BID:21374

Invision Community Blog EID Parameter SQL Injection Vulnerability

Info

Invision Community Blog EID Parameter SQL Injection Vulnerability

Bugtraq ID:	21374
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Nov 18 2006 12:00AM
Updated:	Dec 04 2006 06:09PM
Credit:	[email protected] is credited with the discovery of this vulnerability.
Vulnerable:	Invision Power Services Invision Community Blog 1.2.4

Not Vulnerable:

Discussion

Invision Community Blog EID Parameter SQL Injection Vulnerability

Invision Community Blog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to access sensitive data; other attacks may be possible.

Note: Successfully exploiting this issue may require specific circumstances.

Invision Community Blog 1.2.4 and prior versions are vulnerable.

Exploit / POC

Invision Community Blog EID Parameter SQL Injection Vulnerability

An attacker can exploit this issue via a web client.

The following exploit code is available:

/data/vulnerabilities/exploits/21374.txt

Solution / Fix

Invision Community Blog EID Parameter SQL Injection Vulnerability

Solution:
The vendor has released a patch to address this issue. Contact the vendor for details on obtaining and applying the appropriate updates.

References

Invision Community Blog EID Parameter SQL Injection Vulnerability

References:

Invision Community Blog Product Page (Invision Power Services)
IP.Blog 1.2.4 Security Update (IPS Management)
Invision Community Blog Mod 1.2.4 .PHP SQL Injection Vulnerability ([email protected] )
Re: Invision Community Blog Mod 1.2.4 .PHP SQL Injection ([email protected])