Security Alerts and vulnerabilities Lets keep abreast on the latest threats by posting those findings here..

11-19-2004, 07:03 PM
Mobo
MaxPatrol Security Advisory 11.18.04
November 18, 2004

Release Date: November 18, 2004
Date Reported: November 12, 2004
Severity: High
Application: Invision Power Board v2.x
Affects versions: IPB 2.0.0, IPB 2.0.1 and IPB 2.0.2.
Platform: PHP

I. DESCRIPTION

An input validation vulnerability was reported in Invision Power Board v2.x. A remote user can conduct an SQL injection attack.

Example:

http://site/forum/index.php?act=Post...f=2&t=1&qpid=1[sql_injection]

Result:

--------------------------------------------------------------------------
mySQL query error: select p.*,t.forum_id FROM ibf_posts p LEFT JOIN ibf_topics t ON (t.tid=p.topic_id) WHERE pid IN (1[sql_injection])
mySQL error: You have an error in your SQL syntax near '[sql_injection])' at line 2
mySQL error code:
Date: Friday 12th of November 2004 06:53:25 PM
--------------------------------------------------------------------------

This vulnerability was found automatically by the full-featured commercial version of MaxPatrol.

II. IMPACT

A remote user may be able to execute arbitrary SQL commands on the underlying database.

III. SOLUTION

To update your IPB 2.x board, simply download the security update file, expand it and upload "sources/post.php" over the one on your installation.

IV. VENDOR FIX/RESPONSE

Vulnerability is fixed.

Security update:

http://forums.invisionpower.com/inde...owtopic=154916
http://forums.invisionpower.com/index.php?...pe=post&id=4992

And of course this forum is protected.. ;)
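The error output in the advisory shows the `qpid` request value reaching the `WHERE pid IN (...)` clause unmodified. The following is an added example, not Invision's patch and not code from the advisory, that contrasts that pattern with id-list validation plus bound parameters. The table and column names come from the error message; the SQLite in-memory schema, the rows and the function names are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows, not Invision Power Board code.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ibf_topics (tid INTEGER PRIMARY KEY, forum_id INTEGER)');
$db->exec('CREATE TABLE ibf_posts (pid INTEGER PRIMARY KEY, topic_id INTEGER, post TEXT)');
$db->exec('INSERT INTO ibf_topics VALUES (1, 2)');
$db->exec("INSERT INTO ibf_posts VALUES (1, 1, 'first'), (2, 1, 'second')");

const POSTS_SQL = 'SELECT p.*, t.forum_id FROM ibf_posts p '
    . 'LEFT JOIN ibf_topics t ON (t.tid = p.topic_id) WHERE p.pid IN (%s)';

// Vulnerable pattern: the raw request value becomes part of the SQL text.
function quotedPostsUnsafe(PDO $db, string $qpid): array {
    return $db->query(sprintf(POSTS_SQL, $qpid))->fetchAll(PDO::FETCH_ASSOC);
}

// Validation: accept only a comma-separated list of short decimal ids.
function parsePostIds(string $qpid): array {
    $ids = [];
    foreach (explode(',', $qpid) as $part) {
        if (!ctype_digit($part) || strlen($part) > 9) {
            throw new InvalidArgumentException('qpid must be a list of numeric post ids');
        }
        $ids[(int) $part] = true; // array keys de-duplicate repeated ids
    }
    return array_keys($ids);
}

// Hardened pattern: one "?" placeholder per validated id, each bound as an integer.
function quotedPostsSafe(PDO $db, string $qpid): array {
    $ids = parsePostIds($qpid);
    $stmt = $db->prepare(sprintf(POSTS_SQL, implode(',', array_fill(0, count($ids), '?'))));
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed list first, then the malformed value from the advisory's example.
foreach (['1,2', '1[sql_injection]'] as $qpid) {
    foreach (['quotedPostsUnsafe', 'quotedPostsSafe'] as $fn) {
        try {
            printf("%s('%s'): %d rows\n", $fn, $qpid, count($fn($db, $qpid)));
        } catch (Exception $e) {
            printf("%s('%s'): %s\n", $fn, $qpid, get_class($e));
        }
    }
}
```

For the malformed value the unsafe function fails inside the database with a syntax error, as in the advisory's output, while the hardened function rejects the input before any SQL text is built.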