'Invision Power Board SQL injection!'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Invision Power Board SQL injection!
From:       Knight Commander <knight4vn () yahoo ! com>
Date:       2004-02-28 13:53:19
Message-ID: 20040228135319.13711.qmail () www ! securityfocus ! com
[Download RAW message or body]



		Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions 
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@yahoo.com
Vulnerability discovered : 12/2003
Public disclosure	 : 04/2004 


--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.

Vulnerable code :
--------------------------------------
	
    	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
----------------------------------------

-SQL query

-----------------------------------------

if ($this->search_in == 'titles')
	{
	  $this->output .= $this->start_page($topic_max_hits, 1);
			            
		$DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, \
f.id as forum_id, f.name as forum_name  FROM ibf_topics t
		            LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
		            LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
		            WHERE t.tid IN(0{$topics}-1)
		            ORDER BY p.post_date DESC
		            LIMIT ".$this->first.",25");
	}
------------------------------------------
another:


if ($this->search_in == 'titles')
	{
		$this->output .= $this->start_page($topic_max_hits);
		$DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
  			    FROM ibf_topics t, ibf_forums f
   			    WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
  			    ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
  			    LIMIT ".$this->first.",25");
	}

--------------------------------------------------------------

 
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL \
code]/* 

++SOLUTIONS:
In search.php: 
* Replace: 
--------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = $ibforums->input['st'];
    	}
---------------------------------------------
By:
----------------------------------------------
	if (isset($ibforums->input['st']) )
    	{
    		$this->first = intval($ibforums->input['st']);
    	}
-------------------------------------------------
The Invision Power Services was notified! 
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic