{"edition": 1, "title": "Invision Power Board memberlist.php st Variable SQL Injection", "bulletinFamily": "software", "published": "2005-04-09T02:24:48", "lastseen": "2017-04-28T13:20:11", "history": [], "modified": "2005-04-09T02:24:48", "reporter": "OSVDB", "hash": "eb492e5d6c1fec8fbf07bbcfc595df2bcc82f2f43f7680bd972834a9489a0318", "viewCount": 0, "href": "https://vulners.com/osvdb/OSVDB:15496", "description": "## Manual Testing Notes\nhttp://[victim]/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION\n## References:\nVendor URL: http://www.invisionboard.com/\nSecurity Tracker: 1013676\nOther Advisory URL: http://www.digitalparadox.org/advisories/inv.txt\nISS X-Force ID: 20059\n[CVE-2005-1070](https://vulners.com/cve/CVE-2005-1070)\nBugtraq ID: 13097\n", "affectedSoftware": [], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "e6d75b44621935cfc8b0f7e9bdb5d2f2"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "9c83c26bed06e2a9816f063e4d7a6200"}, {"key": "href", "hash": "69330f1c439a461dc04cd3eaa6467703"}, {"key": "modified", "hash": "b5cf117ba3a0e1e952898d890aeb1695"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "b5cf117ba3a0e1e952898d890aeb1695"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "3b8eb41870891708a431b7be83fdb315"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1070"]}, {"type": "nessus", "idList": ["INVISION_POWER_BOARD_ST_SQL_INJECTION.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:25380"]}], "modified": "2017-04-28T13:20:11"}, "vulnersScore": 7.5}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "cvelist": ["CVE-2005-1070"], "id": "OSVDB:15496"}

{"cve": [{"lastseen": "2017-07-11T11:14:51", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter.", "modified": "2017-07-10T21:32:31", "published": "2005-04-11T00:00:00", "id": "CVE-2005-1070", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1070", "title": "CVE-2005-1070", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T01:14:37", "bulletinFamily": "exploit", "description": "Invision Power Board 1.x ST Parameter SQL Injection Vulnerability. CVE-2005-1070. Webapps exploit for php platform", "modified": "2005-04-11T00:00:00", "published": "2005-04-11T00:00:00", "id": "EDB-ID:25380", "href": "https://www.exploit-db.com/exploits/25380/", "type": "exploitdb", "title": "Invision Power Board 1.x ST Parameter SQL Injection Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/13097/info\r\n\r\nInvision Power Board is reported prone to an SQL injection vulnerability. Due to improper filtering of user-supplied data, attackers may pass SQL statements to the underlying database through the 'st' parameter.\r\n\r\nInvision Power Board 1.3.1 and prior versions are affected by this issue. \r\n\r\nhttp://www.example.com/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25380/"}], "nessus": [{"lastseen": "2019-02-21T01:08:31", "bulletinFamily": "scanner", "description": "A version of Invision Power Board installed on the remote host suffers from a SQL injection vulnerability due to its failure to sanitize user input via the 'st' parameter to the 'index.php' script. An attacker can take advantage of this flaw to inject arbitrary SQL statements into Invision Power Board, possibly even modifying the database.", "modified": "2018-11-15T00:00:00", "id": "INVISION_POWER_BOARD_ST_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18011", "published": "2005-04-11T00:00:00", "title": "Invision Power Board index.php Members Action st Parameter SQL Injection", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(18011);\n script_version(\"1.17\");\n\n script_cve_id(\"CVE-2005-1070\");\n script_bugtraq_id(13097);\n\n script_name(english:\"Invision Power Board index.php Members Action st Parameter SQL Injection\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by a SQL\ninjection vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A version of Invision Power Board installed on the remote host suffers\nfrom a SQL injection vulnerability due to its failure to sanitize user\ninput via the 'st' parameter to the 'index.php' script. An attacker\ncan take advantage of this flaw to inject arbitrary SQL statements\ninto Invision Power Board, possibly even modifying the database.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/395515\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:W/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/04/09\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:invisionpower:invision_power_board\");\nscript_end_attributes();\n \n script_summary(english:\"Checks for st parameter SQL injection vulnerability in Invision Power Board\");\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"invision_power_board_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/invision_power_board\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/invision_power_board\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit it.\n w = http_send_recv3(method:\"GET\",\n item:string(\n dir, \"/index.php?\",\n \"act=Members&\", \n \"max_results=30&\",\n \"filter=1&\",\n \"sort_order=asc&\",\n \"sort_key=name&\",\n # nb: the 'st' parameter is used in a SELECT statement as the offset in\n # a LIMIT clause so appending a '--' will cause a syntax error\n # since it tells MySQL to ignore the rest of the statement.\n \"st=1--\"\n ),\n port:port\n );\n if (isnull(w)) exit(1, \"The web server did not answer\");\n res = w[2];\n\n if (\"<title>Invision Power Board Database Error\" >< res) \n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}