Invision Power Board ipchat.php username SQL Injection

2003-07-11T00:00:00
ID OSVDB:3361
Type osvdb
Reporter OSVDB
Modified 2003-07-11T00:00:00

Description

Vulnerability Description

Invision Power Board contains a flaw that allows a remote attacker to inject arbitrary script that can be executed on a remote site. The issue is due to poor sanity checking of the "username" variable in the ipchat.php script.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Invision Power Services has released a patch to address this vulnerability.


References:

Vendor URL: http://www.invisionboard.com/
Vendor Specific Solution URL: http://www.invisionboard.com/downloads/chat.zip
Secunia Advisory ID: 9266
Other Advisory URL: http://www.websec.org/adv/invision.txt.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-07/0136.html
ISS X-Force ID: 12587
Bugtraq ID: 8165