IPB 2.1.7 Security Update (Low and Medium Risk)


Guest IPS News

Hi all:

A forum I frequent received a SPAM message/topic today. I'm wondering if you guys are aware of any injection attack that is in the wild? Something involving manipulated post data or URL manipulation for example. He's on 2.1.7, but I can't see the specific patch level. I'm sure if I wanted to I could fingerprint the patch level eventually, but it isn't worth that much time. I'm not an admin of the forum, just a friend who used to run an IPB of my own... :thumbsup:

Before you flame... I read around a bit and searched here for some keywords I thought would return helpful information.


Thanks in advance!

-Bill

I too was hit this morning. Trying to figure out what and how it happened. Every time a user types "he" it is replaced with

[size=3][b]Free [url=http://warezasaur.us/forum/]Warez at WAREZASAUR.US[/url][/b][/size] [size=3][b]Free [url=http://warezasaur.us/forum/]Warez at WAREZASAUR.US[/url][/b][/size]



My forum is also sending out emails to all members with this:

Hey,

I just wanted to inform you of Warezasaur.us (http://warezasaur.us/forum/). Its a great new warez site with tons of downloads. best is its free. completely. movies games music mp3 books software.. everything. Check it out at Warezasaur.us (http://warezasaur.us/forum/)

Warezasaur.us (http://warezasaur.us/forum/)

Anyone have any ideas? I can not figure out how this happened.
I think this is the suitable topic to raise this question.

Why isn't there a "logout" option in the admin panel?

I logged on normally with my admin account. Then I went to the admin cp. I closed the admin cp and
logged out from the forum as well. I cleared the browser history, cookies, temp files and stuff.
However, in the admin panel, I copied and saved the address.

So after logging out from the forum and clearing browser cookies, history and temp files, I paste the address,
and guess what?

I'm in the admin panel!!!!!

You only have to copy the following:

http://yoursite.com/forum/admin.php?adsess=fe70c5139c4ea80b151e0a1ed9810f69&section=admin

So, what's up with that?

(by the way, I have changed the adsess numbers. don't even try it on my site. lol)

That's because the acp does not work off cookies, or temp files, or anything else.

Your IP gets bound to the session and it's stored in the db - for 15 minutes, you can access the acp if you stay active (once you are inactive for over 15 minutes, your session is dead, and won't be usable any longer). As stated - it can only be used by your IP (assuming you don't disable this security check for one reason or another).

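The session model the reply describes (a server-side record keyed by the adsess token, bound to the admin's IP, dying after 15 idle minutes, with no cookie involved) can be replayed in a few lines. This is an added illustration, not IPB's own code; the IP addresses are constructed documentation addresses, the in-memory dict stands in for the db table, and the explicit logout() is the feature the question asks about rather than anything the thread says 2.1.7 has.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # inactivity window described in the reply


class AdminSessionStore:  # stand-in for the db table that holds ACP sessions
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # adsess -> {"admin", "ip", "last_seen"}

    def create(self, admin_id, client_ip):
        adsess = secrets.token_hex(16)  # 32 hex chars, like the adsess in the URL
        self._sessions[adsess] = {"admin": admin_id, "ip": client_ip,
                                  "last_seen": self._clock()}
        return adsess

    def validate(self, adsess, client_ip, bind_ip=True):
        rec = self._sessions.get(adsess)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[adsess]  # idle too long: dead, as the reply says
            return None
        if bind_ip and rec["ip"] != client_ip:
            return None  # the IP binding that blocks a copied URL elsewhere
        rec["last_seen"] = now  # activity keeps the session alive
        return rec["admin"]

    def logout(self, adsess):
        # Hypothetical explicit ACP logout: drop the row immediately.
        return self._sessions.pop(adsess, None) is not None


def walk_through():
    """Replays the scenario from the thread with a controllable clock."""
    now = [1_000_000.0]
    store = AdminSessionStore(clock=lambda: now[0])
    adsess = store.create(admin_id=1, client_ip="203.0.113.10")  # constructed IP
    results = {}
    results["same_ip_soon"] = store.validate(adsess, "203.0.113.10")  # pasted URL works
    results["other_ip"] = store.validate(adsess, "198.51.100.7")  # rejected
    results["other_ip_unbound"] = store.validate(adsess, "198.51.100.7", bind_ip=False)
    now[0] += SESSION_TTL_SECONDS + 1  # 15 minutes of inactivity pass
    results["after_timeout"] = store.validate(adsess, "203.0.113.10")
    adsess2 = store.create(admin_id=1, client_ip="203.0.113.10")
    results["logout"] = store.logout(adsess2)
    results["after_logout"] = store.validate(adsess2, "203.0.113.10")
    return results
```

With the IP check disabled (the "one reason or another" case in the reply), the token alone is enough to reach the panel until the idle timer runs out, which is the situation the original poster reproduced.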
