IP.Board 2.0.0 to 2.1.7 Security Notice

[IPS News]

Reference: http://forums.invisionpower.com/index.php?showtopic=229129

[TestingSomething]

What I don't understand is if this is a security problem, why does this site have debug mode on and most other sites i go to, I see it as on. And to me personally it has no value to just use it every once in a while. I like seeing hw the times change, where I know better when to tell my host things are slower than normal.

[Michael]

This site does not have the debug mode on, it has the debug level set to 1. It's more important that set the debug mode to off than you set the debug level to 0.

[TestingSomething]

Oh, ok. Although it does still suggest changing it to level 0....

[Michael]

Yeah, I'm not sure why though, setting the debug mode to No seems to be sufficient.

[TestingSomething]

What exactly "is" debug mode? I always just glanced past it as needing to be set to ON for debug level 1 to show. I didn't realize it was something different.

[bfarber]

If you have debug level set to show sql queries at the bottom of the page, the same vulnerabilities still exist. So set the debug level low enough that SQL queries don't show on the page.

[TestingSomething]

Well I have it at 1, so it doesn't show those. ANy that would be shown when they click on the query count are too general to harm aren't they? They are just telling table names which things are selected from. But who knows.... I would like to keep it on level 1, but obviously only if it is not a vulnerability.

[TestingSomething]

Nevermind. I see now, when debug mode is turned off, clicking the query count wont even show the queries.

[gel]

debug level set to 1 would be a problem?

[TestingSomething]

No, that should not be a problem whatsoever. I don't know why it said change it to 0. It appears to me that the only info they get by it being at level 1 is the NUMBER of queries. So I sure don't see how that can be any problem.

[bfarber]

Ok, there appears to be some confusion here.

Enable SQL Debug Mode

You want to set this setting to "No". If it is on "Yes" regardless of the debug level, you can add &debug=1 to the page to see the SQL queries. That is where the insecurity comes in. It's working as intended, but you don't want this functionality available on your live site.

Debug level

This controls the debug information shown at the footer of your board.

You can safely set this to a 0 or a 1. Neither will show harmful information, and does not affect the above-mentioned SQL Debug Mode setting.

Setting this to a 2 shows GET and POST information. Not horribly sensitive, but on a live site, why would you want this on anyways? I don't recommend this for a live site.

Setting this to a 3 shows all of the above plus the SQL queries being run, thus you are still in the same boat as if youhad the SQL Debug Mode turned on. Do not leave this on a 3 on a live site.

[MindTooth]

I think this exploit was used ti crack a norwegian board yesterday. Damn jerks that do this...

[Charles]

It's not really an exploit so much. By leaving debug modes enabled, the software will politely report all the information to and from the database and such. All you have to do is view this information and possibly use it in a way that you should not.

More a case of knowing information you should not know.

[Carlson-online]

yeah i got hacked last night, dunno if it was this but somebody requested a password reminder email on my admin username email to be sent, and somehow managed to get in, change my Password and delete all my forums!
FFrrys was the groups name

[kamasheto]

Nobody ever said this issue was quite risky to the extent premature jerks can have admin access anytime they like! >.<

[RawkBob]

Nobody ever said this issue was quite risky to the extent premature jerks can have admin access anytime they like! >.<

yes they did...

While the SQL Debug tool is very useful, leaving it enabled when not in use poses a significant security risk. By design, the tool displays all data passing between our software and your database and therefore a malicious user could view potentially sensitive data and use that data to gain unauthorized access.

[andjelina1]

please tell me ..I use ipb forum 2.1.7
and I make back up...but I don"t know how install that file???

my back up is save on my pc..and what I can do with this file

Im a newbie...you see...

I know install or upload skin on forum..but back up...no,no,no and no

please tel me like a stupid girl...that I am :blush:

step by step

ths

[bfarber]

Please submit a ticket at http://invisionpower.com/customer for support.