Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability [PATCH INCLUDED]

2005-04-12T00:00:00
ID SECURITYVULNS:DOC:8291
Type securityvulns
Reporter Securityvulns
Modified 2005-04-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Dcrab 's Security Advisory (http://www.digitalparadox.org/services.ah) [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/

Severity: Medium Title: Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability [PATCH INCLUDED] Date: 09/04/2005

Vendor: Invision Invision Power Services Vendor Website: http://www.invisionboard.com/ Summary: Invision board 1.3.1 and lower are vulnerable to a sql injection vulnerability which is caused by the non validation of input in the $this->first variable


Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah


Proof of Concept Exploit:

http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION


Patch info


A patched version of the vulnerable file can be found at, http://www.digitalparadox.org/memberlist.txt Just replace /uploads/sources/memberlist.php with this, and it will be fixed.

A simple patch can be,

In /uploads/sources/memberlist.php on Line 274 add this code [CODE BEGINS]

                      if (!is_numeric($this->first)) {
                      $this->first = "0";
                      }

                                  [CODE ENDS]

So it should finally look like, [CODE BEGINS]

            $this->output .= $this->html->Page_header( array( 'SHOW_PAGES' => $links) );

            //-----------------------------
            // START THE LISTING
            //-----------------------------
                      if (!is_numeric($this->first)) {
                      $this->first = "0";
                      }

            $DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title,

m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions

                                  [CODE ENDS]

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.

-----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj hAJ8nVzhK+VIlL4iPxDJRh02 =n3TC -----END PGP SIGNATURE-----