<<< Date Index >>>     <<< Thread Index >>>

Invision Power Board SQL injection!


                Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions 
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@xxxxxxxxx
Vulnerability discovered : 12/2003
Public disclosure        : 04/2004 


--SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file
that allows unauthorized users to inject SQL commands.

Vulnerable code :
--------------------------------------
        
        if (isset($ibforums->input['st']) )
        {
                $this->first = $ibforums->input['st'];
        }
----------------------------------------

-SQL query

-----------------------------------------

if ($this->search_in == 'titles')
        {
          $this->output .= $this->start_page($topic_max_hits, 1);
                                    
                $DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, 
p.post_date, p.post, f.id as forum_id, f.name as forum_name
                            FROM ibf_topics t
                            LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND 
p.new_topic=1)
                            LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
                            WHERE t.tid IN(0{$topics}-1)
                            ORDER BY p.post_date DESC
                            LIMIT ".$this->first.",25");
        }
------------------------------------------
another:


if ($this->search_in == 'titles')
        {
                $this->output .= $this->start_page($topic_max_hits);
                $DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
                            FROM ibf_topics t, ibf_forums f
                            WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
                            ORDER BY t.pinned DESC, ".$this->sort_key." 
".$this->sort_order."
                            LIMIT ".$this->first.",25");
        }

--------------------------------------------------------------

 
++Exploit:
http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL
 code]/* 

++SOLUTIONS:
In search.php: 
* Replace: 
--------------------------------------------
        if (isset($ibforums->input['st']) )
        {
                $this->first = $ibforums->input['st'];
        }
---------------------------------------------
By:
----------------------------------------------
        if (isset($ibforums->input['st']) )
        {
                $this->first = intval($ibforums->input['st']);
        }
-------------------------------------------------
The Invision Power Services was notified! 
The new version will released soon!
-------------------------------------------------
Best Regard!
+ Knight Commander +