibforums->input['st'];
}
----------------------------------------

-SQL query :

-----------------------------------------
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits, 1);

    $DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t
                LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
                LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
                WHERE t.tid IN(0{$topics}-1)
                ORDER BY p.post_date DESC
                LIMIT ".$this->first.",25");   // $this->first is concatenated unescaped
}
------------------------------------------

Another instance in the same file :

--------------------------------------------------------------
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits);

    $DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t, ibf_forums f
                WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
                ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
                LIMIT ".$this->first.",25");   // same unescaped offset
}
--------------------------------------------------------------

++Exploit:

http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*

++SOLUTIONS:

In search.php:

* Replace:

--------------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = $ibforums->input['st'];
}
---------------------------------------------

with:

----------------------------------------------
if (isset($ibforums->input['st']) )
{
    // Cast to an integer so only a numeric offset can reach the LIMIT clause
    $this->first = intval($ibforums->input['st']);
}
-------------------------------------------------
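Added example, not part of the original advisory or of Invision Power Board's code: a small Python detector that flags search requests whose "st" parameter is not a plain non-negative integer (the same rule the intval() fix enforces), run over constructed access-log lines, plus a clamped equivalent of the fix for rebuilding the LIMIT clause. The log lines, IP addresses and session id are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Feb/2004:13:53:01 +0000] "GET /forum/index.php?act=Search&CODE=show&searchid=abc123&search_in=topics&st=20 HTTP/1.1" 200 5120
10.0.0.9 - - [28/Feb/2004:13:54:07 +0000] "GET /forum/index.php?act=Search&CODE=show&searchid=abc123&search_in=topics&st=20%2F* HTTP/1.1" 200 4210
10.0.0.7 - - [28/Feb/2004:13:55:22 +0000] "GET /forum/index.php?act=Search&CODE=show&st=0 HTTP/1.1" 200 3000
10.0.0.8 - - [28/Feb/2004:13:56:40 +0000] "GET /forum/index.php?act=Search&CODE=show&st=-1 HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
PLAIN_INT = re.compile(r"^\d+$")


def suspicious_requests(log_text):
    """Return (client ip, raw st value) for act=Search requests whose st is
    anything other than a plain non-negative integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("act", [""])[0].lower() != "search":
            continue
        for st in params.get("st", []):
            if not PLAIN_INT.match(st):
                hits.append((m.group("ip"), st))
    return hits


def safe_offset(raw):
    """Approximate PHP intval() on a string (leading integer, else 0), as in the
    advisory's fix, then clamp to >= 0: intval("-1") is -1, which would still
    put a negative offset into LIMIT."""
    m = re.match(r"^\s*[+-]?\d+", raw)
    value = int(m.group(0)) if m else 0
    return max(value, 0)


def build_limit(raw_st, page_size=25):
    """Rebuild the advisory's LIMIT clause from an untrusted st value."""
    return "LIMIT %d,%d" % (safe_offset(raw_st), page_size)
```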

Invision Power Services has been notified!

The new version will be released soon!

-------------------------------------------------

Best regards!

+ Knight Commander +

Copyright 2010, SecurityFocus