<<< Date Index >>>     <<< Thread Index >>>

Invision Power Board 2.1 <= 2.1.6 sql injection

RST/GHC advisory#41
Product: Invision Power Board 
Version: 2.1 <= 2.1.6
Vendor: INVISION Power Service
URL: http://www.invisionpower.com
VULNERABILITY CLASS: SQL injection


[Product Description]
Invision Power Board, an award-winning scaleable bulletin board system, written 
in PHP, uses SQL database. 
"Invision Power Board is packed with useful features that enable you to quickly 
and painlessly configure and manage every aspect of your board." 

[Summary]
Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL 
injection attack.

[Details]
Data from HTTP variable CLIENT_IP puts directly to sql statement:

[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
 {
  if ( $ip )
  {
  $this->ip_address = $ip;
  break;
  }
 }
[/code]

[code] /sources/classes/class_session.php
if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
 {
 $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
 }

$this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, 
running_time, location',
                                                           'from'   => 
'sessions',
                                                           'where'  => 
"id='".$session_id."'".$query));                         
[/code]

[Exploit]
http://rst.void.ru/download/r57ipb216gui.txt

[Bugfix]
Upgrade to 2.1.7 version

[Credits]
1dt.w0lf
RST/GHC
http://rst.void.ru
http://ghc.ru