When will we see better written code?


Guest Salvia

Management
Posted

With reference to the comment about 'better written code': unfortunately, the nature of the web and the complexity of any web software mean that hackers will find exploits if given enough time. This may be directly through bad sanitizing, or via XSS, or via the underlying technologies such as PHP, MySQL, Unix, etc. The best we can do is write defensive code and review the code regularly, both of which we do.

Check out any large software project. They patch security releases too. Even Microsoft, with its billion-dollar budget, isn't immune, as anyone who uses Windows will attest.

Posted

Yeah, let's post an exploit for a board. That's smart.



Dude, update and don't post the exploit.




A person who needs to come to the Invision site to copy or get the exploits won't be able to use the exploit, if that's his level of thinking, and if he is that smart. Nevertheless, I don't condone such acts either.
Posted

Your own fault if you do not keep up to date with security patches.



http://forums.invisionpower.com/index.php?showtopic=276512


Uh, dude, you should read something and know something about what you read before commenting. Our board is patched with the xmlout fix; unfortunately, that is a band-aid for multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, and the xmlout patch does not change the fact that user input is not properly sanitized, leaving a hole for SQL injection.


Such a long complaint, and posted weeks after 2.3.6 was released. I guess you didn't get the memo (on your ACP landing page).



2.3.6 says nothing about being a security enhancement; it only states that it improved the captcha, which is a spam-fighting method.
Posted

Uh, dude, you should read something and know something about what you read before commenting. Our board is patched with the xmlout fix; unfortunately, that is a band-aid for multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, and the xmlout patch does not change the fact that user input is not properly sanitized, leaving a hole for SQL injection.

2.3.6 says nothing about being a security enhancement; it only states that it improved the captcha, which is a spam-fighting method.



If someone wants to take down your board, he can do it in a million ways. Don't blame IPB for that.
Posted

Uh, dude, you should read something and know something about what you read before commenting. Our board is patched with the xmlout fix; unfortunately, that is a band-aid for multiple vulnerabilities that I posted. The XMLout patch does not prevent the use of redirection hijacking with the admin.php file, and the xmlout patch does not change the fact that user input is not properly sanitized, leaving a hole for SQL injection.

2.3.6 says nothing about being a security enhancement; it only states that it improved the captcha, which is a spam-fighting method.


Just like every time someone makes the kind of claims you're making: if what you're saying about the latest versions having so many exploits is true, we'd be hearing a lot more users reporting it. If the software had this many actual vulnerabilities in it, wouldn't sites like this one or other large sites using IPB already have been compromised? If you think there actually are these existing exploits, open a ticket in your client center or use one of the other means of contacting IPS to let them know about them. If they are valid, IPS will patch them; if not, then you evidently got exploited through some other means.
Posted

As sad as that is, it's true. =(



But no matter what, you always have your backup :thumbsup:
The only way to truly kill a website is to take over its domain name.
Posted

By the way, a good way to secure your admin.php is simply to change the name of the file to something else.


If you've changed the admin directory name, then you don't even need the admin.php file at all anymore. In fact, I'm not even sure why it's still included in IPB.
Posted

If you've changed the admin directory name, then you don't even need the admin.php file at all anymore. In fact, I'm not even sure why it's still included in IPB.

Personally, I deleted it.


As far as the comment about doubting the existence of the vulnerabilities: I posted a very clear step-by-step outline of each vulnerability. Why was our site targeted? Well, being one of the largest network security sites running IPB, we tend to be a high target as each IPB vulnerability is found. The reason for my post was that, though a small part of the vulnerabilities (XMLOUT) was released to milworm, the rest were not, and I was bringing it to Invision's attention.
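The two weaknesses argued over in this thread, an admin.php redirect that can be hijacked and SQL built from unsanitized request input, are usually closed with the same two defensive patterns: accept only a local path as a redirect target, and bind user values with prepared statements. The snippet below is an added illustration written for this page; it is not IPB code and does not reproduce any of the posted exploit steps. The function names, the `members` table and the sample inputs are all constructed.

```php
<?php
// Added example (not IPB code). Return a redirect target that stays on this site:
// only a single-slash relative path is accepted, anything else falls back to $default.
function safe_redirect_target($candidate, $default = '/index.php')
{
    // Control characters would allow header injection into the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Must start with exactly one "/" ("//host" and "/\host" are treated as
    // protocol-relative URLs by browsers and would leave the site).
    if ($candidate === '' || $candidate[0] !== '/'
        || substr($candidate, 0, 2) === '//' || substr($candidate, 0, 2) === '/\\') {
        return $default;
    }
    // Backslashes are normalised to "/" by some browsers; reject them outright.
    if (strpos($candidate, '\\') !== false) {
        return $default;
    }
    // Belt and braces: parse_url() must see neither a scheme nor a host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// Look up a member by name with a bound parameter (PDO) instead of string-building
// the SQL from request input; the driver keeps the value out of the SQL grammar.
function find_member(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM members WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: only the first one is allowed through.
$samples = array(
    '/index.php?act=idx',
    '//evil.example/',
    'http://evil.example/',
    '/\\evil.example',
    "/ok\r\nSet-Cookie: x=1",
);
foreach ($samples as $s) {
    echo json_encode($s), ' => ', safe_redirect_target($s), PHP_EOL;
}
```

`find_member()` needs a live PDO connection, so it is shown as a function only; the redirect checks run as-is from the command line.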

Archived

This topic is now archived and is closed to further replies.
