BugTraq
Back to list
|
Post reply
Invision Power Board 2.1 <= 2.1.6 sql injection
Jul 14 2006 12:38PM
rst ghc ru
(1 replies)
RST/GHC advisory#41
Product: Invision Power Board
Version: 2.1 <= 2.1.6
Vendor: INVISION Power Service
URL: http://www.invisionpower.com
VULNERABILITY CLASS: SQL injection
[Product Description]
Invision Power Board, an award-winning scaleable bulletin board system, written in PHP, uses SQL database.
"Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of your board."
[Summary]
Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL injection attack.
[Details]
Data from HTTP variable CLIENT_IP puts directly to sql statement:
[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
{
if ( $ip )
{
$this->ip_address = $ip;
break;
}
}
[/code]
[code] /sources/classes/class_session.php
if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
{
$query .= " AND ip_address='".$this->ipsclass->ip_address."'";
}
$this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
'from' => 'sessions',
'where' => "id='".$session_id."'".$query));
[/code]
[Exploit]
http://rst.void.ru/download/r57ipb216gui.txt
[Bugfix]
Upgrade to 2.1.7 version
[Credits]
1dt.w0lf
RST/GHC
http://rst.void.ru
http://ghc.ru
[ reply ]
Re: Invision Power Board 2.1 <= 2.1.6 sql injection
Jul 16 2006 12:46PM
paul dansing (dansing swissinfo org)
(1 replies)
Re: Invision Power Board 2.1 <= 2.1.6 sql injection
Jul 18 2006 06:03PM
str0ke (str0ke milw0rm com)
Privacy Statement
Copyright 2010, SecurityFocus
Product: Invision Power Board
Version: 2.1 <= 2.1.6
Vendor: INVISION Power Service
URL: http://www.invisionpower.com
VULNERABILITY CLASS: SQL injection
[Product Description]
Invision Power Board, an award-winning scaleable bulletin board system, written in PHP, uses SQL database.
"Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of your board."
[Summary]
Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL injection attack.
[Details]
Data from HTTP variable CLIENT_IP puts directly to sql statement:
[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
{
if ( $ip )
{
$this->ip_address = $ip;
break;
}
}
[/code]
[code] /sources/classes/class_session.php
if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
{
$query .= " AND ip_address='".$this->ipsclass->ip_address."'";
}
$this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
'from' => 'sessions',
'where' => "id='".$session_id."'".$query));
[/code]
[Exploit]
http://rst.void.ru/download/r57ipb216gui.txt
[Bugfix]
Upgrade to 2.1.7 version
[Credits]
1dt.w0lf
RST/GHC
http://rst.void.ru
http://ghc.ru
[ reply ]