|
HSC Research Group -
Advisories
|
|
Written by Hackers Center
|
|
Monday, 11 April 2005 19:19 |
 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab "s Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability [PATCH INCLUDED]
Date: 09/04/2005
Vendor: Invision Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to a sql injection vulnerability which is caused by the non validation of input
in the $this->first variable
**********************************************************************************************************
Get Dcrab"s Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
**********************************************************************************************************
Proof of Concept Exploit:
http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION
**************
Patch info
**************
A patched version of the vulnerable file can be found at, http://www.digitalparadox.org/memberlist.txt
Just replace /uploads/sources/memberlist.php with this, and it will be fixed.
A simple patch can be,
In /uploads/sources/memberlist.php on Line 274 add this code
[CODE BEGINS]
if (!is_numeric($this->first)) {
$this->first = "0";
}
[CODE ENDS]
So it should finally look like,
[CODE BEGINS]
$this->output .= $this->html->Page_header( array( "SHOW_PAGES" => $links) );
//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
$this->first = "0";
}
$DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name,
m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
[CODE ENDS]
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel
free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/.
Lookout for my soon to come out book on Secure coding with php.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj
hAJ8nVzhK+VIlL4iPxDJRh02
=n3TC
-----END PGP SIGNATURE-----
|
