
3.0.1 SQL Injection Exploit


Jimmy`


A little digging into someone who's been threatening my boards has led me to this:
http://de.crypt.in/threads/50-IPB-3.0.1-SQL-Injection-Exploit
is it new or did the security update for 3.0.1 fix this?

Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.



is it new or did the security update for 3.0.1 fix this?



Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.



Considering WHEN it was posted and the fact that it references v3.0.1, I would guess that it only applies to v3.0.1 and nothing after that. However, I'm not saying that it doesn't affect anything after 3.0.1, just that it's a guess. I recommend submitting a ticket in the client area with this link, so they can investigate it further.


Sorry I couldn't post this anywhere else, my license ran out and I'm going to renew it once 3.1 is finished.






I recommend submitting a ticket in the client area with this link, so they can investigate it further.




He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.


He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.



He can always email if nothing else is available :) (as I am not sure what parts, if any, of the Client Center are accessible to those without an active support contract; I've never let mine expire)

Ultimately, upgrading to the latest release is the sensible option too.


He wouldn't have been able to submit a ticket, either, unless there's a type of ticket you can file without an active license.



You can open tickets without an active license, just can't send it to technical assistance. Email is always another alternative.

If you have a security exploit, we'll gladly look at your ticket. ;) I don't think we'd ignore a security exploit report simply because you don't have an active license. We research these things even when reported from unlicensed users.


Yeah, I found the vulnerability report somewhere and decided to see if I could actually write a full-blown exploit for it.

That one is particularly easy to use. :ph34r:

Anyway, stay up to date and you should be safe, I usually report anything I find before I decide to have fun with it.

Although, of course, I'm not the only one writing exploits out there.


Archived

This topic is now archived and is closed to further replies.
