Full Version: If You Use Invision Power Board
TotalChoice Hosting Family Forums > TotalChoice Hosting General Support > Security Discussions
snapper
If you run any version of IPB, there has been a new security hole discovered. The ssi.php file can be SQL injected remotely, allowing a cracker to gain access to the passwords (kind of a backdoor into the admin cp). The ssi.php file is only needed if you are integrating with a website (kind of like an RSS feed) and has no effect on the rest of the board if removed or renamed. I have an online friend whose forum was taken down by a cracker and when he finally got the site back up (all of the admin/mod passwords had been changed), it was taken back down again very quickly. Through the process of elimination, they discovered the problem with the ssi.php file (incidentally, a while back, it was announced that there was a problem with the ssi.php file, but it was considered to be minor). Invision worked with the webmaster of the site and they do know about the problem, so probably either expect a new security patch on the horizon or just the advice to remove/rename the ssi.php file.
annie
Would this fix it?

http://forums.invisionpower.com/index.php?showtopic=114715
annie
Looks like it does:

http://forums.invisionpower.com/index.php?showtopic=130344

and yes, I'm talking to myself again...
TCH-Thomas
QUOTE
and yes, I'm talking to myself again...

No worries, we are used to it.

Whoops shutup.gif
TCH-Bonnie
QUOTE(Jikrantz @ Jun 26 2004, 06:36 AM)
QUOTE
and yes, I'm talking to myself again...

No worries, we are used to it.

Whoops shutup.gif

laugh.gif
snapper
QUOTE(annie @ Jun 26 2004, 05:02 AM)

In talking to the guys who got hacked, they were running 1.3 final. They were told by Invision that this patch would not have prevented the SQL injection. It's 2nd hand info, but if the file is not needed... I renamed mine and moved it to a separate folder on the server.
webmedic
I just don't use IPB, but it's for different reasons. Guess I'm safe this time around. For me it's because I contribute to a lot of GPL and OS products and I don't care for their license.
TCH-MikeJ
Uh, good for you webmedic.

Anyway, this vulnerability is old. See the response by the IPB team in their forums. It includes a link to where to get a non-vulnerable SSI that was released back in February (the one annie referenced) if you have not fixed your own yet:
http://forums.invisionpower.com/index.php?showtopic=130344

Moving to security.
webmedic
Oh, it's not an issue with the product, just the license. It's a morals thing. Sorry, wasn't trying to say it's a bad product.