Jimmy` (Posted April 30, 2010)

A little digging into someone who's been threatening my boards has led me to this: http://de.crypt.in/threads/50-IPB-3.0.1-SQL-Injection-Exploit

Is it new or did the security update for 3.0.1 fix this? Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

Wolfie (Posted April 30, 2010)

> Is it new or did the security update for 3.0.1 fix this? Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

Considering WHEN it was posted and the fact that it references v3.0.1, I would guess that it only applies to v3.0.1 and nothing after that. However, I'm not saying that it doesn't affect anything after 3.0.1, just that it's a guess. I recommend submitting a ticket in the client area with this link, so they can investigate it further.

bfarber (Posted April 30, 2010)

This issue was already patched. Upgrade to the latest version of IPB to protect yourself.

PKIDelirium (Posted May 2, 2010)

> Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.

> I recommend submitting a ticket in the client area with this link, so they can investigate it further.

He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.

AndyF (Posted May 2, 2010)

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.

He can always email if nothing else is available :) (as I am not sure what parts, if any, of the Client Center are accessible to those without an active support contract, I've never let mine expire)

Ultimately, upgrading to the latest release is the sensible option too.

Wolfie (Posted May 2, 2010)

> He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.

You can open tickets without an active license, just can't send it to technical assistance. Email is always another alternative.

bfarber (Posted May 3, 2010)

If you have a security exploit, we'll gladly look at your ticket. ;) I don't think we'd ignore a security exploit report simply because you don't have an active license. We research these things even when reported from unlicensed users.

Cryptovirus (Posted May 3, 2010)

Yeah, I found the vulnerability report somewhere and decided to see if I could actually write a full-blown exploit for it. That one is particularly easy to use. :ph34r: Anyway, stay up to date and you should be safe. I usually report anything I find before I decide to have fun with it. Although, of course, I'm not the only one writing exploits out there.

This topic is now archived and is closed to further replies.