Invision Power Board Lack of Validation of HTTP Client IP Value Lets Remote Users Inject SQL Commands - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Forum/Board/Portal) > Invision Power Board

Vendors: Invision Power Services

Invision Power Board Lack of Validation of HTTP Client IP Value Lets Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1016508

SecurityTracker URL: http://securitytracker.com/id/1016508

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Jul 17 2006

Impact: Disclosure of system information, Disclosure of user information, User access via network

Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes

Version(s): 2.1 - 2.1.6

Description: A vulnerability was reported in Invision Power Board. A remote user can inject SQL commands.

The software does not properly validate user-supplied input in the HTTP Client IP value. A remote user can supply a specially crafted value to execute SQL commands on the underlying database.

A demonstration exploit is available at:

http://rst.void.ru/download/r57ipb216gui.txt

1dt.w0lf of RST/GHC reported this vulnerability.

Impact: A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Vendor URL: www.invisionboard.com/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: 14 Jul 2006 12:38:11 -0000
Subject: Invision Power Board 2.1 <= 2.1.6 sql injection

RST/GHC advisory#41
Product: Invision Power Board 
Version: 2.1 <= 2.1.6
Vendor: INVISION Power Service
URL: http://www.invisionpower.com
VULNERABILITY CLASS: SQL injection


[Product Description]
Invision Power Board, an award-winning scaleable bulletin board system, written in PHP, uses SQL database. 
"Invision Power Board is packed with useful features that enable you to quickly and painlessly configure and manage every aspect of
 your board." 

[Summary]
Unsufficient sanitazing of the user depend data in HTTP header may lead to SQL injection attack.

[Details]
Data from HTTP variable CLIENT_IP puts directly to sql statement:

[code] /sources/ipsclass.php
$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];
foreach ( $addrs as $ip )
 {
  if ( $ip )
  {
  $this->ip_address = $ip;
  break;
  }
 }
[/code]

[code] /sources/classes/class_session.php
if ( $this->ipsclass->vars['match_ipaddress'] == 1 )
 {
 $query .= " AND ip_address='".$this->ipsclass->ip_address."'";
 }

$this->ipsclass->DB->simple_construct(array( 'select' => 'id, member_id, running_time, location',
							   'from'   => 'sessions',
							   'where'  => "id='".$session_id."'".$query));				
[/code]

[Exploit]
http://rst.void.ru/download/r57ipb216gui.txt

[Bugfix]
Upgrade to 2.1.7 version

[Credits]
1dt.w0lf
RST/GHC
http://rst.void.ru
http://ghc.ru

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC