# Title : Invision Power Board <= 3.0.4 LFI and <=3.0.4 and <=2.3.6 SQL Injection
# Published : 2009-12-04
# Author : Dawid Golunski
=============================================
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object-oriented code, highly optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and the moderator control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other actions through the user control panel.
III. INTRODUCTION
-------------------------
For a good understanding of the vulnerabilities it is necessary to be familiar
with the way IPB handles input data. Below is a quick trace of the input
validation process. The code snippets come from IPB version 3.0.4.
line | file: admin/sources/base/ipsRegistry.php
352 | static public function init()
353 | {
... |
... |
462 | IPSLib::cleanGlobals( $_GET );
463 | IPSLib::cleanGlobals( $_POST );
464 | IPSLib::cleanGlobals( $_COOKIE );
465 | IPSLib::cleanGlobals( $_REQUEST );
466 |
467 | # GET first
468 | $input = IPSLib::parseIncomingRecursively( $_GET, array() );
469 |
470 | # Then overwrite with POST
471 | self::$request = IPSLib::parseIncomingRecursively( $_POST, $input );
... |
The init() function cleans the input data passed via GET, POST, COOKIE and
REQUEST at the start of each request to the forum, before any of the input
variables are processed. Note the order: GET parameters are parsed first and
are then overwritten by POST parameters of the same name.
Let's look at the sanitization performed by the cleanGlobals() function:
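To make the order of operations concrete, here is a stand-alone PHP model of this request pipeline. It is an added example, not IPB's code: cleanGlobalsModel() reproduces only the null-byte removal that the cleanGlobals() snippet quoted next is shown performing (whatever the real function does after that step is outside the quoted code), and parseIncomingModel() is a simplified stand-in for parseIncomingRecursively() that just copies keys with the later source winning, which is all the "GET first, then overwrite with POST" comments in init() establish. The $get and $post arrays are constructed sample input, not captured requests.

```php
<?php
// Added example, not code from Invision Power Board.
// Models the request preprocessing traced from ipsRegistry::init().

// Stand-in for IPSLib::cleanGlobals(): walks the array recursively and
// strips null bytes from every scalar. chr('0') in the original code
// evaluates to chr(0), i.e. "\0"; only this visible step is modelled.
function cleanGlobalsModel( array &$data )
{
    foreach ( $data as $k => $v )
    {
        if ( is_array( $v ) )
        {
            cleanGlobalsModel( $data[ $k ] );
        }
        else
        {
            $data[ $k ] = str_replace( chr(0), '', $v );
        }
    }
}

// Simplified stand-in for IPSLib::parseIncomingRecursively( $source, $into ):
// copies $source into $into, so a key present in both is taken from $source.
function parseIncomingModel( array $source, array $into )
{
    foreach ( $source as $k => $v )
    {
        $into[ $k ] = $v;
    }
    return $into;
}

// Same sequence as init(): clean the superglobals, parse GET, then let POST
// overwrite it. Returns what init() would store in self::$request.
function buildRequest( array $get, array $post )
{
    cleanGlobalsModel( $get );
    cleanGlobalsModel( $post );

    $input   = parseIncomingModel( $get, array() );   // GET first
    $request = parseIncomingModel( $post, $input );   // then overwrite with POST
    return $request;
}

// Constructed sample input (not a real request): a null byte in a scalar,
// a null byte inside a nested array, and a key supplied by both methods.
$get  = array(
    'act'    => 'idx',
    'f'      => "../../etc/passwd\0.php",
    'nested' => array( 'a' => "x\0y" ),
);
$post = array(
    'act' => 'login',
    'q'   => "it's",
);

$request = buildRequest( $get, $post );
var_dump( $request );
```

Running it shows the two properties that matter when reading the rest of the trace: every null byte is gone from both top-level and nested values, while other characters (the "../" sequence, the single quote) pass this step untouched, and 'act' ends up as 'login' because the POST value overwrote the GET value. What later stages of IPB do with these values is not shown by the snippets above.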
line | file: admin/sources/base/core.php
1644 | static public function cleanGlobals( &$data, $iteration = 0 )
1645 | {
... |
1654 | foreach( $data as $k => $v )
1655 | {
1656 | if ( is_array( $v ) )
1657 | {
1658 | self::cleanGlobals( $data[ $k ], ++ $iteration );
1659 | }
1660 | else
1661 | {
1662 | # Null byte characters
1663 | $v = str_replace( chr('0') , '', $v );
1664 | $v = str_replace( "