header-logo
Suggest Exploit
vendor:
Invision Power Board
by:
Unknown
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Invision Power Board
Affected Version From: 1.3.1 Final
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:invision_power_services:invision_power_board:1.3.1
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

SQL Injection in Invision Power Board ‘ssi.php’ script

Invision Power Board's 'ssi.php' script is prone to an SQL injection vulnerability. Attackers can exploit this vulnerability by passing SQL statements to the underlying database through the script. Depending on the underlying database, this vulnerability can result in data corruption or theft, execution of commands or procedures on the database server, or exploitation of other vulnerabilities in the database.

Mitigation:

It is recommended to sanitize and validate user input before using it in SQL queries. Invision Power Board should release a patch or update to address this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10511/info

Invision Power Board is reported prone to an SQL injection vulnerability in its 'ssi.php' script.

Due to improper filtering of user supplied data, 'ssi.php' is exploitable by attackers to pass SQL statements to the underlying database.

The impact of this vulnerability depends on the underlying database. It may be possible to corrupt/read sensitive data, execute commands/procedures on the database server or possibly exploit vulnerabilities in the database itself through this condition.

Version 1.3.1 Final of Invision Power Board is reported vulnerable. Other versions may also be affected as well.

*** There have been conflicting reports stating the the vulnerable variable only accepts integer values and not arbitrary strings. 

http://www.example.com/ssi.php?a=out&type=xml&f=0)[SQL-INJECTION]