SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Invision Gallery
Vendors:   Invision Power Services
Invision Gallery Multiple Input Validation Errors Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1009512
SecurityTracker URL:  http://securitytracker.com/id/1009512
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.0.1
Description:   Several input validation vulnerabilities were reported in Invision Gallery. A remote user can inject SQL commands.

JeiAr of the GulfTech Security Research Team reported that several commands and parameters do not properly validate user-supplied input. A remote user can reportedly supply a specially crafted URL to inject SQL commands on the target system.

Some demonstration exploit URLs are provided:

index.php?act=module&module=gallery&cmd=si&img=[SQL]
index.php?act=module&module=gallery&cmd=editimg&img=[SQL]
index.php?act=module&module=gallery&cmd=ecard&img=[SQL]
index.php?act=module&module=gallery&cmd=moveimg&img=[SQL]
index.php?act=module&module=gallery&cmd=delimg&img=[SQL]
index.php?act=module&module=gallery&cmd=post&cat=[SQL]
index.php?act=module&module=gallery&cmd=sc&op=user&sort_key=[SQL]
index.php?act=module&module=gallery&cmd=sc&op=user&sort_key=date&order_key=[SQL]
index.php?act=module&module=gallery&cmd=favs&op=add&img=[SQL]
index.php?act=module&module=gallery&cmd=slideshow&cat=[SQL]
index.php?act=module&module=gallery&cmd=user&user=[SQL]&op=view_album&album=1
index.php?act=module&module=gallery&cmd=user&user=[SQL]
index.php?act=module&module=gallery&cmd=user&user=1&op=view_album&album=[SQL]

The vendor has reportedly been notified.

Impact:   A remote user can inject SQL commands to be executed by the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.invisiongallery.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
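
With no vendor fix listed, the parameters named in the description can be validated in front of the application or checked when reviewing access logs. The following is an added example, not code from SecurityTracker, GulfTech or the vendor; it assumes the listed id parameters are plain integers and that `order_key` takes `asc` or `desc`, and its sort-key allowlist holds only the `date` value shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory lists as injectable, keyed by gallery cmd value.
NUMERIC_PARAMS = {
    "si": ["img"], "editimg": ["img"], "ecard": ["img"], "moveimg": ["img"],
    "delimg": ["img"], "favs": ["img"], "post": ["cat"], "slideshow": ["cat"],
    "user": ["user", "album"],
}
SORT_KEYS = {"date"}          # only value shown on the page; extend per install
ORDER_KEYS = {"asc", "desc"}  # assumption: usual ORDER BY directions
ID_RE = re.compile(r"\d{1,10}")  # assumption: ids are short unsigned integers


def check_request(url):
    """Return (param, value) pairs that fail validation; [] if clean."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # PHP keeps the last duplicate of a parameter, so route on the last one.
    if q.get("act", [""])[-1] != "module" or q.get("module", [""])[-1] != "gallery":
        return []
    cmd = q.get("cmd", [""])[-1]
    bad = []
    for name in NUMERIC_PARAMS.get(cmd, []):
        # Check every duplicate so a clean first value cannot hide a bad one.
        bad += [(name, v) for v in q.get(name, []) if not ID_RE.fullmatch(v)]
    if cmd == "sc":
        for name, allowed in (("sort_key", SORT_KEYS), ("order_key", ORDER_KEYS)):
            bad += [(name, v) for v in q.get(name, []) if v.lower() not in allowed]
    return bad


# Constructed sample requests; "[SQL]" is the advisory's own placeholder.
SAMPLE = [
    "/index.php?act=module&module=gallery&cmd=si&img=42",
    "/index.php?act=module&module=gallery&cmd=si&img=[SQL]",
    "/index.php?act=module&module=gallery&cmd=sc&op=user&sort_key=date&order_key=[SQL]",
    "/index.php?act=module&module=gallery&cmd=user&user=1&op=view_album&album=7",
    "/index.php?act=x&act=module&module=gallery&cmd=delimg&img=1&img=[SQL]",
]


def flagged(urls):
    """Return the requests that should be rejected or investigated."""
    return [u for u in urls if check_request(u)]


if __name__ == "__main__":
    for u in flagged(SAMPLE):
        print("REJECT", u, check_request(u))
```
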


 Source Message Contents

Subject:  http://www.gulftech.org/03222004.php


http://www.gulftech.org/03222004.php

Invision Gallery SQL Injection Vulnerabilities  March 22, 2004


Vendor : Invision Power Services
URL : http://www.invisiongallery.com
Version : Invision Gallery 1.0.1
Risk : SQL Injection Vulnerabilities


Description:
Invision Gallery is a fully featured, powerful gallery system that is easy and fun to use! 
It plugs right into your existing Invision Power Board to create a seamless browsing 
experience for the users of your forum. We've taken many of the most popular feature 
requests from our customers and integrated them into this product.


SQL Injection Vulnerabilities:
Invision Gallery seems to come up very short concerning validation of user-supplied input. 
It is vulnerable to a number of SQL Injection vulnerabilities. Also, because Invision 
Gallery is integrated into Invision Power Board it is VERY much possible for an attacker 
to use the vulnerabilities in Invision Gallery to affect the Invision Power Board which it 
resides on. Most of the non-validated inputs that allow for the injections take place right 
in the middle of a WHERE statement making them that much easier to exploit. Let's look at 
an example error.

-----[ Start Error ]---------------------------------------------
mySQL query error: SELECT * FROM ibf_gallery_categories WHERE
id=[Evil_Query]

mySQL error: You have an error in your SQL syntax.  Check the manual
that corresponds to your MySQL server version for the right syntax to
use near '[Evil_Query]' at line 1

mySQL error code:
Date: Sunday 21st of March 2004 11:28:18 AM

-----[ /Ends Error ]---------------------------------------------

As we can see from this it would be of little difficulty for any attacker to execute 
arbitrary requests. For example pulling the admin hash and/or possibly taking admin 
control over an affected Invision Gallery or Invision Power Board installation. Here are 
some example URLs that could be exploited by an attacker.

index.php?act=module&module=gallery&cmd=si&img=[SQL]
index.php?act=module&module=gallery&cmd=editimg&img=[SQL]
index.php?act=module&module=gallery&cmd=ecard&img=[SQL]
index.php?act=module&module=gallery&cmd=moveimg&img=[SQL]
index.php?act=module&module=gallery&cmd=delimg&img=[SQL]
index.php?act=module&module=gallery&cmd=post&cat=[SQL]
index.php?act=module&module=gallery&cmd=sc&op=user&sort_key=[SQL]
index.php?act=module&module=gallery&cmd=sc&op=user&sort_key=date&order_key=[SQL]
index.php?act=module&module=gallery&cmd=favs&op=add&img=[SQL]
index.php?act=module&module=gallery&cmd=slideshow&cat=[SQL]
index.php?act=module&module=gallery&cmd=user&user=[SQL]&op=view_album&album=1
index.php?act=module&module=gallery&cmd=user&user=[SQL]
index.php?act=module&module=gallery&cmd=user&user=1&op=view_album&album=[SQL]

Some of these are easier to exploit than others obviously, but the large number of SQL 
Injection possibilities definitely makes it that much easier for an attacker to get 
results from these issues.


Solution:
The Invision Power Services team were contacted immediately and hopefully a fix will be 
available soon since this is an application that costs users money to use.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.

