Invision Power Board SQL Injection Vuln [ All Versions ]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Invision Power Board SQL Injection Vuln [ All Versions ]
From: JeiAr <security@xxxxxxxxxxxx>
Date: 16 Dec 2003 04:30:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Vendor  : Invision Power Services
URL     : http://www.invisionpower.com
Version : All Versions Up To v2.0 Alpha 3
Risk    : SQL Injection Vulnerability


Description:
Invision Power Board (IPB) is a professional forum system that has been 
built from the ground up with speed and security in mind, taking advantage 
of object oriented code, highly-optimized SQL queries, and the fast PHP 
engine. A comprehensive administration control panel is included to help 
you keep your board running smoothly. Moderators will also enjoy the full 
range of options available to them via built-in tools and moderators control
panel. Members will appreciate the ability to subscribe to topics, send 
private messages, and perform a host of other options through the user 
control panel. It is used by millions of people over the world.


Problem:
Invision Power Board is vulnerable to an SQL Injection Vulnerability. All
versions up to 2.0 Alpha 3 seem to be affected. Below is an example URL
to test if you are vulnerable.


/index.php?showforum=1&prune_day=100&sort_by=Z-A&sort_key=[Problem_is_here]

If you are vulnerable (you should be) you will see an error message similar
to the one posted below. The only requirement is to know a valid forum number
and to have read access to that forum (must be able to view it).


Begin Error Message
------------------------------
mySQL query error: SELECT * from ibf_topics WHERE forum_id=2 and approved=1 
and (last_post > 0 OR pinned=1) ORDER BY pinned DESC, [Problem_is_here] DESC 
LIMIT 0,15

mySQL error: You have an error in your SQL syntax near '[Problem_is_here] 
DESC LIMIT 0,15' at line 1

mySQL error code: 
Date: Saturday 13th of December 2003 01:25:30 AM
-------------------------------


Solution:
Invision Power Services have released a fix for this. You can view the forum 
post

http://forums.invisionpower.com/index.php?showtopic=106774&st=0&#entry762426

Or go straight to the download page.

http://www.invisionboard.com/download/index.php?act=dl&s=1&id=12&p=1


Credits:
Credits go to JeiAr of the GulfTech Security Research Team. 
http://www.gulftech.org

Prev by Date: Issues In CGINews and CGIForum
Next by Date: [RHSA-2003:403-01] Updated lftp packages fix security vulnerability
Previous by thread: Issues In CGINews and CGIForum
Next by thread: [RHSA-2003:403-01] Updated lftp packages fix security vulnerability
Index(es):
- Date
- Thread