| VID |
21615 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its version number, the Invision Power Board installed on the remote web server has a privilege escalation vulnerability. Invision Power Board is a PHP-based Web forum software package distributed by Invision Power Services, Inc. Invision Power Board versions 1.0 through 2.0.4 could allow a remote authenticated attacker to gain elevated privileges because of an error when deleting user groups. A remote authenticated attacker with non-root administrator privileges could exploit this vulnerability to become part of the root administrator group without providing sufficient authentication credentials. Root administrators have complete access to the application and the underlying database.
* Note: This check relies solely on the version number of the Invision Power Board installed on the remote web server to assess this vulnerability, so the result might be a false positive.
* References:
  * http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034355.html
  * http://secunia.com/advisories/15545/
* Platforms Affected: Invision Power Services, Invision Power Board versions 1.0 through 2.0.4; Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of IPB (greater than 2.0.4) from the Invision Power Services Update site at http://www.invisionpower.com/apps/board/ |
| Related URL |
CVE-2005-1816 (CVE) |
| Related URL |
13797 (SecurityFocus) |
| Related URL |
20840 (ISS) |
|