https://www.exploit-db.com/exploits/23868
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-968

InvisionPowerTopSiteList1.1RC2版本及之前版本的index.php存在SQL注入漏洞。远程攻击者可以借助注释行为的id参数执行任意SQL。

source: http://www.securityfocus.com/bid/9945/info

It has been reported that Top Site List may be prone to an SQL injection vulnerability that may allow remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. The issue exists due to insufficient sanitizing of the 'id' URI parameter when using the 'comments' feature in 'index.php' script. 

Invision Power Top Site List versions 1.1 RC 2 and prior are reported prone to this issue.

index.php?act=comments&id=[Evil_Query]

来源:XF
名称:invision-id-sql-injection(15568)
链接:http://xforce.iss.net/xforce/xfdb/15568
来源:BID
名称:9945
链接:http://www.securityfocus.com/bid/9945
来源:SECTRACK
名称:1009511
链接:http://securitytracker.com/id?1009511
来源:SECUNIA
名称:11187
链接:http://secunia.com/advisories/11187
来源:BUGTRAQ
名称:20040322InvisionPowerTopSiteListSQLInjectionVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107997924117652&w;=2