Invision Power Board SQL Injection Vuln [ All Versions ]

2003-12-17T00:00:00
ID SECURITYVULNS:DOC:5536
Type securityvulns
Reporter Securityvulns
Modified 2003-12-17T00:00:00

Description

Vendor : Invision Power Services URL : http://www.invisionpower.com Version : All Versions Up To v2.0 Alpha 3 Risk : SQL Injection Vulnerability

Description: Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world.

Problem: Invision Power Board is vulnerable to an SQL Injection Vulnerability. All versions up to 2.0 Alpha 3 seem to be affected. Below is an example URL to test if you are vulnerable.

/index.php?showforum=1&prune_day=100&sort_by=Z-A&sort_key=[Problem_is_here]

If you are vulnerable (you should be) you will see an error message similar to the one posted below. The only requirement is to know a valid forum number and to have read access to that forum (must be able to view it).

Begin Error Message

mySQL query error: SELECT * from ibf_topics WHERE forum_id=2 and approved=1 and (last_post > 0 OR pinned=1) ORDER BY pinned DESC, [Problem_is_here] DESC LIMIT 0,15

mySQL error: You have an error in your SQL syntax near '[Problem_is_here] DESC LIMIT 0,15' at line 1

mySQL error code: Date: Saturday 13th of December 2003 01:25:30 AM


Solution: Invision Power Services have released a fix for this. You can view the forum post

http://forums.invisionpower.com/index.php?showtopic=106774&st=0&#entry762426

Or go straight to the download page.

http://www.invisionboard.com/download/index.php?act=dl&s=1&id=12&p=1

Credits: Credits go to JeiAr of the GulfTech Security Research Team. http://www.gulftech.org