Posted April 30, 2010

A little digging into someone who's been threatening my boards has led me to this: http://de.crypt.in/threads/50-IPB-3.0.1-SQL-Injection-Exploit

Is it new or did the security update for 3.0.1 fix this? Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.
April 30, 2010

> is it new or did the security update for 3.0.1 fix this? Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

Considering WHEN it was posted and the fact that it references v3.0.1, I would guess that it only applies to v3.0.1 and nothing after that. However, I'm not saying that it doesn't affect anything after 3.0.1, just that it's a guess. I recommend submitting a ticket in the client area with this link, so they can investigate it further.
April 30, 2010

This issue was already patched. Upgrade to the latest version of IPB to protect yourself.
May 2, 2010

> Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

> I recommend submitting a ticket in the client area with this link, so they can investigate it further.

He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.
May 2, 2010

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.

He can always email if nothing else is available :) (as I am not sure what parts, if any, of the Client Center are accessible to those without an active support contract, I've never let mine expire)

Ultimately, upgrading to the latest release is the sensible option too.
May 2, 2010

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.

You can open tickets without an active license, just can't send it to technical assistance. Email is always another alternative.
May 3, 2010

If you have a security exploit, we'll gladly look at your ticket. ;) I don't think we'd ignore a security exploit report simply because you don't have an active license. We research these things even when reported from unlicensed users.
May 3, 2010

Yeah I found the vulnerability report somewhere and decided to see if I could actually write a full blown exploit for it. That one is particularly easy to use. :ph34r: Anyway, stay up to date and you should be safe, I usually report anything I find before I decide to have fun with it. Although, of course, I'm not the only one writing exploits out there.
Archived
This topic is now archived and is closed to further replies.