Invision Power Board SQL injection

2007.03.06
Credit: 1dt.w0lf
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

RST/GHC advisory#41 Product: Invision Power Board Version: 2.1 <= 2.1.6 Vendor: INVISION Power Service URL: http://www.invisionpower.com VULNERABILITY CLASS: SQL injection [Product Description] Invision Power Board, an award-winning scaleable bulletin board system, written in PHP, uses SQL database. "Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of your board." [Summary] Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL injection attack. [Details] Data from HTTP variable CLIENT_IP puts directly to sql statement: [code] /sources/ipsclass.php $addrs[] = $_SERVER['HTTP_CLIENT_IP']; $addrs[] = $_SERVER['REMOTE_ADDR']; $addrs[] = $_SERVER['HTTP_PROXY_USER']; foreach ( $addrs as $ip ) { if ( $ip ) { $this->ip_address = $ip; break; } } [/code] [code] /sources/classes/class_session.php if ( $this->ipsclass->vars['match_ipaddress'] == 1 ) { $query .= " AND ip_address='".$this->ipsclass->ip_address."'"; } $this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location', 'from' => 'sessions', 'where' => "id='".$session_id."'".$query)); [/code] [Exploit] http://rst.void.ru/download/r57ipb216gui.txt [Bugfix] Upgrade to 2.1.7 version [Credits] 1dt.w0lf RST/GHC http://rst.void.ru http://ghc.ru


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top