Vulnerabilities > CVE-2006-7071 - SQL-Injection vulnerability in Invision Power Board

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
invision-power-services
nessus
exploit available

Summary

SQL injection vulnerability in classes/class_session.php in Invision Power Board (IPB) 2.1 up to 2.1.6 allows remote attackers to execute arbitrary SQL commands via the CLIENT_IP parameter.

Exploit-Db

description: Invision Power Board 2.1. CVE-2006-7071. Webapps exploit for php platform
file: exploits/php/webapps/2010.pl
id: EDB-ID:2010
last seen: 2016-01-31
modified: 2006-07-14
platform: php
port:
published: 2006-07-14
reporter: RusH
source: https://www.exploit-db.com/download/2010/
title: Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit
type: webapps

Nessus

NASL family: CGI abuses
NASL id: INVISION_POWER_BOARD_217.NASL
description: According to its banner, the installation of Invision Power Board on the remote host reportedly fails to sanitize input to the 'CLIENT_IP' HTTP request header before using it in database queries.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22089
published: 2006-07-24
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22089
title: Invision Power Board classes/class_session.php CLIENT_IP HTTP Header SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when 'description' is set the script only declares its
# metadata (identifiers, report text, scoring, scheduling constraints) and
# exits before any of the check logic further down is reached.
if (description)
{
  # --- Identity and cross-references ---------------------------------------
  script_id(22089);
  script_version("1.16");

  script_cve_id("CVE-2006-7071");
  script_bugtraq_id(18984);
  script_xref(name:"EDB-ID", value:"2010");

  script_name(english:"Invision Power Board classes/class_session.php CLIENT_IP HTTP Header SQL Injection");
  # The summary is accurate: the finding is derived from the reported
  # version, not from a request that exercises the header.
  script_summary(english:"Checks version of IPB");

  # --- Report text ---------------------------------------------------------
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is susceptible
to a SQL injection attack." );
  script_set_attribute(attribute:"description", value:
"According to its banner, the installation of Invision Power Board on
the remote host reportedly fails to sanitize input to the 'CLIENT_IP'
HTTP request header before using it in database queries.  An
unauthenticated attacker may be able to leverage this issue to
disclose sensitive information, modify data, or launch attacks against
the underlying database. 

Note that it's unclear whether successful exploitation depends on any
PHP settings, such as 'magic_quotes'." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Invision Power Board 2.1.7 or later." );

  # --- Scoring -------------------------------------------------------------
  # Base vector: network reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # NOTE(review): RL:U is the CVSS v2 value for "no remediation available",
  # which looks inconsistent with the solution attribute above naming 2.1.7
  # as the fixed release -- confirm before relying on the temporal score.
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # --- Dates, type and affected product ------------------------------------
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/07/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/14");
  script_cvs_date("Date: 2018/06/13 18:56:27");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:invisionpower:invision_power_board");
  script_end_attributes();

  # --- Scheduling ----------------------------------------------------------
  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Relies on the IPB detection plugin having recorded an install in the KB;
  # not scheduled when CGI scanning is disabled in the scan settings.
  script_dependencies("invision_power_board_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/invision_power_board");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


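# Pick the HTTP port to evaluate (default 80) and stop early when the host
# is not considered able to serve PHP, since IPB is a PHP application.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Read the install recorded in the KB for this port. The value is parsed
# below as "<version> under <path>"; only the version part is used.
install = get_kb_item(string("www/", port, "/invision_power_board"));
if (isnull(install)) exit(0);
matches = eregmatch(pattern:"^(.+) under (/.*)$", string:install);
if (!isnull(matches))
{
  ver = matches[1];

  # Version-only check: no request is sent to exercise the CLIENT_IP header,
  # so a finding means "reported version is in the affected range", not
  # "injection confirmed". An install patched in place that still reports an
  # old version will be flagged; verify the patch level before triaging.
  #
  # The patch-level digit must be followed by a non-digit or the end of the
  # string. The earlier form made that trailing class optional, so a
  # multi-digit patch level (constructed example: "2.1.10") would have been
  # matched through its "2.1.1" prefix and reported as affected.
  #
  # NOTE(review): the pattern also flags 0.x, 1.x and 2.0.x, which is wider
  # than the 2.1 - 2.1.6 range in the CVE summary; presumably older branches
  # are treated as unfixed -- confirm. A bare "2.1" with no patch level is
  # not matched.
  if (ver && ver =~ "^([01]\.|2\.(0\.|1\.[0-6]([^0-9]|$)))")
  {
    security_hole(port);
    # Record the finding in the KB under the generic SQL injection key for
    # this port.
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}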