Re: Invision Power Board 2.1 <= 2.1.6 sql injection
Hello rst,
i got this from your website couple days ago. it does NOT work on any
2.1.6 board i have here even vanilla default install.
can anyone please confirm this working on 2.1.6??
i removed their "phone home", and added a user-agent string, in their
exploit.
Friday, July 14, 2006, 5:38:11 AM, you wrote:
> RST/GHC advisory#41
> Product: Invision Power Board
> Version: 2.1 <= 2.1.6
> Vendor: INVISION Power Service
> URL: http://www.invisionpower.com
> VULNERABILITY CLASS: SQL injection
> [Product Description]
> Invision Power Board, an award-winning scaleable bulletin board
> system, written in PHP, uses SQL database.
> "Invision Power Board is packed with useful features that enable
> you to quickly and painlessly configure and manage every aspect of your
> board."
> [Summary]
> Unsufficient sanitazing of the user depend data in HTTP header may lead to
> SQL injection attack.
> [Details]
> Data from HTTP variable CLIENT_IP puts directly to sql statement:
> [code] /sources/ipsclass.php
> $addrs[] = $_SERVER['HTTP_CLIENT_IP'];
> $addrs[] = $_SERVER['REMOTE_ADDR'];
> $addrs[] = $_SERVER['HTTP_PROXY_USER'];
> foreach ( $addrs as $ip )
> {
> if ( $ip )
> {
> $this->ip_address = $ip;
> break;
> }
> }
> [/code]
> [code] /sources/classes/class_session.php
if ( $this->>ipsclass->vars['match_ipaddress'] == 1 )
> {
> $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
> }
$this->>ipsclass->DB->simple_construct(array( 'select' => 'id, member_id,
running_time, location',
> 'from' =>
> 'sessions',
> 'where'
> => "id='".$session_id."'".$query));
> [/code]
> [Exploit]
> http://rst.void.ru/download/r57ipb216gui.txt
> [Bugfix]
> Upgrade to 2.1.7 version
> [Credits]
> 1dt.w0lf
> RST/GHC
> http://rst.void.ru
> http://ghc.ru
--
Best regards,
paul mailto:dansing@xxxxxxxxxxxxx