[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040228135319.13711.qmail@www.securityfocus.com>
Date: 28 Feb 2004 13:53:19 -0000
From: Knight Commander <knight4vn@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Invision Power Board SQL injection!
Invision Power Board SQL injection!
Program Name : Invision Board Forum
Vulnerable Versions : All versions
Home Page : http://www.invisionboard.com
Author : Knight Commander (at http://security.com.vn)
Email : knight4vn@...oo.com
Vulnerability discovered : 12/2003
Public disclosure : 04/2004
--SQL Injection :
A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.
Vulnerable code :
--------------------------------------
if (isset($ibforums->input['st']) )
{
$this->first = $ibforums->input['st'];
}
----------------------------------------
-SQL query
-----------------------------------------
if ($this->search_in == 'titles')
{
$this->output .= $this->start_page($topic_max_hits, 1);
$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
FROM ibf_topics t
LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
WHERE t.tid IN(0{$topics}-1)
ORDER BY p.post_date DESC
LIMIT ".$this->first.",25");
}
------------------------------------------
another:
if ($this->search_in == 'titles')
{
$this->output .= $this->start_page($topic_max_hits);
$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
FROM ibf_topics t, ibf_forums f
WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
LIMIT ".$this->first.",25");
}
--------------------------------------------------------------
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*
++SOLUTIONS:
In search.php:
* Replace:
--------------------------------------------
if (isset($ibforums->input['st']) )
{
$this->first = $ibforums->input['st'];
}
---------------------------------------------
By:
----------------------------------------------
if (isset($ibforums->input['st']) )
{
$this->first = intval($ibforums->input['st']);
}
-------------------------------------------------
The Invision Power Services was notified!
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +
Powered by blists - more mailing lists