lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <676303568.20060716054639@swissinfo.org>
Date: Sun, 16 Jul 2006 05:46:39 -0700
From: paul dansing <dansing@...ssinfo.org>
To: bugtraq@...urityfocus.com
Subject: Re: Invision Power Board 2.1 <= 2.1.6 sql injection

Hello rst,

I got this from your website a couple of days ago. It does NOT work on any
2.1.6 board I have here, even a vanilla default install.

Can anyone please confirm this works on 2.1.6?

I removed their "phone home" and added a user-agent string in their
exploit.


Friday, July 14, 2006, 5:38:11 AM, you wrote:

> RST/GHC advisory#41
> Product: Invision Power Board 
> Version: 2.1 <= 2.1.6
> Vendor: INVISION Power Service
> URL: http://www.invisionpower.com
> VULNERABILITY CLASS: SQL injection


> [Product Description]
> Invision Power Board, an award-winning, scalable bulletin board
> system written in PHP, uses a SQL database.
> "Invision Power Board is packed with useful features that enable
> you to quickly and painlessly configure and manage every aspect of your board."

> [Summary]
> Insufficient sanitizing of user-dependent data in an HTTP header may lead to a SQL injection attack.

> [Details]
> Data from the HTTP variable CLIENT_IP is put directly into the SQL statement:

> [code] /sources/ipsclass.php
> $addrs[] = $_SERVER['HTTP_CLIENT_IP'];
> $addrs[] = $_SERVER['REMOTE_ADDR'];
> $addrs[] = $_SERVER['HTTP_PROXY_USER'];
> foreach ( $addrs as $ip )
>  {
>   if ( $ip )
>   {
>   $this->ip_address = $ip;
>   break;
>   }
>  }
> [/code]

> [code] /sources/classes/class_session.php
> if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
>  {
>  $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
>  }
>
> $this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
>                                              'from'   => 'sessions',
>                                              'where'  => "id='".$session_id."'".$query));
> [/code]

> [Exploit]
> http://rst.void.ru/download/r57ipb216gui.txt

> [Bugfix]
> Upgrade to version 2.1.7

> [Credits]
> 1dt.w0lf
> RST/GHC
> http://rst.void.ru
> http://ghc.ru



-- 
Best regards,
 paul                            mailto:dansing@...ssinfo.org
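The defect the quoted advisory describes, rendered in Python as an added example (not code from the advisory, from IPB, or from this thread): the "vulnerable" functions mirror the PHP logic shown above (first non-empty header wins, value concatenated into the SQL text), and the "hardened" ones validate the address and use a parameterised query. An in-memory sqlite3 table stands in for IPB's DB layer; the table, the header values and the session row are constructed for the demo.

```python
import ipaddress
import sqlite3

# Order in which ipsclass.php consults the sources. HTTP_* values arrive in
# request headers and are fully client-controlled; REMOTE_ADDR is the socket peer.
IP_SOURCES = ("HTTP_CLIENT_IP", "REMOTE_ADDR", "HTTP_PROXY_USER")

def pick_ip_vulnerable(server):
    """Mirror of the ipsclass.php loop: first non-empty value wins, unvalidated."""
    for key in IP_SOURCES:
        if server.get(key):
            return server[key]
    return ""

def build_query_vulnerable(session_id, ip_address, match_ipaddress=True):
    """Mirror of class_session.php: both values are spliced into the SQL text."""
    query = ""
    if match_ipaddress:  # vars['match_ipaddress'] == 1
        query += " AND ip_address='" + ip_address + "'"
    return ("SELECT id, member_id, running_time, location FROM sessions "
            "WHERE id='" + session_id + "'" + query)

def pick_ip_hardened(server):
    """Hardened: use only REMOTE_ADDR and require a syntactically valid IP.
    Client-IP style headers are only meaningful behind a trusted proxy,
    which this example does not assume."""
    try:
        return str(ipaddress.ip_address(server.get("REMOTE_ADDR", "")))
    except ValueError:
        return None

def lookup_session_hardened(conn, session_id, ip_address):
    """Hardened: bound parameters; the values never become part of the SQL."""
    return conn.execute(
        "SELECT id, member_id, running_time, location FROM sessions "
        "WHERE id=? AND ip_address=?", (session_id, ip_address)).fetchone()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id TEXT, member_id INTEGER, "
                 "running_time INTEGER, location TEXT, ip_address TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('abc', 7, 0, 'idx', '198.51.100.10')")
    # Constructed request: a Client-IP header carrying a stray quote character.
    server = {"HTTP_CLIENT_IP": "198.51.100.10'", "REMOTE_ADDR": "198.51.100.10"}
    raw_sql = build_query_vulnerable("abc", pick_ip_vulnerable(server))  # quote lands in SQL
    ip = pick_ip_hardened(server)                                         # header ignored
    row = lookup_session_hardened(conn, "abc", ip)
    return raw_sql, ip, row
```

Running `demo()` shows the raw header quote embedded verbatim in the vulnerable query string, while the hardened path resolves the peer address and still finds the session through the bound parameters.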

