Search | Research | Contact Us Tuesday January 17, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 eBay And Amazon Still Vulnerable
  4 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  5 Woltlab Burning Board SQL Injection Vulnerability
  6 When Small Mistakes Can Cause Big Problems
  7 Multiple Vulnerabilities In phpWebsite
  8 Critical Vulnerability In Help Center Live
  9 dbPowerAmp Buffer Overflow And DoS Vulnerabilities
10 Document Object Model Hijacking Explained
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Invision Gallery SQL Injection Vulnerabilities
March 22, 2022
Vendor : Invision Power Services
URL : http://www.invisiongallery.com
Version : Invision Gallery 1.0.1
Risk : SQL Injection Vulnerabilities
BID : http://www.securityfocus.com/bid/9944


Description:
Invision Gallery is a fully featured, powerful gallery system that is easy and fun to use! It plugs right into your existing Invision Power Board to create a seamless browsing experience for the users of your forum. We've taken many of the most popular feature requests from our customers and integrated them into this product.

SQL Injection Vulnerability:
Invision Gallery seems to come up very short concerning validation of user supplied input. It is vulnerable to a number of SQL Injection vulnerabilities. Also, because Invision Gallery is integrated into Invision power Board it is VERY much possible for an attacker to use the vulnerabilities in Invision Gallery to affect the Invision Power Board which it resides on. Most of the non validated input that allow for the injections take place right in the middle of a WHERE statement making them that much easier to exploit. Lets look at an example error.

mySQL query error: SELECT * FROM ibf_gallery_categories WHERE 
id=[Evil_Query]
mySQL error: You have an error in your SQL syntax.  Check the manual 
that corresponds to your MySQL server version for the right syntax to 
use near '[Evil_Query]' at line 1
mySQL error code: 
Date: Sunday 21st of March 2004 11:28:18 AM

As we can see from this it would be of little difficulty for any attacker to execute arbitrary requests. For example pulling the admin hash and/or possibly taking admin control over an affected Invision Gallery or Invision Power Board installation. Here are some example urls that could be exploited by an attacker.

index.php?act=module&module;=gallery&cmd;=si&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=editimg&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=ecard&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=moveimg&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=delimg&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=post&cat;=[SQL]
index.php?act=module&module;=gallery&cmd;=sc&op;=user&sort;_key=[SQL]
index.php?act=module&module;=gallery&cmd;=sc&op;=user&sort;_key=dateℴ_key=[SQL]
index.php?act=module&module;=gallery&cmd;=favs&op;=add&img;=[SQL]
index.php?act=module&module;=gallery&cmd;=slideshow&cat;=[SQL]
index.php?act=module&module;=gallery&cmd;=user&user;=[SQL]&op;=view_album&album;=1
index.php?act=module&module;=gallery&cmd;=user&user;=[SQL]
index.php?act=module&module;=gallery&cmd;=user&user;=1&op;=view_album&album;=[SQL]

Some of these are easier to exploit than others obviously, but the large number of SQL Injection possibilities definitely makes it that much easier for an attacker to get results from these issues.

Solution:
The Invision Power Services team were contacted immediately and hopefully a fix will be available soon since this is an application that cost users money to use.

Credits:
James Bercegay of the GulfTech Security Research Team.