Invision Gallery Vulnerabilities
June 09, 2022
Vendor : Invision Power Services
URL : http://www.invisiongallery.com
Version : All Versions Prior To 1.3.1
Risk : Multiple Vulnerabilities


Description:
Invision Gallery is community-based gallery software that can be integrated into Invision Power Board. There are several security issues in Invision Gallery: an attacker may force a user into unknowingly or unwillingly performing actions on the attacker's behalf, or may influence SQL queries and retrieve sensitive information contained within the underlying database. An upgrade has been available for several weeks now and all users should upgrade their gallery installations as soon as possible.


Cross Site Request Forgery:
The proper precautions are not taken when dealing with certain actions, and as a result an attacker can force a user to delete images and albums by having them simply follow a malicious link, or by including the link in an embedded tag such as img or iframe.

http://localhost/index.php?act=module&module=gallery&cmd=albums&op=del&album=2
http://localhost/index.php?act=module&module=gallery&cmd=delimg&img=2

The above links could be used to delete an album and an image, respectively. This issue arises as a result of not properly adhering to RFC 2616, section 9.1.1 (Safe Methods).


SQL Injection:
There are a couple of SQL Injection issues in Invision Gallery. The first vulnerability I will talk about presents itself when editing comments.

http://localhost/index.php?act=module&module=gallery&cmd=editcomment&comment=
-99%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,name,0,0,0%20FROM%20ibf_members%20
WHERE%201/*&img=1

The above example will select a user's name from the database, but this could just as easily be a password hash. The other SQL Injection issue is pretty dangerous and presents itself when voting on a photo: an attacker may supply arbitrary SQL statements instead of a rating and so influence an UPDATE query.
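
Both the Cross Site Request Forgery and the editcomment SQL Injection issue leave traces in web server logs that a defender can check for. The Python below is an added example, not code from this advisory or from Invision; it assumes combined-format access logs and a board hostname of forum.example, and its sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Method, request target and Referer from a combined-format access-log line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
ID_PARAMS = ("comment", "img", "album")  # numeric ids in the advisory's URLs
SITE_HOST = "forum.example"  # assumption: hostname of the protected board

# Constructed sample lines (not real traffic); the second reuses the advisory's URL.
SAMPLE = [
    '203.0.113.5 - - [09/Jun/2022:10:00:00 +0000] "GET /index.php?act=module&module=gallery&cmd=delimg&img=2 HTTP/1.1" 200 512 "http://other.example/page.html" "-"',
    '203.0.113.9 - - [09/Jun/2022:10:01:00 +0000] "GET /index.php?act=module&module=gallery&cmd=editcomment&comment=-99%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,name,0,0,0%20FROM%20ibf_members%20WHERE%201/*&img=1 HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.7 - - [09/Jun/2022:10:02:00 +0000] "GET /index.php?act=module&module=gallery&cmd=editcomment&comment=7&img=1 HTTP/1.1" 200 900 "http://forum.example/index.php" "-"',
]


def is_destructive(q):
    """True for the two delete actions listed in the advisory."""
    cmd, op = q.get("cmd", [""])[0], q.get("op", [""])[0]
    return cmd == "delimg" or (cmd == "albums" and op == "del")


def classify(line):
    """Return the list of findings for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    q = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if q.get("module", [""])[0] != "gallery":
        return []
    findings = []
    # SQL injection indicator: an id parameter that is not a plain integer.
    for name in ID_PARAMS:
        for value in q.get(name, []):
            if not re.fullmatch(r"\d+", value):
                findings.append(f"non-numeric {name}")
    # CSRF indicator: a delete sent via GET with a missing or off-site Referer.
    if m["method"] == "GET" and is_destructive(q):
        if urlsplit(m["referer"]).hostname != SITE_HOST:
            findings.append("cross-site delete via GET")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry[:60])
```

A missing Referer is only a weak signal, since some clients strip the header; the non-numeric id check is the more reliable of the two.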


Solution:
Updated versions of the Invision Gallery software have been available for many weeks now. Users should upgrade as soon as possible. Special thanks to the guys at Invision for fixing these issues so quickly :)


Credits:
James Bercegay of the GulfTech Security Research Team