Re: Multiple Vulnerabilities in Invision Power Board v1.3.1 Final.

[Hillel Himovich <hll () netvision net il>]

In-Reply-To: <000d01c44d68$51a14ec0$05a0968c@p42800mhz>

> Compromise:  SQL Injection, Cross site Scripting.
> Vulnerable Systems: Invision Power Board v1.3.1 Final.
> Details:
> An Input Validation Error exists in ssi.php.
>
> $sql_fields is vulnerable to An Input Validation Error.
> How to exploit this bug?
> http://TARGET/ssi.php?a=out&type=xml&f=0)[SQL-INJECTION]

I guss, you are reffering this line in the SQL Statment...
WHERE t.forum_id IN ($sql_fields)
I downloaded IPB 1.3.1 F and digiid for a fwe seconds, if you look a bit up in the code u'll see:

$f = intval($f);
        if ( $f )
                {
                        $forums[] = $f;
                }
...........
...........
$sql_fields = implode( ",", $forums );

intval, means that u can't enter string in the f field...