Invision Power Top Site List 1.0/1.1 - 'id' SQL Injection

EDB-ID:

23868


Author:

JeiAr

Type:

webapps


Platform:

PHP

Date:

2004-03-22


source: https://www.securityfocus.com/bid/9945/info

It has been reported that Top Site List may be prone to an SQL injection vulnerability that may allow remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. The issue exists due to insufficient sanitizing of the 'id' URI parameter when using the 'comments' feature in 'index.php' script. 

Invision Power Top Site List versions 1.1 RC 2 and prior are reported prone to this issue.

index.php?act=comments&id=[Evil_Query]