| VID | 21304 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The Invision Power Board package installed on the remote web server is vulnerable to SQL injection via the 'ssi.php' script. Invision Power Board is a PHP-based web forum software package distributed by Invision Power Services, Inc. Version 1.3.1 Final is vulnerable because the 'ssi.php' script does not properly filter user-supplied data. By passing malicious SQL commands to the backend database through 'ssi.php', as in the following request:
http://[target_server]/ssi.php?a=out&type=xml&f=0)[SQL-INJECTION]
a remote attacker could delete or read sensitive data, or execute commands or procedures on the backend database.
* References: http://archives.neohapsis.com/archives/bugtraq/2004-06/0116.html
* Platforms Affected: Invision Power Board 1.3.1 Final; any operating system, any version |
| Recommendation | No upgrade or patch for this vulnerability was available as of June 2004. |
| Related URL | (CVE) |
| Related URL | 10511 (SecurityFocus) |
| Related URL | 16376 (ISS) |