BugTraq
Invision Power Board 2.1 <= 2.1.6 sql injection Jul 14 2006 12:38PM
rst ghc ru (1 replies)
Re: Invision Power Board 2.1 <= 2.1.6 sql injection Jul 16 2006 12:46PM
paul dansing (dansing swissinfo org) (1 replies)
Hello rst,

I got this from your website a couple of days ago. It does NOT work on any
2.1.6 board I have here, even a vanilla default install.

Can anyone please confirm this working on 2.1.6?

I removed their "phone home", and added a user-agent string, in their
exploit.

Friday, July 14, 2006, 5:38:11 AM, you wrote:

> RST/GHC advisory#41
> Product: Invision Power Board
> Version: 2.1 <= 2.1.6
> Vendor: INVISION Power Service
> URL: http://www.invisionpower.com
> VULNERABILITY CLASS: SQL injection

> [Product Description]
> Invision Power Board, an award-winning scaleable bulletin board
> system, written in PHP, uses SQL database.
> "Invision Power Board is packed with useful features that enable
> you to quickly and painlessly configure and manage every aspect of your board."

> [Summary]
> Insufficient sanitizing of the user-dependent data in an HTTP header may lead to an SQL injection attack.

> [Details]
> Data from the HTTP variable CLIENT_IP is put directly into the SQL statement:

> [code] /sources/ipsclass.php
> $addrs[] = $_SERVER['HTTP_CLIENT_IP'];
> $addrs[] = $_SERVER['REMOTE_ADDR'];
> $addrs[] = $_SERVER['HTTP_PROXY_USER'];
> foreach ( $addrs as $ip )
> {
> if ( $ip )
> {
> $this->ip_address = $ip;
> break;
> }
> }
> [/code]

> [code] /sources/classes/class_session.php
> if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
> {
> $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
> }

> $this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
> 'from' => 'sessions',
> 'where' => "id='".$session_id."'".$query));
> [/code]

> [Exploit]
> http://rst.void.ru/download/r57ipb216gui.txt

> [Bugfix]
> Upgrade to 2.1.7 version

> [Credits]
> 1dt.w0lf
> RST/GHC
> http://rst.void.ru
> http://ghc.ru

--
Best regards,
paul mailto:dansing (at) swissinfo (dot) org

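A hardened counterpart to the two snippets quoted in the advisory, as an added example that is not part of the original posts, not Invision Power Board's code, and not the vendor's 2.1.7 fix: each candidate address must parse as an IP literal, and the session lookup binds its values instead of concatenating them. The function names `pick_client_ip` and `find_session`, the use of PDO with an in-memory SQLite database (requires the pdo_sqlite extension), and all sample data are assumptions made for illustration.

```php
<?php
// Added example: function names are hypothetical, not IPB's own API.

// Header-derived values are client-controlled, so a candidate is accepted
// only if it parses as an IPv4/IPv6 literal. Order follows the quoted code.
function pick_client_ip(array $server): string
{
    $candidates = [
        $server['HTTP_CLIENT_IP'] ?? null,
        $server['REMOTE_ADDR'] ?? null,
        $server['HTTP_PROXY_USER'] ?? null,
    ];
    foreach ($candidates as $ip) {
        if (is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0'; // no usable address supplied
}

// Session lookup with bound parameters: neither the session id nor the
// address is ever spliced into the SQL text.
function find_session(PDO $db, string $sessionId, string $ip, bool $matchIp): ?array
{
    $sql = 'SELECT id, member_id, running_time, location FROM sessions WHERE id = :id';
    $params = [':id' => $sessionId];
    if ($matchIp) {
        $sql .= ' AND ip_address = :ip';
        $params[':ip'] = $ip;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data (not taken from any real board).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT, member_id INTEGER, running_time INTEGER, location TEXT, ip_address TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc123', 7, 1152880000, 'idx', '192.0.2.10')");

// Constructed request: the header is not an IP literal and contains a quote,
// so it is skipped and REMOTE_ADDR is used instead.
$server = ['HTTP_CLIENT_IP' => "not-an-ip' --", 'REMOTE_ADDR' => '198.51.100.5'];
$ip = pick_client_ip($server);
var_dump($ip);
var_dump(find_session($db, 'abc123', $ip, true));          // address differs from the stored one
var_dump(find_session($db, 'abc123', '192.0.2.10', true)); // address matches the stored one
```

Validation only keeps SQL metacharacters out of the address; a well-formed but spoofed `HTTP_CLIENT_IP` still passes, so the header should be honoured only when it is set by a trusted proxy.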
Re: Invision Power Board 2.1 <= 2.1.6 sql injection Jul 18 2006 06:03PM
str0ke (str0ke milw0rm com)