
Re: Invision Power Board 2.1 <= 2.1.6 sql injection



Hello rst,

I got this from your website a couple of days ago. It does NOT work on any
2.1.6 board I have here, even a vanilla default install.

Can anyone please confirm this working on 2.1.6?

I removed their "phone home" and added a user-agent string in their
exploit.


Friday, July 14, 2006, 5:38:11 AM, you wrote:

> RST/GHC advisory#41
> Product: Invision Power Board 
> Version: 2.1 <= 2.1.6
> Vendor: INVISION Power Service
> URL: http://www.invisionpower.com
> VULNERABILITY CLASS: SQL injection


> [Product Description]
> Invision Power Board, an award-winning scalable bulletin board
> system, written in PHP, uses an SQL database.
> "Invision Power Board is packed with useful features that enable
> you to quickly and painlessly configure and manage every aspect of your 
> board."

> [Summary]
> Insufficient sanitizing of user-dependent data in the HTTP header may lead to
> an SQL injection attack.

> [Details]
> Data from the HTTP variable CLIENT_IP is put directly into the SQL statement:

> [code] /sources/ipsclass.php
> $addrs[] = $_SERVER['HTTP_CLIENT_IP'];
> $addrs[] = $_SERVER['REMOTE_ADDR'];
> $addrs[] = $_SERVER['HTTP_PROXY_USER'];
> foreach ( $addrs as $ip )
>  {
>   if ( $ip )
>   {
>   $this->ip_address = $ip;
>   break;
>   }
>  }
> [/code]

> [code] /sources/classes/class_session.php
> if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
>  {
>  $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
>  }
>
> $this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
>                                              'from'   => 'sessions',
>                                              'where'  => "id='".$session_id."'".$query));
> [/code]

> [Exploit]
> http://rst.void.ru/download/r57ipb216gui.txt

> [Bugfix]
> Upgrade to version 2.1.7.

> [Credits]
> 1dt.w0lf
> RST/GHC
> http://rst.void.ru
> http://ghc.ru



-- 
Best regards,
 paul                            mailto:dansing@xxxxxxxxxxxxx
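As an added illustration (not the advisory's code and not Invision Power Board's own source), the following PHP contrasts the pattern the quoted advisory describes with a hardened version of the same session lookup. The table and column names follow the advisory's snippet; the SQLite in-memory PDO handle and the sample `$_SERVER` array are constructed for the demonstration.

```php
<?php
// Added example, not IPB's code and not from the RST/GHC advisory.
// Left side: the advisory's pattern (first non-empty client address from
// headers, concatenated into SQL). Right side: the hardened equivalent.

// Vulnerable pattern: header-supplied values win over REMOTE_ADDR and are
// concatenated into the query unquoted/unvalidated.
function resolve_ip_vulnerable(array $server): string
{
    $addrs = [
        $server['HTTP_CLIENT_IP'] ?? '',   // set by the client, fully attacker-controlled
        $server['REMOTE_ADDR'] ?? '',      // set by the web server from the TCP peer
        $server['HTTP_PROXY_USER'] ?? '',  // also a client-supplied header
    ];
    foreach ($addrs as $ip) {
        if ($ip) {
            return $ip;
        }
    }
    return '';
}

function session_sql_vulnerable(string $session_id, string $ip, bool $match_ip): string
{
    $query = '';
    if ($match_ip) {
        $query .= " AND ip_address='" . $ip . "'";
    }
    return "SELECT id, member_id, running_time, location FROM sessions "
         . "WHERE id='" . $session_id . "'" . $query;
}

// Hardened pattern:
//  1. Only consult REMOTE_ADDR. Behind a reverse proxy, let the proxy (a
//     trusted component) rewrite REMOTE_ADDR; never take forwarded headers
//     from arbitrary clients.
//  2. Validate the value as an IP address and reject anything else.
//  3. Bind values with a prepared statement so they can never alter the query.
function resolve_ip_hardened(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

function lookup_session_hardened(PDO $pdo, string $session_id, ?string $ip, bool $match_ip): ?array
{
    if ($match_ip && $ip === null) {
        return null; // no trustworthy address: treat as "no matching session"
    }
    $sql    = 'SELECT id, member_id, running_time, location FROM sessions WHERE id = :id';
    $params = [':id' => $session_id];
    if ($match_ip) {
        $sql .= ' AND ip_address = :ip';
        $params[':ip'] = $ip;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on a constructed $_SERVER: a header value that is not an IP
// (and contains a quote) is accepted by the vulnerable resolver and breaks the
// quoting of the generated SQL; the hardened resolver ignores the header.
$fake_server = [
    'HTTP_CLIENT_IP' => "not-an-ip'",   // constructed, non-IP header value
    'REMOTE_ADDR'    => '203.0.113.5',  // RFC 5737 documentation address
];
echo session_sql_vulnerable('abc123', resolve_ip_vulnerable($fake_server), true), "\n";
// ... WHERE id='abc123' AND ip_address='not-an-ip''   <- unbalanced quote

// Constructed in-memory database so the hardened lookup runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id TEXT, member_id INTEGER, running_time INTEGER, location TEXT, ip_address TEXT)');
$pdo->exec("INSERT INTO sessions VALUES ('abc123', 7, 1152853091, 'idx', '203.0.113.5')");

var_dump(lookup_session_hardened($pdo, 'abc123', resolve_ip_hardened($fake_server), true));
// array with member_id => 7: REMOTE_ADDR matched, CLIENT_IP header never consulted
var_dump(lookup_session_hardened($pdo, "abc123'", resolve_ip_hardened($fake_server), true));
// NULL: the quote is bound as data, so no row matches and the query stays intact
```

The detection angle for operators who cannot upgrade immediately is the same observation: a `Client-IP` or `Proxy-User` request header whose value does not parse as an IP address has no legitimate reason to exist and is worth logging and blocking at the web server or WAF; the vendor's fix (2.1.7) remains the proper remediation.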