Full Version: Invision Gallery Index.PHP SQL Injection Vulnerability
xiphoid
Invision Gallery is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

For security reasons the exploit and further details won't be posted here. I am not familiar with this forum software or this web site, so this was the easiest way for me to let you guys know.
Alεx
Whereas there are no 'known' exploits, if you believe you have found one, it is best PM'ing a member of the Invision Staff and they will be able to sort it from there, but you were right in not making it public.
BASHERS33
What I wish is that someone would ever answer me on steps to securing things to begin with. Every time I ask, I get ignored on ways to prevent injections in general, not necessarily only in IPB.
Adam Kinder
QUOTE (BASHERS33 @ Jan 23 2008, 01:14 PM) *
What I wish is that someone would ever answer me on steps to securing things to begin with. Every time I ask, I get ignored on ways to prevent injections in general, not necessarily only in IPB.


If it's heading towards the database, clean it. Cast numbers to their type via (int), (float), etc., run a string through a character cleaner. Especially make sure that " and ' are stripped out, along with `, hex codes, jscript (unless it's a template).
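The advice above (cast numbers to their type, never let raw request values reach the query) applied to a small "rate this image" handler, written here as an added example; it is not IPB or IP.Gallery code. The table name `gallery_images`, the column names and the `$pdo` PDO handle are assumptions for illustration; the weak form is shown only to make the contrast with the hardened form visible.

```php
<?php
// Added example (not IPB/IP.Gallery code). Assumed schema:
//   gallery_images(id INT, rating INT, caption VARCHAR(255))
// $pdo is an already-connected PDO handle (assumption).

// Weak form: request values are copied verbatim into the SQL text, so a
// non-numeric image_id or rating becomes part of the query itself.
function rate_image_weak(PDO $pdo, array $req): int
{
    $sql = "UPDATE gallery_images SET rating = rating + {$req['rating']} "
         . "WHERE id = {$req['image_id']}";
    return $pdo->exec($sql);
}

// Hardened form: numbers are cast with (int) so they can only ever be
// digits, range-checked, and then bound as typed parameters instead of
// being concatenated into the statement.
function rate_image(PDO $pdo, array $req): int
{
    $image_id = (int) ($req['image_id'] ?? 0);
    $rating   = (int) ($req['rating'] ?? 0);

    if ($image_id <= 0 || $rating < 1 || $rating > 5) {
        throw new InvalidArgumentException('bad image id or rating');
    }

    $stmt = $pdo->prepare(
        'UPDATE gallery_images SET rating = rating + :rating WHERE id = :id'
    );
    $stmt->bindValue(':rating', $rating, PDO::PARAM_INT);
    $stmt->bindValue(':id', $image_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Free text (an image caption) cannot be cast to a number. Rather than
// stripping quotes by hand, bind it as a parameter so the database driver
// handles the escaping; only the length is trimmed here.
function set_caption(PDO $pdo, int $image_id, string $caption): int
{
    $stmt = $pdo->prepare(
        'UPDATE gallery_images SET caption = :caption WHERE id = :id'
    );
    $stmt->bindValue(':caption', mb_substr($caption, 0, 255), PDO::PARAM_STR);
    $stmt->bindValue(':id', $image_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```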
BASHERS33
QUOTE (Adam Kinder @ Jan 23 2008, 12:27 PM) *
If it's heading towards the database, clean it. Cast numbers to their type via (int), (float), etc, run a string through a character cleaner. Especially make sure that " and ' are stripped out, along with `, hex codes, jscript ( unless it's a template ).

Thanks.

As far as numbers I do those properly (I think).

Actually when modding for IPB, I am usually unsure whether Invision's parser itself is going to be enough to clean everything up or not. For instance if something is entered via the editor (but in a modification which uses it), is anything going to automatically be secured since it goes through the parser file of IPB? Anything using the parser would be secured?

If so though, I don't see how there can then be an exploit even in gallery.
xiphoid
QUOTE (Alεx @ Jan 23 2008, 07:14 PM) *
Whereas there are no 'known' exploits, if you believe you have found one, it is best PM'ing a member of the Invision Staff and they will be able to sort it from there, but you were right in not making it public.


I've contacted JasonIPS
bfarber
Thank you for reporting the exploit. To ease people's fears which will undoubtedly arise from this report, here's the official report:

http://www.securityfocus.com/bid/20327/exploit

This issue was fixed with the release of Gallery 2.1.0, which happened in December of 2006.

I have emailed securityfocus to ask them to update the "Solution" for this particular report.
xiphoid
QUOTE (bfarber @ Jan 23 2008, 08:48 PM) *
Thank you for reporting the exploit. To ease people's fears which will undoubtedly arise from this report, here's the official report

http://www.securityfocus.com/bid/20327/exploit

This issue was fixed with the release of Gallery 2.1.0, which happened in December of 2006.

I have emailed securityfocus to ask them to update the "Solution" for this particular report.


Quite strange that they're allowing reposts of existing / old issues. It looked up to date and I have been able to reproduce the two security holes in the report today, though for the version reported, not on the latest of course. At vBulletin we had the same problem with SF where the last 15 reports were either bogus or 3 years old. I am glad the matter has been taken seriously and the problem resolved. The report looked like a serious issue, and was listed on their front page today, and there was no announcement on this forum, hence why I considered reporting it just in case. Thanks for the follow-up. I hope people are smart enough to upgrade to the latest version.

For reference, could you please link me to the announcement from 2006 where IPS reports it as resolved?
рuтzу
http://forums.invisionpower.com/index.php?...p;#entry1383071 << I think
bfarber
Yes, that looks right. This was over a year ago so I'm vague on the details - but the original report was an SQL injection with the rating routine, and we patched it and released an update.
xiphoid
For everybody that is still worried, you could always upgrade to the latest gallery if you haven't already.
They just released a 'maintenance' release I see: http://forums.invisionpower.com/index.php?showtopic=268988
Darken
Hummm, do these two security holes affect the IP.Gallery 2.2.x branch? (v2.2.0 and 2.2.1)
Tom T
No, it doesn't; as Brandon said, it was fixed back in 2005.

The release made yesterday has been planned and has been beta tested on this forum for a couple of weeks now.
xiphoid
QUOTE (maxpax @ Jan 26 2008, 08:38 AM) *
No, it doesn't; as Brandon said, it was fixed back in 2005.

The release made yesterday has been planned and has been beta tested on this forum for a couple of weeks now.
He said 2006.
bfarber
The issue reported was fixed near the end of 2006 (so, well over a year ago). If you are running Gallery 2.1.0 or higher you have nothing to worry about with regards to the exploit linked above.

2.2.2 is a bug-fix only release (there are no security fixes in it).
Darken
Okay, perfect! Thanks Brandon.
wburdine
QUOTE (bfarber @ Jan 23 2008, 11:48 AM) *
http://www.securityfocus.com/bid/20327/exploit
This issue was fixed with the release of Gallery 2.1.0, which happened in December of 2006.
I have emailed securityfocus to ask them to update the "Solution" for this particular report.


Do you think you can KNOCK a bit harder?
QUOTE
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
http://www.securityfocus.com/bid/20327/solution


morons I tell ya
bfarber
I just emailed them a few days ago. How quickly they update the report (or whether they do at all, really) I have no control over.
wburdine
Very good, thanks for the continued effort!
Lisa-Adam
IP.Gallery supports both GD-based image manipulation and ImageMagick. IP.Gallery allows you to completely control how your software will display the images to your users, such as whether or not to display a random sampling of the images and whether or not you wish to display the users who are browsing IP.Gallery. No one knows better how your site should present its content to your visitors, which is why IP.Gallery lets you choose how it should be done.