Invision Power Board Input Validation Flaw in 'search.php' Permits SQL Injection
SecurityTracker Alert ID: 1009257
CVE Reference: CAN-2004-0338
Updated: Mar 23 2004
Original Entry Date: Feb 28 2004
Impact: Disclosure of user information, Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 1.3
Description: An input validation vulnerability was reported in Invision Power Board in 'sources/search.php'. A remote user can inject SQL commands.
Knight Commander reported that the 'search.php' script does not properly validate user-supplied input in the 'st' parameter. A remote user can submit a specially crafted URL to execute arbitrary SQL commands on the underlying database.
A demonstration exploit URL is provided:
http://[target]/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*
The vendor has reportedly been notified.
Impact: A remote user can execute SQL commands on the underlying database.
Solution: No solution was available at the time of this entry. The vendor is reportedly working on a fix.
The author of the report has provided an unofficial fix, available in the Source Message.
Vendor URL: www.invisionboard.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Knight Commander <knight4vn@yahoo.com>
Message History:
None.
Source Message Contents
Date: 28 Feb 2004 13:53:19 -0000
From: Knight Commander <knight4vn@yahoo.com>
Subject: Invision Power Board SQL injection!
Invision Power Board SQL injection!
Program Name : Invision Board Forum
Vulnerable Versions : All versions
Home Page : http://www.invisionboard.com
Author : Knight Commander (at http://security.com.vn)
Email : knight4vn@yahoo.com
Vulnerability discovered : 12/2003
Public disclosure : 04/2004
--SQL Injection :
A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.
Vulnerable code :
--------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = $ibforums->input['st'];
}
----------------------------------------
-SQL query
-----------------------------------------
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits, 1);
    $DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t
                LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
                LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
                WHERE t.tid IN(0{$topics}-1)
                ORDER BY p.post_date DESC
                LIMIT ".$this->first.",25");
}
------------------------------------------
another:
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits);
    $DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t, ibf_forums f
                WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
                ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
                LIMIT ".$this->first.",25");
}
--------------------------------------------------------------
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*
++SOLUTIONS:
In search.php:
* Replace:
--------------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = $ibforums->input['st'];
}
---------------------------------------------
By:
----------------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = intval($ibforums->input['st']);
}
-------------------------------------------------
Invision Power Services was notified!
The new version will be released soon!
-------------------------------------------------
Best Regards!
+ Knight Commander +
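As an added example (not part of the SecurityTracker entry, not Knight Commander's report, and not Invision Power Board's own code), the Python below models the two things the report describes: how the vulnerable search.php concatenates the raw 'st' value straight into the LIMIT clause, and how the proposed intval() fix stops anything but an integer from reaching the query. It also runs a small scan over access-log lines that flags Search requests whose 'st' parameter is not a plain unsigned integer, which is what a forum operator would want while waiting for the vendor patch. All function names, the php_intval helper (an approximation of PHP's intval() on strings), the sample log lines, hosts, timestamps and session ids are constructed for this illustration and are not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# --- Query construction ---------------------------------------------------

def vulnerable_limit_clause(st: str) -> str:
    """Mirror of the flawed search.php pattern: the raw 'st' value is
    concatenated into the SQL text, so anything after the number lands
    in the query unchanged."""
    return "LIMIT " + st + ",25"


def php_intval(value: str) -> int:
    """Approximation of PHP's intval() on a string (hypothetical helper
    written for this example): keep the leading optional sign and digits,
    anything else yields 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group(0)) if m else 0


def hardened_limit_clause(st: str) -> str:
    """Equivalent of the reporter's unofficial fix: intval() discards any
    trailing text, so only an integer reaches the LIMIT clause."""
    return f"LIMIT {php_intval(st)},25"


def strict_offset(st: str, max_offset: int = 100_000) -> int:
    """Stricter variant: accept only an unsigned decimal string within a
    sane range and reject everything else, so a malformed 'st' raises an
    error that can be logged instead of silently becoming 0."""
    if not re.fullmatch(r"\d{1,6}", st):
        raise ValueError(f"invalid start offset: {st!r}")
    offset = int(st)
    if offset > max_offset:
        raise ValueError(f"start offset too large: {offset}")
    return offset


# --- Detection over access logs -----------------------------------------

# Constructed Apache-style log lines; hosts, session ids and timestamps
# are made up for this example and do not come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Feb/2004:13:53:19 +0000] "GET /forum/index.php?act=Search&nav=lv&CODE=show&searchid=abc123&search_in=topics&result_type=topics&hl=&st=20 HTTP/1.1" 200 5120
10.0.0.9 - - [28/Feb/2004:13:54:02 +0000] "GET /forum/index.php?act=Search&nav=lv&CODE=show&searchid=abc123&search_in=topics&result_type=topics&hl=&st=20%2F* HTTP/1.1" 200 4870
10.0.0.7 - - [28/Feb/2004:13:55:10 +0000] "GET /forum/index.php?showtopic=42 HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_st_requests(log_text: str) -> list:
    """Return Search requests whose 'st' parameter is not a plain unsigned
    integer, the only shape search.php should ever accept for it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query,
                          keep_blank_values=True)
        if params.get("act", [""])[0].lower() != "search":
            continue
        for st in params.get("st", []):   # parse_qs already URL-decodes
            if not re.fullmatch(r"\d+", st):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "st": st})
    return hits


if __name__ == "__main__":
    tainted = "20/*"
    print(vulnerable_limit_clause(tainted))   # LIMIT 20/*,25
    print(hardened_limit_clause(tainted))     # LIMIT 20,25
    for hit in suspicious_st_requests(SAMPLE_LOG):
        print("suspicious st from", hit["ip"], "at", hit["ts"], "->", repr(hit["st"]))
```

Two caveats the intval() fix leaves open are worth noting: a non-numeric 'st' silently becomes offset 0 rather than an error, and a negative value still passes intval() but is not a valid MySQL LIMIT offset, which is why strict_offset() accepts only unsigned digits and a bounded range. Because parse_qs decodes percent-encoding before the check runs, the scan catches encoded variants such as st=20%2F* as well as the literal form.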