invisionPB.txt

2004-02-28T00:00:00
ID PACKETSTORM:32786
Type packetstorm
Reporter Knight Commander
Modified 2004-02-28T00:00:00

Description

                                        
                                            `  
  
Invision Power Board SQL injection!  
  
Program Name : Invision Board Forum  
Vulnerable Versions : All versions   
Home Page : http://www.invisionboard.com  
Author : Knight Commander (at http://security.com.vn)  
Email : knight4vn@yahoo.com  
Vulnerability discovered : 12/2003  
Public disclosure : 04/2004   
  
  
--SQL Injection :  
  
A vulnerability has been discovered in the "sources/search.php" file  
that allows unauthorized users to inject SQL commands.  
  
Vulnerable code :  
--------------------------------------  
  
// Vulnerable assignment: the request-supplied 'st' (start offset) value is
// stored as-is, with no integer cast or validation. It is later concatenated
// into a LIMIT clause (see the search queries quoted below), which is where the
// injection happens.
if (isset($ibforums->input['st']) )  
{  
$this->first = $ibforums->input['st'];  
}  
----------------------------------------  
  
-SQL query  
  
-----------------------------------------  
  
// Title-search branch: emits the pagination header, then runs the topic query.
// Injection point: $this->first is string-concatenated into the LIMIT clause
// without escaping or an integer cast, so the raw 'st' request value reaches
// the SQL verbatim. Casting to int before the assignment is the fix.
// $topics is also interpolated into the IN() list; its origin is not shown in
// this excerpt, so whether it is already sanitised cannot be confirmed here.
if ($this->search_in == 'titles')  
{  
$this->output .= $this->start_page($topic_max_hits, 1);  
  
$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name  
FROM ibf_topics t  
LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)  
LEFT JOIN ibf_forums f ON (f.id=t.forum_id)  
WHERE t.tid IN(0{$topics}-1)  
ORDER BY p.post_date DESC  
LIMIT ".$this->first.",25");  
}  
------------------------------------------  
another:  
  
  
// Second title-search variant with the same injection point: $this->first is
// concatenated unescaped into the LIMIT clause.
// $this->sort_key and $this->sort_order are likewise concatenated into ORDER BY,
// and $topics into IN(); where those values come from is not shown in this
// excerpt, so they should be checked against their assignments as well.
if ($this->search_in == 'titles')  
{  
$this->output .= $this->start_page($topic_max_hits);  
$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name  
FROM ibf_topics t, ibf_forums f  
WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id  
ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."  
LIMIT ".$this->first.",25");  
}  
  
--------------------------------------------------------------  
  
  
++Exploit:  
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*   
  
++SOLUTIONS:  
In search.php:   
* Replace:   
--------------------------------------------  
// Original (vulnerable) assignment to be replaced: the 'st' request value is
// stored without an integer cast and later concatenated into a LIMIT clause.
if (isset($ibforums->input['st']) )  
{  
$this->first = $ibforums->input['st'];  
}  
---------------------------------------------  
By:  
----------------------------------------------  
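// Fixed assignment: coerce the request-supplied 'st' offset to a non-negative
// integer before it is concatenated into the LIMIT clause. intval() drops any
// non-numeric trailing text, which is what closes the injection; max(0, ...)
// additionally keeps a negative value from producing an invalid LIMIT offset.
if (isset($ibforums->input['st']) )  
{  
$this->first = max(0, intval($ibforums->input['st']));  
}  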
-------------------------------------------------  
Invision Power Services has been notified!   
The new version will be released soon!  
-------------------------------------------------  
Best regards!  
+ Knight Commander +  
`