Bugtraq mailing list archives
Re: Invision Power Board 2.1 <= 2.1.6 sql injection
From: paul dansing <dansing () swissinfo org>
Date: Sun, 16 Jul 2006 05:46:39 -0700
Hello rst, i got this from your website couple days ago. it does NOT work on any 2.1.6 board i have here even vanilla default install. can anyone please confirm this working on 2.1.6?? i removed their "phone home", and added a user-agent string, in their exploit. Friday, July 14, 2006, 5:38:11 AM, you wrote:
RST/GHC advisory#41 Product: Invision Power Board Version: 2.1 <= 2.1.6 Vendor: INVISION Power Service URL: http://www.invisionpower.com VULNERABILITY CLASS: SQL injection
[Product Description] Invision Power Board, an award-winning scaleable bulletin board system, written in PHP, uses SQL database. "Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of your board."
[Summary] Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL injection attack.
[Details] Data from HTTP variable CLIENT_IP puts directly to sql statement:
[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
{
if ( $ip )
{
$this->ip_address = $ip;
break;
}
}
[/code]
[code] /sources/classes/class_session.php
if ( $this->>ipsclass->vars['match_ipaddress'] == 1 )
{
$query .= " AND ip_address='".$this->ipsclass->ip_address."'";
}
$this->>ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
'from' => 'sessions',
'where'
=> "id='".$session_id."'".$query));
[/code]
[Exploit] http://rst.void.ru/download/r57ipb216gui.txt
[Bugfix] Upgrade to 2.1.7 version
[Credits] 1dt.w0lf RST/GHC http://rst.void.ru http://ghc.ru
-- Best regards, paul mailto:dansing () swissinfo org
Current thread:
- Invision Power Board 2.1 <= 2.1.6 sql injection rst (Jul 15)
- Re: Invision Power Board 2.1 <= 2.1.6 sql injection paul dansing (Jul 18)
- Re: Invision Power Board 2.1 <= 2.1.6 sql injection str0ke (Jul 18)
- <Possible follow-ups>
- Re: Invision Power Board 2.1 <= 2.1.6 sql injection mattmecham (Jul 18)
- Re: Re: Invision Power Board 2.1 <= 2.1.6 sql injection paul14075 (Jul 18)
- Re: Invision Power Board 2.1 <= 2.1.6 sql injection paul dansing (Jul 18)