MMG Issue

Date July 7, 2006

This is a message from MMG admin (Jason) in TalkGold:

Hi everyone. Sorry about this. It seems we are dealing with the same hacker that was doing this to talkgold a few days ago. It seems they are making posts on the forum that allow them to inject code on the forum and infect unpatched people with these viruses. I was able to remove it in about 2 or 3 minutes so the damage should have been very minimal.

I think right now is fixed. It seems that on last month there have been many bugs/exploits in IPB.

July 4:

Discovered By: CrAzY CrAcKeR

==============================

==

Example:-

/index.php?act=ketqua&code=showcat&idcat=[SQL]

/index.php?act=Attach&type=post&id=[SQL]

/index.php?act=Profile&CODE=[SQL]

/index.php?act=ketqua&code=[SQL]

/coins_list.php?member_id=[SQL]

/index.php?act=Login&CODE=[SQL]

/index.php?act=Help&CODE=[SQL]

/index.php?act=ref&id=[SQL]

Invision Power Board Index.PHP Act Parameter SQL Injection Vulnerability
BugTraq ID: 18782
Remote: Yes
Date Published: 2006-07-03
Relevant URL: http://www.securityfocus.com/bid/18782
Summary:
Invision Power Board is prone to an SQL-injection vulnerability. This issue is
due to a failure in the application to properly sanitize user-supplied input
before using it in an SQL query.

Successful exploitation could allow an attacker to compromise the application,
access or modify data, or exploit vulnerabilities in the underlying database
implementation.

Version 1.3 Final is affected; other versions may also be vulnerable to this
issue.

June 20:

Invision Power Board Admin.PHP Cross-site Scripting Vulnerability BugTraq
ID: 18450
Remote: Yes
Date Published: 2006-06-15
Relevant URL: http://www.securityfocus.com/bid/18450
Summary:
Invision Power Board is prone to a cross-site scripting vulnerability. This
issue is due to a failure in the application to properly sanitize user-supplied
input.

An attacker may use this issue to have arbitrary script code execute in the
browser of an unsuspecting user in the context of the affected site. This may
let the attacker steal cookie credentials; other attacks are also possible.

Category Posted in Internet

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>