Invision Power Board 'name'参数SQL注入漏洞
BUGTRAQ ID: 31288 CNCAN ID:CNCAN-2008092307 Invision Power Board是一款基于PHP的论坛程序。 Invision Power Board不正确处理用户提交的输入,远程攻击者可以利用漏洞进行SQL注入攻击,获得敏感信息或可操作数据库。 问题是脚本对'name'参数缺少过滤,构建恶意的SQL查询作为参数数据,可更改原来的SQL逻辑,获得敏感信息。 Invision Power Services Invision Power Board 2.3.5 Invision Power Services Invision Power Board 2.3.4 Invision Power Services Invision Power Board 2.3.1 Invision Power Services Invision Power Board 2.2.2 Invision Power Services Invision Power Board 2.2.1 Invision Power Services Invision Power Board 2.2 Invision Power Services Invision Power Board 2.1.6 Invision Power Services Invision Power Board 2.1.5.2006.04.25 Invision Power Services Invision Power Board 2.1.5 .2006.03.08 Invision Power Services Invision Gallery 2.1 Invision Power Services Invision Gallery 2.0.7 Invision Power Services Invision Gallery 2.0.6 Invision Power Services Invision Gallery 2.0.3 目前没有解决方案提供: <a href=http://www.invisionpower.com/ip.dynamic/products/board/index.html...
