Invision Community Blog EID Parameter SQL Injection Vulnerability
BID:12205
Info
Invision Community Blog EID Parameter SQL Injection Vulnerability
| Bugtraq ID: | 12205 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2005 12:00AM |
| Updated: | Jan 09 2005 12:00AM |
| Credit: | Discovery is credited to darkhawk matrix <[email protected]>. |
| Vulnerable: |
Invision Power Services Invision Community Blog 1.0 |
| Not Vulnerable: | |
Discussion
Invision Community Blog EID Parameter SQL Injection Vulnerability
Invision Community Blog is reported prone to SQL injection attacks. User-supplied input supplied through the 'eid' URI parameter is used in a database query without sufficient sanitization.
An attacker may leverage this issue to manipulate SQL query strings and potentially carry out arbitrary database queries. This may facilitate the disclosure or corruption of sensitive database information.
All versions of Invision Community Blog are considered vulnerable to this issue.
Invision Community Blog is reported prone to SQL injection attacks. User-supplied input supplied through the 'eid' URI parameter is used in a database query without sufficient sanitization.
An attacker may leverage this issue to manipulate SQL query strings and potentially carry out arbitrary database queries. This may facilitate the disclosure or corruption of sensitive database information.
All versions of Invision Community Blog are considered vulnerable to this issue.
Exploit / POC
Invision Community Blog EID Parameter SQL Injection Vulnerability
An exploit is not required.
The following proof of concept example is available:
http://www.example.com/forum/index.php?automodule=blog&blogid=14&cmd=showentry&eid=4%20injectionhere
An exploit is not required.
The following proof of concept example is available:
http://www.example.com/forum/index.php?automodule=blog&blogid=14&cmd=showentry&eid=4%20injectionhere
Solution / Fix
Invision Community Blog EID Parameter SQL Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Invision Community Blog EID Parameter SQL Injection Vulnerability
References:
References:
- Invision Community Blog Product Page (Invision Power Services)
- SQL Injection Vulnerability in Invision Community Blog (darkhawk matrix
)