Invision Power Services IP.Board is a widely used forum package, available for download or as part of a fully managed hosted community offering. IP.Board version 3.0.2 has been found to contain vulnerabilities in its search engine and in its lost-password recovery engine that allow remote attackers to perform blind SQL injection. As a result, a remote unauthenticated attacker is able to manipulate the database and fetch sensitive information, for example admin credentials.
Credit:
The information has been provided by Noam Rathaus.
Vulnerable Systems:
* Invision Power IP.Board version 3.0.2
1) SQL Injection in "search.php"
Because unsanitized user-submitted data from the parameter "search_term" is used in a SQL query, a remote authenticated attacker can cause IP.Board to execute arbitrary SQL statements on the database server.
From "admin/applications/core/modules_public/search/search.php" line ~202
public function searchResults()
{
    /* Search Term */
    /* The request value is urldecoded a second time here, after IP.Board's input handling has already run */
    $search_term = str_replace( "&quot;", '"', urldecode( $this->request['search_term'] ) );
    $search_term = str_replace( "&amp;", '&', $search_term );
    ...
    /* Count the number of results */
    $total_results = $this->search_plugin->getSearchCount( $search_term, '', $content_titles_only );
As seen above, the user-submitted parameter "search_term" is processed with the PHP function "urldecode()". If an attacker sends "%2527" in the HTTP request, the web server's own percent-decoding leaves "%27" in the request data, so "urldecode()" receives "%27" and decodes it to "'" (a single quote).
Let's follow execution flow:
From "admin/applications/forums/extensions/searchPlugin.php" line ~253
public function getSearchCount( $search_term, $group_by='', $content_title_only=false ) {
    ...
    {
        /* Query the count */
        $this->DB->build( array(
            'select'   => 'COUNT(*) as total_results',
            'from'     => array( 'posts' => 'p' ),
            'where'    => $this->_buildWhereStatement( $search_term, $content_title_only ),
            'group'    => $group_by,
            'add_join' => array(
            ...
        $this->DB->execute();
The source code shows that the potentially unsafe variable "search_term" is used to build the SQL query.
Sanitization of the data after "urldecode()" is clearly needed, but in this case there is no sufficient sanitization of the user-submitted data.
Thus a remote unauthenticated attacker is able to manipulate the database and fetch sensitive information, for example admin credentials.
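The following standalone PHP script is an added illustration, not IP.Board's code. It models the ordering the advisory describes: a quote-escaping input filter runs on the request value first, "urldecode()" runs afterwards, and the decoded value is concatenated into SQL. It then performs the same count with a bound parameter. The functions "filterInput()", "buildCountSqlVulnerable()" and "countPostsSafe()", the in-memory SQLite "posts" table and the availability of the pdo_sqlite extension are all assumptions made for the example.

```php
<?php
// Added example (not IP.Board code). Models the search.php ordering described
// in the advisory: filter first, urldecode() second, concatenate third. The
// PDO/SQLite lookup and the function names are assumptions for illustration.

// Stand-in for a quote-escaping input filter applied to raw request data.
// Against "%27" it has nothing to escape and returns the value unchanged.
function filterInput(string $value): string
{
    return addslashes($value);
}

// Same construction pattern as the advisory's search flow: urldecode() after
// the filter turns "%27" into a real quote, which is spliced into the SQL text.
function buildCountSqlVulnerable(array $request): string
{
    $search_term = urldecode(filterInput($request['search_term']));
    return "SELECT COUNT(*) AS total_results FROM posts WHERE post LIKE '%{$search_term}%'";
}

// Hardened version: the decoded term goes in as a bound parameter, so a quote
// in it is data, never SQL syntax. No escaping filter is needed on this path.
function countPostsSafe(PDO $db, array $request): int
{
    $search_term = urldecode($request['search_term']);
    $stmt = $db->prepare("SELECT COUNT(*) AS total_results FROM posts WHERE post LIKE :term");
    $stmt->execute([':term' => '%' . $search_term . '%']);
    return (int) $stmt->fetchColumn();
}

// Constructed in-memory table standing in for the forum's posts table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (pid INTEGER PRIMARY KEY, post TEXT)");
$db->exec("INSERT INTO posts (post) VALUES ('it''s fine'), ('no apostrophe here')");

// Constructed request: the client sent "it%2527s" on the wire, so after the
// web server's single percent-decoding PHP sees "it%27s" in the request array.
$request = ['search_term' => 'it%27s'];

$sql = buildCountSqlVulnerable($request);
echo "Concatenated SQL: {$sql}\n";
try {
    $db->query($sql);
    echo "Query ran\n";
} catch (PDOException $e) {
    // The decoded quote closed the string literal early and broke the statement.
    echo "Query rejected: the decoded quote changed the statement structure\n";
}

echo "Bound-parameter count for the same request: " . countPostsSafe($db, $request) . "\n";
```

Run with "php example.php". The concatenated statement fails because the quote that appeared only after "urldecode()" terminates the LIKE literal early; the bound-parameter version treats the same input as data and returns a count of 1. The general lesson is that any escaping or filtering applied to request data is void if the data is decoded again afterwards, which is why the fix is to bind parameters rather than to move the filter.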
2) SQL Injection in "lostpass.php"
Because unsanitized user-submitted data from the parameter "aid" is used in a SQL query, a remote authenticated attacker can cause IP.Board to execute arbitrary SQL statements on the database server.
From "admin/applications/core/modules_public/global/lostpass.php" line ~430
public function lostPasswordValidateForm( $msg='' ) {
    ...
    if( $this->request['uid'] AND $this->request['aid'] )
    {
        $in_user_id      = intval( trim( urldecode( $this->request['uid'] ) ) );
        $in_validate_key = trim( urldecode( $this->request['aid'] ) );
        $in_type         = trim( $this->request['type'] );
        ...
        if (! IPSText::md5Clean( $in_validate_key ) )
        {
            $this->registry->output->showError( 'validation_key_incorrect', 10113 );
        }
        if (! preg_match( "/^(?:\d){1,}$/", $in_user_id ) )
        {
            $this->registry->output->showError( 'uid_key_incorrect', 10114 );
        }
        /* Attempt to get the profile of the requesting user */
        $member = IPSMember::load( $in_user_id );
        if( ! $member['member_id'] )
        {
            $this->registry->output->showError( 'lostpass_no_member', 10115 );
        }
        /* Get validating info.. */
        $validate = $this->DB->buildAndFetch( array(
            'select' => '*',
            'from'   => 'validating',
            'where'  => "member_id={$in_user_id} and vid='{$in_validate_key}' and lost_pass=1"
        ) );
As seen above, the user-submitted parameter "aid" is processed with the PHP function "urldecode()". If the attacker sends "%2527" in a GET request, "urldecode()" receives "%27" and decodes it to "'" (a single quote).
The variable "in_validate_key" is supposed to be sanitized by this function:
static public function md5Clean( $text ) {
    return preg_replace( "/[^a-zA-Z0-9]/", "" , substr( $text, 0, 32 ) );
}
However, "md5Clean()" is used incorrectly in this case: its return value is only tested in the "if" condition and is never assigned back to "in_validate_key", so the key that reaches the query is still the unsanitized one and the function is not doing its job as expected.
As a result, a remote unauthenticated attacker is able to manipulate the database and fetch sensitive information or bypass access controls.
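The script below is an added illustration, not IP.Board's code. It reproduces "md5Clean()" exactly as quoted above and places two wrapper functions around it: "validateKeyAsInLostpass()" mirrors the pattern in "lostpass.php", where the return value is only tested for truthiness, and "validateKeyFixed()" shows the corrected use. Both wrapper names, the 32-character length check and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example (not IP.Board code). md5Clean() is reproduced as shown in the
// advisory; the two wrapper functions are assumptions that isolate the pattern
// from lostpass.php and its correction.

function md5Clean(string $text): string
{
    return preg_replace("/[^a-zA-Z0-9]/", "", substr($text, 0, 32));
}

// The lostpass.php pattern: md5Clean()'s return value is only tested for
// truthiness and then discarded, so $in_validate_key reaches the query unchanged.
function validateKeyAsInLostpass(string $in_validate_key): ?string
{
    if (!md5Clean($in_validate_key)) {
        return null;            // showError( 'validation_key_incorrect' ) in the original
    }
    return $in_validate_key;    // still whatever the client sent
}

// Corrected use: keep the cleaned value, and reject input that cleaning had to
// alter or that is not 32 characters long (the length md5Clean() is built around;
// the exact length requirement is an assumption of this example).
function validateKeyFixed(string $in_validate_key): ?string
{
    $clean = md5Clean($in_validate_key);
    if ($clean !== $in_validate_key || strlen($clean) !== 32) {
        return null;
    }
    return $clean;
}

// Constructed request values. The first models "%2527" on the wire: the web
// server's decoding leaves "%27", and the explicit urldecode() below turns it
// into a quote. The second is a well-formed 32-character key.
$samples = [
    'abcdef0123456789abcdef0123456%27',   // 29 safe characters + encoded quote
    '0123456789abcdef0123456789abcdef',   // 32 safe characters
];

foreach ($samples as $raw) {
    $in_validate_key = trim(urldecode($raw));
    $asShipped = validateKeyAsInLostpass($in_validate_key);
    $fixed     = validateKeyFixed($in_validate_key);
    printf("input %-36s  as in lostpass.php: %-36s  fixed: %s\n",
        var_export($in_validate_key, true),
        var_export($asShipped, true),
        var_export($fixed, true));
}
```

For the first sample, "md5Clean()" strips the quote and returns a non-empty string, so the "if" check passes and "validateKeyAsInLostpass()" hands back the key with the quote still in it; "validateKeyFixed()" notices that cleaning changed the value and returns null. The second sample passes both. The same review question applies to any sanitizer that returns a cleaned copy: confirm the caller actually uses the copy.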
Original article; if reposted, please credit: reposted from 心动吧黑客BLOG [ http://www.abcxd.com/abcxd/ ]
Link to this article: http://www.abcxd.com/abcxd/abcxdArticle/PHPoday/Invision-sql.html