RST/GHC advisory #41
Product: Invision Power Board
Version: 2.1 <= 2.1.6
Vendor: INVISION Power Service
URL: http://www.invisionpower.com
VULNERABILITY CLASS: SQL injection

[Product Description]
Invision Power Board, an award-winning scalable bulletin board system written in PHP, uses an SQL database.
"Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of your board."

[Summary]
Insufficient sanitising of user-controlled data in HTTP headers may lead to an SQL injection attack.

[Details]
Data from the Client-IP HTTP header ($_SERVER['HTTP_CLIENT_IP']) is placed directly into an SQL statement:

[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
{
    if ( $ip )
    {
        $this->ip_address = $ip;
        break;
    }
}
[/code]

[code] /sources/classes/class_session.php
if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
{
    $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
}

$this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
                                             'from'   => 'sessions',
                                             'where'  => "id='".$session_id."'".$query));
[/code]
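
The two fragments above form a single data flow: a request header that any client can set (Client-IP) is preferred over the server-assigned REMOTE_ADDR, and the chosen value is then concatenated into the WHERE clause of the session lookup. The following PHP is an added example written for this advisory, not Invision's code; the function names resolveClientIp, buildSessionQuery and lookupSession, the $trustedProxies parameter and the SQLite table layout are assumptions made for illustration. It shows the defensive counterpart of that flow: only honour the header when the TCP peer is a configured proxy and the value is a well-formed IP address, and bind the value as a query parameter so that it can never be parsed as SQL.

```php
<?php
// Added example (not IPB's code). Hardened version of the session/IP flow
// described in the advisory: validate before trusting, bind instead of concatenate.

/**
 * Pick the client address used for session matching.
 * REMOTE_ADDR is set by the web server; Client-IP is a request header that any
 * client can send, so it is honoured only when the peer is a known proxy
 * ($trustedProxies is an assumption for illustration) and the value is a valid IP.
 */
function resolveClientIp(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($remote, $trustedProxies, true)) {
        $hdr = $server['HTTP_CLIENT_IP'] ?? '';
        if (filter_var($hdr, FILTER_VALIDATE_IP) !== false) {
            return $hdr;
        }
    }
    return $remote;
}

/**
 * Build the session lookup as a prepared statement with named placeholders.
 * $matchIp mirrors the match_ipaddress setting from the advisory.
 * Returns [sql, params].
 */
function buildSessionQuery(string $sessionId, ?string $ip, bool $matchIp): array
{
    $sql    = 'SELECT id, member_id, running_time, location FROM sessions WHERE id = :id';
    $params = [':id' => $sessionId];
    if ($matchIp && $ip !== null) {
        $sql .= ' AND ip_address = :ip';
        $params[':ip'] = $ip;
    }
    return [$sql, $params];
}

function lookupSession(PDO $db, string $sessionId, ?string $ip, bool $matchIp): ?array
{
    [$sql, $params] = buildSessionQuery($sessionId, $ip, $matchIp);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demonstration: in-memory SQLite standing in for the forum database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT, member_id INTEGER, running_time INTEGER, location TEXT, ip_address TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc123', 7, 1700000000, 'index', '198.51.100.23')");

// Constructed request: REMOTE_ADDR from the server, a malformed Client-IP header from the client.
$server = [
    'REMOTE_ADDR'    => '198.51.100.23',
    'HTTP_CLIENT_IP' => "' OR '1'='1",   // constructed hostile header value
];

$ip = resolveClientIp($server);          // no trusted proxies configured: header is ignored
var_dump($ip);                           // string(13) "198.51.100.23"
var_dump(lookupSession($db, 'abc123', $ip, true) !== null);   // bool(true)

// Even if the raw header were passed through, parameter binding keeps it a literal,
// so the lookup simply fails to match instead of altering the query.
var_dump(lookupSession($db, 'abc123', $server['HTTP_CLIENT_IP'], true)); // NULL
```

Two independent controls are at work: the header is never trusted unless the connection arrives from a proxy the operator configured (and even then only if it parses as an IP), and the SQL text contains no request-derived characters at all. Either one on its own would have stopped the issue in this advisory; using both means a mistake in one does not become an injection.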

[Exploit]
http://rst.void.ru/download/r57ipb216gui.txt

[Bugfix]
Upgrade to version 2.1.7

[Credits]
1dt.w0lf
RST/GHC
http://rst.void.ru
http://ghc.ru