3.0.4 Local PHP File Inclusion and SQL Injection

awiedman · December 7, 2009

http://seclists.org/bugtraq/2009/Dec/46

How long till a patch is released?

bgk · December 7, 2009

http://community.invisionpower.com/topic/299835-turn-around-time-on-published-exploits/

Summary: Will be addressed in 3.0.5 to be released this week!

bfarber · December 7, 2009

The advisory of course sounds scary, but realistically both issues are relatively mitigated already. The SQL injection requires a moderator account (or above) to perform, and the local file inclusion requires that a malicious script has already been uploaded to your server. We have been verifying the patches over the weekend and they've proved stable. We decided to simply roll them into 3.0.5 and release 3.0.5 this week, instead of making a separate release for the patches this week.

envonge · December 8, 2009

The advisory of course sounds scary, but realistically both issues are relatively mitigated already. The SQL injection requires a moderator account (or above) to perform, and the local file inclusion requires that a malicious script has already been uploaded to your server. We have been verifying the patches over the weekend and they've proved stable. We decided to simply roll them into 3.0.5 and release 3.0.5 this week, instead of making a separate release for the patches this week.

Is there going to be something released for 2.3.6 too?

Five Invision Community 5 features your team will love

Five Invision Community 5 features your members will love

Invision Community 4: SEO, prepare for v5 and dormant account notifications

Invision Community 5: Beta testing and latest updates

3.0.4 Local PHP File Inclusion and SQL Injection

Recommended Posts

awiedman

bgk

bfarber

envonge

Archived

Recently Browsing 0 members

More