Invision Power Board is a widely used web-based program.
Invision Power Board has an input validation vulnerability. Remote attackers may exploit this vulnerability to carry out SQL injection attacks.
Because user-supplied data is not properly filtered, attackers may carry out SQL injection attacks against the host by inserting SQL commands in the st parameter.
Affected Systems:
Invision PS Invision Board 1.3.1 Final
Invision PS Invision Board 1.3 Final
Invision PS Invision Board 1.3
Invision PS Invision Board 1.1.2
Invision PS Invision Board 1.1.1
Invision PS Invision Board 1.0.1
Invision PS Invision Board 1.0
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION
Temporary solution:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Add the following code at line 3 of /uploads/sources/memberlist.php:
// Reset the st offset to 0 unless the supplied value is numeric
if (!is_numeric($this->first)) {
    $this->first = "0";
}
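One way to spot requests like the test URL above in web server logs, as an added example that is not part of the original advisory: the script flags act=Members requests whose st value is not a plain number, mirroring the numeric check in the workaround. The combined access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A valid page offset is ASCII digits only (stricter than str.isdigit()).
DIGITS_RE = re.compile(r"[0-9]+")

def suspicious_st_values(log_line):
    """Return the non-numeric st values in a member-list request, else []."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    # parse_qs URL-decodes values and keeps every repeated parameter.
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    # Only the member list (act=Members) is covered by this advisory.
    if not any(v.lower() == "members" for v in query.get("act", [])):
        return []
    # Mirror the workaround: anything other than plain digits is not an offset.
    return [v for v in query.get("st", []) if v and not DIGITS_RE.fullmatch(v)]

def scan(lines):
    """Return (client_ip, bad_values) for each log line that should be reviewed."""
    hits = []
    for line in lines:
        bad = suspicious_st_values(line)
        if bad:
            hits.append((line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=30 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2004:10:00:05 +0000] "GET /forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2004:10:00:09 +0000] "GET /forums/index.php?act=Members&st=30&st=30%27 HTTP/1.1" 200 790',
    '192.0.2.77 - - [01/Jan/2004:10:00:12 +0000] "GET /forums/index.php?act=Search&st=abc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG):
        print(ip, values)
```

The third sample line repeats the st parameter; every occurrence is checked because the application may read either one.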
Vendor patch:
Invision PS
-----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software watch the vendor's homepage to obtain the latest version:
http://www.invisionboard.com/