3.0.1 SQL Injection Exploit

A little digging into someone who's been threatening my boards has led me to this:
http://de.crypt.in/threads/50-IPB-3.0.1-SQL-Injection-Exploit
is it new or did the security update for 3.0.1 fix this?

Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

 

> is it new or did the security update for 3.0.1 fix this?
>
> Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.



Considering WHEN it was posted and the fact that it references v3.0.1, I would guess that it only applies to v3.0.1 and nothing after that. However, I'm not saying that it doesn't affect anything after 3.0.1, just that it's a guess. I recommend submitting a ticket in the client area with this link, so they can investigate it further.

This issue was already patched. Upgrade to the latest version of IPB to protect yourself.

 

> Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

> I recommend submitting a ticket in the client area with this link, so they can investigate it further.




He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.
 

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.



He can always email if nothing else is available :) (as I am not sure what parts, if any, of the Client Center are accessible to those without an active support contract, I've never let mine expire)

Ultimately, upgrading to the latest release is the sensible option too.
 

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.



You can open tickets without an active license, just can't send it to technical assistance. Email is always another alternative.

If you have a security exploit, we'll gladly look at your ticket. ;) I don't think we'd ignore a security exploit report simply because you don't have an active license. We research these things even when reported from unlicensed users.

Yeah I found the vulnerability report somewhere and decided to see if I could actually write a full blown exploit for it.

That one is particularly easy to use. :ph34r:

Anyway, stay up to date and you should be safe, I usually report anything I find before I decide to have fun with it.

Although, of course, I'm not the only one writing exploits out there.
