Invision Power Board Multiple Local File Include Vulnerabilities

Bugtraq ID:	52998
Class:	Input Validation Error
CVE:	CVE-2012-2226
Remote:	Yes
Local:	No
Published:	Apr 12 2012 12:00AM
Updated:	Apr 13 2012 06:00PM
Credit:	Janek Vind
Vulnerable:	Invision Power Services Invision Power Board 3.3 Invision Power Services Invision Power Board 3.2.3 Invision Power Services Invision Gallery 4.2.1 Invision Power Services Invision Gallery 4.2
Not Vulnerable:	Invision Power Services Invision Power Board 3.3.1

Invision Power Board Multiple Local File Include Vulnerabilities

Invision Power Board is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Invision Power Board 3.3.0 and 3.2.3 are vulnerable; other versions may also be affected.

Invision Power Board Multiple Local File Include Vulnerabilities

Attackers can exploit these issues with a browser.

The following example code is available:

• /data/vulnerabilities/exploits/52998.txt

Invision Power Board Multiple Local File Include Vulnerabilities

Solution:
Updates are available. Please see the references for details.

Invision Power Board Multiple Local File Include Vulnerabilities

References:

• Invision Power Board Homepage (Invision Power Services )
  
• IP.Board 3.3.1, IP.Blog 2.5.2, IP.SEO 1.5.2 and Updates for IP.Board 3.2.x, IP.G (Invision Power Services)
  
• [waraxe-2012-SA#086] - Local File Inclusion in Invision Power Board 3.3.0 (come2waraxe)
  
• [waraxe-2012-SA#086] - Local File Inclusion in Invision Power Board 3.3.0 (Janek Vind )