invision131sql.txt

2005-04-18T00:00:00
ID PACKETSTORM:37146
Type packetstorm
Reporter Diabolic Crab
Modified 2005-04-18T00:00:00

Description

  
Dcrab's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
  
Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to an SQL injection vulnerability [PATCH INCLUDED]
Date: 09/04/2005

Vendor: Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to an SQL injection vulnerability caused by missing validation of the input that ends up in the $this->first variable.
  
  
**********************************************************************************************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc.
Learn more at http://www.digitalparadox.org/services.ah
**********************************************************************************************************
  
Proof of Concept Exploit:

http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION
  
**************
Patch info
**************
A patched version of the vulnerable file can be found at
http://www.digitalparadox.org/memberlist.txt
Replace /uploads/sources/memberlist.php with it and the issue is fixed.
  
Alternatively, a simple patch is the following.

In /uploads/sources/memberlist.php, on line 274, add this code:
[CODE BEGINS]

// reject anything that is not numeric before it reaches the query
if (!is_numeric($this->first)) {
    $this->first = "0";
}

[CODE ENDS]
  
So it should finally look like this:
[CODE BEGINS]

$this->output .= $this->html->Page_header( array( 'SHOW_PAGES' => $links) );

//-----------------------------
// START THE LISTING
//-----------------------------
// reject anything that is not numeric before it reaches the query
if (!is_numeric($this->first)) {
    $this->first = "0";
}

$DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email, m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions
// ... (remainder of the existing query unchanged)

[CODE ENDS]
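As an added example (not code from the advisory or from Invision Power Services, written for PHP 7 or later), the advisory's is_numeric() guard is shown next to a stricter integer-only guard, both run over constructed sample values for the st parameter that feeds $this->first. The function names, the shape of the LIMIT clause and the sample values are assumptions.

```php
<?php
// Added example, not from the advisory or from Invision Power Services.
// It compares the advisory's is_numeric() guard with a stricter
// integer-only guard for the listing start offset ($this->first, reached
// via the st parameter). Function names and the LIMIT shape are assumptions.

// The advisory's guard: whatever is_numeric() accepts passes through as-is.
function guard_advisory(string $first): string
{
    if (!is_numeric($first)) {
        $first = "0";
    }
    return $first;
}

// Stricter guard: only a plain run of digits is accepted, and the result
// is an int, so the value can never be anything but a non-negative offset.
// Exponent forms ("1e3"), leading whitespace and negative numbers all
// satisfy is_numeric() but are rejected here instead of reaching the query.
function guard_strict(string $first, int $max = 1000000): int
{
    if (!preg_match('/^\d{1,9}$/', $first)) {
        return 0;
    }
    return min((int) $first, $max);
}

// The paging clause is built only from an already-sanitised int.
function limit_clause(int $start, int $perPage = 30): string
{
    return sprintf("LIMIT %d, %d", $start, $perPage);
}

// Constructed sample values for the st parameter, as a defender would
// see them in request logs.
$samples = ["30", "1e3", " 30", "-5", "30 SQL_INJECTION", ""];
foreach ($samples as $s) {
    printf("%-22s advisory guard: %-8s strict guard: %d\n",
        var_export($s, true),
        var_export(guard_advisory($s), true),
        guard_strict($s));
}
echo limit_clause(guard_strict("30")), "\n";
```

The table it prints makes the difference visible: the strict guard maps every input that is not a clean digit string to 0, while the advisory's guard still lets values such as "1e3" or "-5" through to the database.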
  
  
Keep yourself updated; RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel
free to contact me regarding these vulnerabilities. You can find me at
http://www.hackerscenter.com or http://digitalparadox.org/.
Look out for my forthcoming book on secure coding with PHP.
  
  
  
Diabolic Crab
Web Security, Research & Development
dP Security
email: dcrab@digitalparadox.org
website: www.digitalparadox.org
  
This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure.
If you have received it by mistake please let us know by e-mail
immediately and delete it from your system; you should also not copy
the message nor disclose its contents to anyone. Many thanks.
  
  