| VID |
21551 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
Invision Power Board is vulnerable to SQL injection in the 'index.php' script. Invision Power Board is a PHP-based web forum software package distributed by Invision Power Services, Inc. Versions 1.3.1 and earlier could allow a remote attacker to execute arbitrary SQL commands via the 'st' parameter to the 'index.php' script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* Note: This check relies solely on the version number of the Invision Power Board installed on the remote web server to assess this vulnerability, so the result might be a false positive.
* References: http://archives.neohapsis.com/archives/bugtraq/2005-04/0136.html http://www.securitytracker.com/alerts/2005/Apr/1013676.html
* Platforms Affected: Invision Power Services, Invision Power Board versions 1.3.1 and earlier; any operating system, any version |
| Recommendation |
Upgrade to the latest version of IPB (2.0.0 or later), available from the Invision Power Services Update site at http://www.invisionpower.com/apps/board/ |
| Related URL |
CVE-2005-1070 (CVE) |
| Related URL |
13097 (SecurityFocus) |
| Related URL |
20059 (ISS) |
|