IP.Board 2.0.0 to 2.1.7 Security Notice


Guest IPS News

What I don't understand is if this is a security problem, why does this site have debug mode on and most other sites I go to, I see it as on. And to me personally it has no value to just use it every once in a while. I like seeing how the times change, where I know better when to tell my host things are slower than normal.


Ok, there appears to be some confusion here.

Enable SQL Debug Mode


You want to set this setting to "No". If it is on "Yes" regardless of the debug level, you can add &debug=1 to the page to see the SQL queries. That is where the insecurity comes in. It's working as intended, but you don't want this functionality available on your live site.

Debug level


This controls the debug information shown at the footer of your board.



You can safely set this to a 0 or a 1. Neither will show harmful information, and does not affect the above-mentioned SQL Debug Mode setting.

Setting this to a 2 shows GET and POST information. Not horribly sensitive, but on a live site, why would you want this on anyways? I don't recommend this for a live site.

Setting this to a 3 shows all of the above plus the SQL queries being run, thus you are still in the same boat as if you had the SQL Debug Mode turned on. Do not leave this on a 3 on a live site.

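An added example, not part of the original thread and not IP.Board code: one way to find requests that append the `debug=1` parameter described above in a web-server access log. The combined log format, the constructed sample lines and the function names are assumptions; a hit shows that the parameter was requested, not that the board answered with query output.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2006:10:01:02 +0000] "GET /index.php?showtopic=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2006:10:01:09 +0000] "GET /index.php?showtopic=42&debug=1 HTTP/1.1" 200 9480 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2006:10:02:30 +0000] "GET /index.php?act=Search&keywords=debug%3D1 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2006:10:03:11 +0000] "GET /index.php?act=Login&debug=1 HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2006:10:03:15 +0000] "GET /index.php?showforum=3&debug=1 HTTP/1.1" 200 7700 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jun/2006:10:04:00 +0000] "GET /index.php?debug=0 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
malformed line without a request
"""

# client IP, timestamp, request target and status from one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def debug_requests(log_text):
    """Return (ip, timestamp, target) for requests carrying a debug=1 parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m["target"]).query
        # parse_qs splits on & and = before decoding percent-escapes, so a
        # search keyword containing the text "debug=1" is not a match.
        if "1" in parse_qs(query).get("debug", []):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

def hits_per_client(log_text):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _, _ in debug_requests(log_text))

if __name__ == "__main__":
    for ip, ts, target in debug_requests(SAMPLE_LOG):
        print(ip, ts, target)
    print(dict(hits_per_client(SAMPLE_LOG)))
```
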
  • Management

It's not really an exploit so much. By leaving debug modes enabled, the software will politely report all the information to and from the database and such. All you have to do is view this information and possibly use it in a way that you should not.

More a case of knowing information you should not know.


Nobody ever said this issue was quite risky to the extent premature jerks can have admin access anytime they like! >.<



yes they did...

While the SQL Debug tool is very useful, leaving it enabled when not in use poses a significant security risk. By design, the tool displays all data passing between our software and your database and therefore a malicious user could view potentially sensitive data and use that data to gain unauthorized access.


  • 3 weeks later...

please tell me ..I use ipb forum 2.1.7
and I make back up...but I don't know how install that file???

my back up is save on my pc..and what I can do with this file

I'm a newbie...you see...

I know install or upload skin on forum..but back up...no,no,no and no

please tell me like a stupid girl...that I am :blush:

step by step

ths


Archived

This topic is now archived and is closed to further replies.
