SecurityTracker.com
Category:   Application (Generic)  >   Invision Power Top Site List
Vendors:   Invision Power Services
Invision Power Top Site List Input Validation Hole in 'comment' Feature Permits SQL Injection
SecurityTracker Alert ID:  1009511
SecurityTracker URL:  http://securitytracker.com/id/1009511
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.1 RC2 and prior versions
Description:   An input validation vulnerability was reported in Invision Power Top Site List. A remote user can inject SQL commands.

JeiAr of the GulfTech Security Research Team reported that the software does not properly validate user-supplied input in the 'id' parameter of the 'comment' feature. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database. A demonstration exploit URL has the following format:

index.php?act=comments&id=[Evil_Query]

The vendor has reportedly been notified.

Impact:   A remote user can inject SQL commands to be executed on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.invisiontsl.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.gulftech.org/03212004.php


http://www.gulftech.org/03212004.php

Invision Power Top Site List SQL Injection Vulnerability  March 21, 2004


Vendor : Invision Power Services
URL : http://www.invisiontsl.com
Version : Invision Power Top Site List v1.1 RC 2 && Earlier
Risk : SQL Injection Vulnerability


Description:
Invision Power Top Site List is a flexible site ranking script written in PHP, the popular 
programming choice for web developers. Featuring an impressive feature set with a 
user-friendly interface your community will feel at home using the system.


SQL Injection Vulnerability:
Invision Power Top Site List is prone to an SQL Injection vuln in its "comment" feature. 
This issue is very much exploitable as the injection happens right in the middle of a 
WHERE statement. Let's have a look at an example error message to get a better idea of what 
is going on.

-----[ Start Error ]---------------------------------------------
Error: Error executing query

The software returned the following error:

You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax
to use near '[ Evil_Query ]' at line 1

Query Executed: SELECT * FROM tsl_sites WHERE id = [Evil_Query]

-----[ /Ends Error ]---------------------------------------------

As we can see from this it would be of little difficulty for any attacker to execute 
arbitrary requests. For example pulling the admin hash and/or possibly taking admin 
control over an affected Invision Power Top Site List. Below is an example URL to show how 
the issue could be exploited.

index.php?act=comments&id=[Evil_Query]


Solution:
The Invision Power Services team were contacted immediately and hopefully a fix will be 
available soon since this is an application that costs users money to use.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
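
With no fix available at the time of this entry, one interim check is to review web server logs for 'comment' requests whose 'id' value is not a plain integer. The following is an added example, not code from the advisory or the vendor; it assumes combined-format access logs, that the script is served as index.php, and that legitimate 'id' values are decimal integers (suggested by the "WHERE id =" query in the error message, but not stated on the page). The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2004:10:01:02 +0000] "GET /index.php?act=comments&id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Mar/2004:10:01:07 +0000] "GET /index.php?act=comments&id=%5BEvil_Query%5D HTTP/1.1" 200 731
203.0.113.9 - - [22/Mar/2004:10:01:09 +0000] "GET /index.php?act=comments&id=42%27 HTTP/1.1" 200 731
198.51.100.7 - - [22/Mar/2004:10:02:30 +0000] "GET /index.php?act=comments&id=7&id=8 HTTP/1.1" 200 5090
198.51.100.7 - - [22/Mar/2004:10:02:41 +0000] "GET /index.php?act=stats&id=abc HTTP/1.1" 200 2210
"""

# Client address and request target from one combined-format line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate site id is a short run of decimal digits.
DECIMAL_ID = re.compile(r"[0-9]{1,10}")


def suspicious_comment_requests(log_text):
    """Return (client_ip, decoded_id_values) for act=comments hits with a non-integer id."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("index.php"):
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen as-is.
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("act") != ["comments"]:
            continue
        ids = params.get("id", [])
        # Exactly one id made only of digits is expected; anything else is worth a look.
        if len(ids) != 1 or not DECIMAL_ID.fullmatch(ids[0]):
            findings.append((m.group("ip"), ids))
    return findings


if __name__ == "__main__":
    for ip, ids in suspicious_comment_requests(SAMPLE_LOG):
        print(ip, ids)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers requests that carry 'act' and 'id' in the URL.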

