Invision Power Board sources/post.php qpid Parameter SQL Injection

🗓️ 22 Nov 2004 00:00:00Reported by TenableType

Invision Power Board allows SQL injection via qpid parameter, risking database control.

Reporter	Title	Published	Views	Family All 5
Tenable Nessus	Invision PowerBoard < 2.0.3 SQL Injection	22 Nov 200400:00	–	nessus
CVE	CVE-2004-1531	19 Feb 200505:00	–	cve
Cvelist	CVE-2004-1531	19 Feb 200505:00	–	cvelist
EUVD	EUVD-2004-1525	7 Oct 202500:30	–	euvd
NVD	CVE-2004-1531	31 Dec 200405:00	–	nvd

Source	Link
seclists	www.seclists.org/bugtraq/2004/Nov/239
forums	www.forums.invisionpower.com/index.php
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(15778);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");

  script_cve_id("CVE-2004-1531");
  script_bugtraq_id(11703);

  script_name(english:"Invision Power Board sources/post.php qpid Parameter SQL Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is vulnerable to
a SQL injection attack.");
  script_set_attribute(attribute:"description", value:
"The version of Invision Power Board on the remote host suffers from a
flaw in 'sources/post.php' that allows injection of SQL commands into
the remote SQL database.  An attacker may use this flaw to gain
control of the remote database and possibly to overwrite files on the
remote host.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Nov/239");
  script_set_attribute(attribute:"see_also", value:"http://forums.invisionpower.com/index.php?showtopic=154916");
  script_set_attribute(attribute:"solution", value:
"Replace the 'sources/post.php' file with the one referenced in the
vendor advisory above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");

  script_dependencies("invision_power_board_detect.nasl");
  script_require_keys("www/invision_power_board");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);



# Test an install.
install = get_kb_item(string("www/", port, "/invision_power_board"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
 path = matches[2];

 w = http_send_recv3(method:"GET", item:string(path, "/index.php?act=Post&CODE=02&f=3&t=10&qpid=1'"), port:port);
 if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
 res = w[2];

 if ("mySQL query error: select p.*,t.forum_id FROM ibf_posts p LEFT JOIN ibf_topics t ON (t.tid=p.topic_id)" >< res)
 {
  security_hole(port);
   set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
 }
}

01 Jun 2022 00:00Current

6Medium risk

Vulners AI Score6

CVSS 27.5

EPSS0.01085