© 2008 eshu.co.uk - all rights reserved
ESHU0601 - Details
Invision Power Board Cookie Encoded Arrays SQL Injection & other issues

Affected Product
Invision Power Board

Affected Version
Versions <= 2.1.3, and 2.1.4 before security patch.

Affected Vendor
Invision Power Services

Vendor Response
Patch released to address the SQL injection; the other issues were considered an acceptable security risk.

Disclosure Timeline
2006.01.05 - Vendor Notified
2006.01.05 - Patch Released
2006.09.26 - Public Disclosure

Vulnerability Details
Three vulnerabilities were identified in Invision Power Board. The first stems from the fact that cookie values used to reconstruct array structures are not properly sanitized, which allows SQL to be injected through the index values (keys) of the array. For example, the "topicsread" cookie array can be structured as:

"1) UNION SELECT 1,session_id,session_ip_address,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ibf_admin_sessions where (1,1)=(1" => 2

where "=>" is the "maps to" directive.
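
The following is an added illustration of the array-key issue, not code from the advisory or from Invision Power Board: it reconstructs an array from a cookie, shows the vulnerable shape in which keys are interpolated into an IN (...) list (inferred from the parentheses in the payload above, an assumption), and the hardened form that validates keys as integers and parameterises the query. The cookie encoding ("key=>value;key=>value", URL-encoded) and both sample cookies are constructed for the example.

```python
from urllib.parse import unquote

# Constructed cookie format (an assumption; not IPB's real encoding):
# "key=>value;key=>value", URL-encoded, keyed by topic id.
COOKIE_BENIGN = "12=>1158000000;13=>1158000100"
COOKIE_HOSTILE = "1)%20UNION%20SELECT%201,2%20FROM%20x%20WHERE%20(1,1)=(1=>2"


def parse_cookie_array(raw):
    """Reconstruct the array exactly as received: keys are untrusted strings."""
    items = {}
    for pair in unquote(raw).split(";"):
        if "=>" in pair:
            key, value = pair.split("=>", 1)
            items[key] = value
    return items


def build_query_unsafe(raw):
    """Vulnerable shape: array keys interpolated straight into an IN (...) list."""
    keys = ",".join(parse_cookie_array(raw).keys())
    return "SELECT tid FROM ibf_topics WHERE tid IN (%s)" % keys


def sanitize_keys(items):
    """Hardened: keep only keys and values that are plain integers, as ints."""
    return {int(k): int(v) for k, v in items.items() if k.isdigit() and v.isdigit()}


def build_query_safe(raw):
    """Parameterised: placeholders in the SQL, validated integer keys passed separately."""
    keys = sorted(sanitize_keys(parse_cookie_array(raw)))
    if not keys:
        return "SELECT tid FROM ibf_topics WHERE 1=0", []
    placeholders = ",".join("?" for _ in keys)
    return "SELECT tid FROM ibf_topics WHERE tid IN (%s)" % placeholders, keys


def rejected_keys(raw):
    """Detection hook: keys that failed validation, worth logging alongside the request."""
    return [k for k in parse_cookie_array(raw) if not k.isdigit()]
```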

The second vulnerability allows the spoofing of any IP address via the user-controllable "Client-Ip" HTTP header.

The third vulnerability is a trivial directory traversal within the task section of the admin panel, which allows arbitrary code execution once board administration privileges have been obtained.

Original Disclosure
http://seclists.org/fulldisclosure/2006/Sep/0521.html