Invision Power Board Multiple SQL Injection Vulnerabilities Network Vulnerability

Summary

The host is running Invision Power Board and is prone to multiple SQL Injection vulnerabilities.

Impact

Succesful exploitation will allow attackers to access and modify the backend database by injecting arbitrary SQL queries. Impact Level: Application

Solution

Apply the following patch, http://community.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/ ***** NOTE: Please ignore this warning if the above mentioned patch is already applied. *****

Insight

Tha input passed into 'search_term' parameter in search.php and in 'aid' parameter in lostpass.php is not porpperly sanitisied before being used to construct SQL queries.

Affected

Invision Power Board version 3.0.0, 3.0.1, and 3.0.2.

References

http://en.securitylab.ru/nvd/387879.php
http://www.vupen.com/english/advisories/2009/2413

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3974
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Alchemy Eye HTTP Command Execution
Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability
b2ePMS Multiple SQL Injection Vulnerabilities
AdPeeps 'index.php' Multiple Vulnerabilities.
ARRIS 2307 Unprotected Web Console

Take action and discover your vulnerabilities