Well once again our IPB board is being attacked and sure enough 2.3.5 has several vulnerabilities.

[Code removed]

Your own fault if you do not keep upto date with security patches.

http://forums.invisionpower.com/index.php?showtopic=276512

Yeah lets post an exploit for a board. Thats smart.

Dude, update and don't post the exploit.

Such a long complaint and post weeks after the 2.3.6 was released. I guess you didn't get the Memo (in you ACP landing page).

I'm not sure if that's a valid copy and paste of the actual exploit, but I reported this post just in case.

This was pre 2.3.6 fixed with a security patch to xmlout.php

With reference to the comment about 'better written code': unfortunately the nature of the web and the complexity of any web software means that hackers will find exploits if given enough time. This may be directly through bad sanitizing, or via XSS or via the underlying technologies such as PHP, MySQL, Unix, etc. The best we can do is write defensive code and review the code regularly. Both of which we do.

Check out any large software project. They patch security releases too. Even Microsoft with its billion dollar budget isn't immune as anyone who uses Windows will attest.

Yeah lets post an exploit for a board. Thats smart.

Dude, update and don't post the exploit.

A person who needs to come to invision site to copy or get the exploits , wont be able to use the exploit, if thats his level of thinking,
and if he is that smart. Nevertheless I dont condone either such acts.

Your own fault if you do not keep upto date with security patches.

http://forums.invisionpower.com/index.php?showtopic=276512

Uh dude you should read something and know something about what you read before commenting... our board is patched with the xmlout fix, unfortunately that is a bandaid to multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, the xmlout patch does not change the fact that user input is not properly sanitized leaving a hole for SQL injection.

Such a long complaint and post weeks after the 2.3.6 was released. I guess you didn't get the Memo (in you ACP landing page).

2.3.6 Says nothing about being a security enhancement it only states that it improved captcha which is a Spam fighting method

Uh dude you should read something and know something about what you read before commenting... our board is patched with the xmlout fix, unfortunately that is a bandaid to multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, the xmlout patch does not change the fact that user input is not properly sanitized leaving a hole for SQL injection.

2.3.6 Says nothing about being a security enhancement it only states that it improved captcha which is a Spam fighting method

If someone wants to take down your board, he can do It in a million ways. Don’t blame ipb for that.

If someone wants to take down your board, he can do It in a million ways. Don

Uh dude you should read something and know something about what you read before commenting... our board is patched with the xmlout fix, unfortunately that is a bandaid to multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, the xmlout patch does not change the fact that user input is not properly sanitized leaving a hole for SQL injection.

2.3.6 Says nothing about being a security enhancement it only states that it improved captcha which is a Spam fighting method

Just like everytime someone makes these kind of claims you're making, if what you're saying about the latest versions having so many exploits is true, we'd be hearing a lot more users reporting it. If the software had this many actual vulnerabilities in it, wouldn't sites like this one or other large sites using IPB already have been compromised? If you think there actually are these existing exploits, open a ticket in your client center or use one of the other means of contacting IPS to let them know about them. If they are valid, IPS will patch them, if not, then you evidently got exploited through some other means.

By the way, good way to secure your admin.php is simply to change the name of the file to something else.

As sad as that is, it's true. = (

but no matter what, you always have you backup :thumbsup:
the only way to truly kill some website, is to take over his domain name.

By the way, good way to secure your admin.php is simply to change the name of the file to something else.

If you've changed the admin directory name, then you don't even need the admin.php file at all anymore. In fact, I'm not even sure why it's still included in IPB.

If you've changed the admin directory name, then you don't even need the admin.php file at all anymore. In fact, I'm not even sure why it's still included in IPB.

Personally I deleted it,


As far as the comment about doubting the existence of the vulnerabilities, I posted a very clear step by step outline of each vulnerability. Why was our site targeted? well being one of the largest network security sites running IPB we tend to be a high target as each IPB vulnerability is found. The reason for my post was that though a small part of the vulnerabilities (XMLOUT) were released to milworm the rest were not and I was bringing it to Invision's attention.

Please send me said step-by-step instructions. I would be very interested in seeing them.

To my knowledge there are no current unpatched vulnerabilities.