Invision Power Board Cookie Encoded Arrays SQL Injection & other issues
Product: Invision Power Board
Affected versions: <= 2.1.3, and 2.1.4 before the security patch
Vendor: Invision Power Services
Vendor response: Patch released (here) to address the SQL injection; the other issues were considered an acceptable security risk.
Timeline:
2006.01.05 - Vendor Notified
2006.01.05 - Patch Released
2006.09.26 - Public Disclosure
Three vulnerabilities were identified in Invision Power Board.

The first is SQL injection through cookie-encoded arrays. Cookie values that the board decodes back into array structures are not properly sanitised, and the array indices (the keys, not only the values) are interpolated into SQL. An attacker can therefore place a query fragment in the index of, for example, the "topicsread" array. Writing "=>" for "maps to", the cookie array can be structured as:

"1) UNION SELECT 1,session_id,session_ip_address,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ibf_admin_sessions where (1,1)=(1" => 2

The leading "1)" closes the parenthesis opened by the application's own query, the UNION pulls administrator session identifiers and the IP addresses bound to them out of ibf_admin_sessions (padded with constant columns so the column count matches the original select), and the trailing, unclosed "(1" is completed by whatever the application appends after the array index.
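To make the mechanism concrete, the following is an added Python reproduction of the pattern; it is not Invision Power Board's code (which is PHP) and not part of the original advisory. A cookie is decoded into an array, the array keys are concatenated into an IN (...) list, and the advisory's close-UNION-reopen payload pulls a row out of ibf_admin_sessions. The cookie wire format ("key=>value" pairs joined with "&"), the query shape, the table contents and the function names are assumptions for this example; the payload is trimmed to three columns and a "WHERE 1=(1" tail to fit the toy query, whereas the advisory's real payload pads with constant columns and ends "where (1,1)=(1". It runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data (not from the advisory): a topics table and the
# admin-session table the advisory's payload reads. Only the column names
# session_id and session_ip_address come from the advisory.
_SCHEMA = """
CREATE TABLE ibf_topics (tid INTEGER, title TEXT, posts INTEGER);
INSERT INTO ibf_topics VALUES (1, 'Welcome', 3);
INSERT INTO ibf_topics VALUES (2, 'Rules', 1);
CREATE TABLE ibf_admin_sessions (
    session_id TEXT, session_ip_address TEXT, session_member_id INTEGER);
INSERT INTO ibf_admin_sessions
    VALUES ('0f1e2d3c4b5a69788796a5b4c3d2e1f0', '203.0.113.7', 1);
"""

# The constructed administrator session row, used to check for leakage.
ADMIN_SESSION_ROW = ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", "203.0.113.7", 1)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def decode_cookie_array(raw):
    """Reconstruct an array from a cookie value.

    Assumed wire format for this example: "key=>value" pairs joined by "&".
    The advisory uses "=>" only as "maps to" notation and does not give the
    real encoding; what matters is that the keys reach the SQL layer."""
    arr = {}
    for pair in raw.split("&"):
        if "=>" in pair:
            key, value = pair.split("=>", 1)
            arr[key] = value
    return arr


def topics_read_vulnerable(conn, cookie):
    """The advisory's pattern: array keys concatenated straight into SQL.

    The IN (...) query shape is an assumption; it is the shape a key that
    begins with "1)" and ends with an unclosed "(1" is built to close and
    reopen."""
    keys = ",".join(decode_cookie_array(cookie).keys())
    sql = f"SELECT tid, title, posts FROM ibf_topics WHERE tid IN ({keys})"
    return conn.execute(sql).fetchall()


def topics_read_hardened(conn, cookie):
    """Same query, but every key is forced to an integer and bound as a
    parameter, so a key can never change the statement's structure."""
    ids = []
    for key in decode_cookie_array(cookie):
        try:
            ids.append(int(key))
        except ValueError:
            continue  # anything that is not a topic id is dropped
    if not ids:
        return []
    marks = ",".join("?" * len(ids))
    sql = f"SELECT tid, title, posts FROM ibf_topics WHERE tid IN ({marks})"
    return conn.execute(sql, ids).fetchall()


# The advisory's payload shape, reduced to the toy query's three columns.
PAYLOAD = ("1) UNION SELECT session_id,session_ip_address,1 "
           "FROM ibf_admin_sessions WHERE 1=(1=>2")


def admin_session_leaked(rows):
    """True if a row from ibf_admin_sessions came back from a topics query."""
    return ADMIN_SESSION_ROW in rows


if __name__ == "__main__":
    conn = open_db()
    rows = topics_read_vulnerable(conn, PAYLOAD)
    print("vulnerable:", rows, "leaked admin session:", admin_session_leaked(rows))
    print("hardened:", topics_read_hardened(conn, PAYLOAD))
```

The hardened variant does two independent things: it casts each key to int (so the UNION text cannot survive) and it still binds the resulting values as parameters rather than formatting them in, which is the habit that holds up when the next field is a string rather than an integer.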
The second vulnerability is IP address spoofing. The board takes the requester's IP address from the user-controllable "Client-Ip" HTTP header, so any IP address can be spoofed. Since the first issue returns session_ip_address alongside session_id, an attacker can present whichever address a stolen administrator session is bound to.
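The following added Python example (not the board's code and not from the advisory) contrasts the behaviour described above, where a client-supplied Client-Ip header wins over the connection's peer address, with a derivation that only trusts X-Forwarded-For when the peer is a configured reverse proxy. The trusted-proxy address, the function names and the sample request are assumptions constructed for the example.

```python
import ipaddress

# Assumed deployment detail for this example: the only hop allowed to vouch
# for a client address is this reverse proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip_vulnerable(headers, remote_addr):
    """The behaviour the advisory describes: a client-supplied Client-Ip
    header overrides the address the connection actually came from."""
    return _header(headers, "Client-Ip") or remote_addr


def client_ip_hardened(headers, remote_addr):
    """Use the socket peer address. Only if the peer is a trusted proxy,
    take the right-most X-Forwarded-For hop that is not itself a trusted
    proxy (the hop the proxy appended). Client-Ip is never consulted."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    forwarded = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


# Constructed request: a direct connection from 198.51.100.9 claiming, via
# Client-Ip, to be the address an administrator session is bound to.
SPOOF_HEADERS = {"Client-Ip": "203.0.113.7", "Host": "forum.example"}
SPOOF_PEER = "198.51.100.9"


if __name__ == "__main__":
    print("vulnerable:", client_ip_vulnerable(SPOOF_HEADERS, SPOOF_PEER))
    print("hardened:  ", client_ip_hardened(SPOOF_HEADERS, SPOOF_PEER))
```

Any check that binds a session to an address (such as comparing against session_ip_address) is only as strong as the function that produces the address; with the vulnerable derivation the check costs an attacker one extra header.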
The third vulnerability is a trivial directory traversal in the task section of the admin panel. Once board administrator privileges have been obtained, it allows arbitrary code execution; it is a post-authentication issue, which is relevant because the first two issues are what hand an attacker those privileges. The vendor's patch addresses the SQL injection only; the second and third issues were considered an acceptable security risk.
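As an added example (not the board's code, and not from the advisory, which gives no parameter names or paths for the real issue), here is the containment check a task loader should apply before including a request-selected script: accept only a plain file name, resolve it with symlinks followed, and confirm the result is still inside the task directory. The directory layout, file names and function names are constructed assumptions for this example.

```python
import os
import re
import tempfile

# Assumed for this example: task scripts live in one directory and are
# selected by a bare file name taken from the request.
TASK_NAME = re.compile(r"^[A-Za-z0-9_]+\.php$")


def task_path_vulnerable(task_dir, name):
    """Joins the request-supplied name onto the task directory unchecked,
    so "../" sequences and absolute paths escape it."""
    return os.path.join(task_dir, name)


def task_path_hardened(task_dir, name):
    """Allowlist the name, then confirm the resolved path (symlinks followed)
    is a regular file inside task_dir. Returns None when rejected."""
    if not TASK_NAME.match(name):
        return None
    base = os.path.realpath(task_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_fixture():
    """Constructed tree: <root>/tasks/cleanup.php plus <root>/config.php,
    a file outside the task directory that traversal would reach."""
    root = tempfile.mkdtemp()
    task_dir = os.path.join(root, "tasks")
    os.mkdir(task_dir)
    with open(os.path.join(task_dir, "cleanup.php"), "w") as f:
        f.write("<?php /* scheduled task */ ?>")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php /* board configuration */ ?>")
    return root, task_dir


def check_traversal(task_dir, name):
    """For one request value, report whether the unchecked join escapes
    task_dir and what the hardened loader would return."""
    base = os.path.realpath(task_dir)
    joined = os.path.realpath(task_path_vulnerable(task_dir, name))
    escapes = os.path.commonpath([base, joined]) != base
    return escapes, task_path_hardened(task_dir, name)


if __name__ == "__main__":
    _, task_dir = make_fixture()
    for value in ("cleanup.php", "../config.php", "/etc/passwd"):
        print(value, "->", check_traversal(task_dir, value))
```

The allowlist alone already rejects every traversal string, but keeping the realpath containment check as well means a symlink dropped into the task directory cannot be used to reach outside it either.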