Invision Power Board SQL injection!

Program Name             : Invision Board Forum
Vulnerable Versions      : All versions
Home Page                : http://www.invisionboard.com
Author                   : Knight Commander (at http://security.com.vn)
Email                    : knight4vn@yahoo.com
Vulnerability discovered : 12/2003
Public disclosure        : 04/2004

-- SQL Injection :

A vulnerability has been discovered in the "sources/search.php" file that allows unauthorized users to inject SQL commands. The paging offset "st" is read from the request and concatenated straight into the LIMIT clause of the search query without being cast to an integer.

Vulnerable code :
--------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = $ibforums->input['st'];
}
----------------------------------------

- SQL query :
-----------------------------------------
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits, 1);

    $DB->query("SELECT t.*, p.pid, p.author_id, p.author_name, p.post_date, p.post, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t
                LEFT JOIN ibf_posts p ON (t.tid=p.topic_id AND p.new_topic=1)
                LEFT JOIN ibf_forums f ON (f.id=t.forum_id)
                WHERE t.tid IN(0{$topics}-1)
                ORDER BY p.post_date DESC
                LIMIT ".$this->first.",25");
}
------------------------------------------

Another :
------------------------------------------
if ($this->search_in == 'titles')
{
    $this->output .= $this->start_page($topic_max_hits);

    $DB->query("SELECT t.*, f.id as forum_id, f.name as forum_name
                FROM ibf_topics t, ibf_forums f
                WHERE t.tid IN(0{$topics}-1) and f.id=t.forum_id
                ORDER BY t.pinned DESC, ".$this->sort_key." ".$this->sort_order."
                LIMIT ".$this->first.",25");
}
--------------------------------------------------------------

++ Exploit :

http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*

++ SOLUTIONS :

In search.php:

* Replace:
--------------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = $ibforums->input['st'];
}
---------------------------------------------

By:
----------------------------------------------
if (isset($ibforums->input['st']) )
{
    $this->first = intval($ibforums->input['st']);
}
-------------------------------------------------

Invision Power Services has been notified. The new version will be released soon.
-------------------------------------------------

Best regards,
+ Knight Commander +