Invision Power Board 1.3 - 'SSI.php' SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1054493 漏洞类型
发布时间 2004-06-11 更新时间 2004-06-11
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/24186
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/10511/info

Invision Power Board is reported prone to an SQL injection vulnerability in its 'ssi.php' script.

Due to improper filtering of user supplied data, 'ssi.php' is exploitable by attackers to pass SQL statements to the underlying database.

The impact of this vulnerability depends on the underlying database. It may be possible to corrupt/read sensitive data, execute commands/procedures on the database server or possibly exploit vulnerabilities in the database itself through this condition.

Version 1.3.1 Final of Invision Power Board is reported vulnerable. Other versions may also be affected as well.

*** There have been conflicting reports stating the the vulnerable variable only accepts integer values and not arbitrary strings. 

http://www.example.com/ssi.php?a=out&type=xml&f=0)[SQL-INJECTION]