Lucene search
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.INVISION_POWER_BOARD_ST_SQL_INJECTION.NASLHistoryApr 11, 2005 - 12:00 a.m.
Invision Power Board index.php Members Action st Parameter SQL Injection
2005-04-1100:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com
18
A version of Invision Power Board installed on the remote host suffers from a SQL injection vulnerability due to its failure to sanitize user input via the ‘st’ parameter to the ‘index.php’ script. An attacker can take advantage of this flaw to inject arbitrary SQL statements into Invision Power Board, possibly even modifying the database.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(18011);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2005-1070");
script_bugtraq_id(13097);
script_name(english:"Invision Power Board index.php Members Action st Parameter SQL Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a SQL
injection vulnerability.");
script_set_attribute(attribute:"description", value:
"A version of Invision Power Board installed on the remote host suffers
from a SQL injection vulnerability due to its failure to sanitize user
input via the 'st' parameter to the 'index.php' script. An attacker
can take advantage of this flaw to inject arbitrary SQL statements
into Invision Power Board, possibly even modifying the database.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/395515");
script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:invisionpower:invision_power_board");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");
script_dependencies("invision_power_board_detect.nasl");
script_require_keys("www/invision_power_board");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Test an install.
install = get_kb_item(string("www/", port, "/invision_power_board"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
dir = matches[2];
# Try to exploit it.
w = http_send_recv3(method:"GET",
item:string(
dir, "/index.php?",
"act=Members&",
"max_results=30&",
"filter=1&",
"sort_order=asc&",
"sort_key=name&",
# nb: the 'st' parameter is used in a SELECT statement as the offset in
# a LIMIT clause so appending a '--' will cause a syntax error
# since it tells MySQL to ignore the rest of the statement.
"st=1--"
),
port:port
);
if (isnull(w)) exit(1, "The web server did not answer");
res = w[2];
if ("<title>Invision Power Board Database Error" >< res)
{
security_hole(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| invisionpower | invision_power_board | cpe:/a:invisionpower:invision_power_board |
Related for INVISION_POWER_BOARD_ST_SQL_INJECTION.NASL