IPS News Posted November 1, 2006
Reference: http://forums.invisionpower.com/index.php?showtopic=229129
TestingSomething Posted November 1, 2006
What I don't understand is if this is a security problem, why does this site have debug mode on and most other sites I go to, I see it as on. And to me personally it has no value to just use it every once in a while. I like seeing how the times change, where I know better when to tell my host things are slower than normal.
Michael Posted November 1, 2006
This site does not have the debug mode on, it has the debug level set to 1. It's more important that you set the debug mode to off than that you set the debug level to 0.
TestingSomething Posted November 1, 2006
Oh, ok. Although it does still suggest changing it to level 0....
Michael Posted November 1, 2006
Yeah, I'm not sure why though, setting the debug mode to No seems to be sufficient.
TestingSomething Posted November 1, 2006
What exactly "is" debug mode? I always just glanced past it as needing to be set to ON for debug level 1 to show. I didn't realize it was something different.
bfarber Posted November 1, 2006
If you have debug level set to show SQL queries at the bottom of the page, the same vulnerabilities still exist. So set the debug level low enough that SQL queries don't show on the page.
TestingSomething Posted November 1, 2006
Well I have it at 1, so it doesn't show those. Any that would be shown when they click on the query count are too general to harm, aren't they? They are just telling table names which things are selected from. But who knows.... I would like to keep it on level 1, but obviously only if it is not a vulnerability.
TestingSomething Posted November 1, 2006
Never mind. I see now, when debug mode is turned off, clicking the query count won't even show the queries.
gel Posted November 2, 2006
Debug level set to 1 would be a problem?
TestingSomething Posted November 2, 2006
No, that should not be a problem whatsoever. I don't know why it said change it to 0. It appears to me that the only info they get by it being at level 1 is the NUMBER of queries. So I sure don't see how that can be any problem.
bfarber Posted November 2, 2006
Ok, there appears to be some confusion here.

Enable SQL Debug Mode
You want to set this setting to "No". If it is on "Yes" regardless of the debug level, you can add &debug=1 to the page to see the SQL queries. That is where the insecurity comes in. It's working as intended, but you don't want this functionality available on your live site.

Debug level
This controls the debug information shown at the footer of your board.
You can safely set this to a 0 or a 1. Neither will show harmful information, and does not affect the above-mentioned SQL Debug Mode setting.
Setting this to a 2 shows GET and POST information. Not horribly sensitive, but on a live site, why would you want this on anyways? I don't recommend this for a live site.
Setting this to a 3 shows all of the above plus the SQL queries being run, thus you are still in the same boat as if you had the SQL Debug Mode turned on. Do not leave this on a 3 on a live site.
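Added example (not part of the original thread and not Invision Power code): because appending &debug=1 is what reveals the queries when SQL Debug Mode is on, a board owner can check web server access logs for requests that carried that parameter. The log lines, addresses and paths below are constructed, and the Apache/nginx "combined" log format is an assumption about the server.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2006:10:15:01 +0000] "GET /index.php?showtopic=42 HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Nov/2006:10:15:09 +0000] "GET /index.php?showtopic=42&debug=1 HTTP/1.1" 200 40112 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Nov/2006:10:15:30 +0000] "GET /index.php?act=Login&debug=1 HTTP/1.1" 200 35220 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2006:10:16:02 +0000] "GET /index.php?act=Search&keywords=debug%3D1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# client IP, timestamp, request target and status from one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_debug_requests(log_text):
    """Return {client_ip: [(timestamp, status, target), ...]} for requests
    whose query string really contains the parameter debug=1."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        params = parse_qs(query, keep_blank_values=True)
        # Parse the query instead of grepping for "debug=1": the search
        # request above contains that text only inside another parameter's
        # value and must not be flagged.
        if "1" in params.get("debug", []):
            hits[m["ip"]].append((m["ts"], m["status"], m["target"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, requests in find_debug_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} request(s) with debug=1")
        for ts, status, target in requests:
            print(f"  [{ts}] {status} {target}")
```

Hits that predate setting Enable SQL Debug Mode to "No" show which pages were viewed with the parameter while the query output was still reachable.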
MindTooth Posted November 2, 2006
I think this exploit was used to crack a Norwegian board yesterday. Damn jerks that do this...
Charles (Management) Posted November 2, 2006
It's not really an exploit so much. By leaving debug modes enabled, the software will politely report all the information to and from the database and such. All you have to do is view this information and possibly use it in a way that you should not.
More a case of knowing information you should not know.
Carlson-online Posted November 7, 2006
Yeah, I got hacked last night, dunno if it was this, but somebody requested a password reminder email on my admin username email to be sent, and somehow managed to get in, change my password and delete all my forums! FFrrys was the group's name.
kamasheto Posted November 13, 2006
Nobody ever said this issue was quite risky to the extent premature jerks can have admin access anytime they like! >.<
RawkBob Posted November 13, 2006
> Nobody ever said this issue was quite risky to the extent premature jerks can have admin access anytime they like! >.<

Yes they did...

While the SQL Debug tool is very useful, leaving it enabled when not in use poses a significant security risk. By design, the tool displays all data passing between our software and your database and therefore a malicious user could view potentially sensitive data and use that data to gain unauthorized access.
andjelina1 Posted November 29, 2006
Please tell me... I use IPB forum 2.1.7 and I made a backup... but I don't know how to install that file??? My backup is saved on my PC... and what can I do with this file? I'm a newbie... you see... I know how to install or upload a skin on the forum... but a backup... no, no, no and no. Please tell me like a stupid girl... that I am :blush: step by step. Thanks
bfarber Posted November 29, 2006
Please submit a ticket at http://invisionpower.com/customer for support.
Archived
This topic is now archived and is closed to further replies.