lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040228135319.13711.qmail@www.securityfocus.com>
Date: 28 Feb 2004 13:53:19 -0000
From: Knight Commander <knight4vn@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Invision Power Board SQL injection!




		Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions 
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@...oo.com
Vulnerability discovered : 12/2003
Public disclosure	 : 04/2004 


--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.

Vulnerable code :
--------------------------------------
	
    	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
----------------------------------------

-SQL query

-----------------------------------------

if ($this->search_in == 'titles')
	{
	  $this->output .= $this->start_page($topic_max_hits, 1);
			            
		$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
		            FROM ibf_topics t
		            LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
		            LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
		            WHERE t.tid IN(0{$topics}-1)
		            ORDER BY p.post_date DESC
		            LIMIT ".$this->first.",25");
	}
------------------------------------------
another:


if ($this->search_in == 'titles')
	{
		$this->output .= $this->start_page($topic_max_hits);
		$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
  			    FROM ibf_topics t, ibf_forums f
   			    WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
  			    ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
  			    LIMIT ".$this->first.",25");
	}

--------------------------------------------------------------

 
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/* 

++SOLUTIONS:
In search.php: 
* Replace: 
--------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
---------------------------------------------
By:
----------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = intval($ibforums->input['st']);
    	}
-------------------------------------------------
The Invision Power Services was notified! 
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ