Board needs updated

mutta

New member
just wanted to suggest an update of the board. it is very vulnerable to exploits and is a big forum to have someone screw up in a few secs. other than that, looks good

the way ppl are defacing these boards, your webmaster may not want to waste any time, as ppl search for these boards using Google to own ;)

 
Guys,

Just to give some insight on this situation.

Mutta was kind enough to give us a heads up about our vulnerabilities. His post originated in the Feedback forum, and I moved it here. Check my PM discussion with him....

Hey,

Thanks for the suggestion. I moved your post b/c I don't want to give anyone any ideas. Can you please elaborate on the vulnerability and how to go about patching it?

I appreciate your assistance.

Chad

the vulnerability is actually due to the version of the board. it is a sql injection that gets the pw hash of any member, as it is stored in your sql tbls, and then w/ a simple edit of their cookie, swapping their pw for the admin's and refreshing the page, they will have admin access .... the only reason I would be concerned is the size of the board; it would be something a script kiddie would post as a trophy on some of the sites I am on, and they are searching them daily by Google search for "Powered by Invision Power Board(U) v1.2" or a similar older version. so in the short term maybe edit your footer and remove that line; at least then your page won't be returned in a similar search. but update of version to 2.0.4

Since this is a free version of IB, I'm unable to remove the tag, and also can't upgrade until I purchase the license. I asked him if he knew of any patches we could use in the meantime, but he hasn't responded yet. I take that as an "I don't know", and I'm sure he doesn't have the time to do the research to figure it out for us - he was good enough to bring it to our attention.

Needless to say, this is of utmost urgency. I'm going to make an attempt to coordinate my cousin & his partner to help me make the upgrade this weekend, but in the meantime if anyone has some time and is compelled to do some research, there may be some info on their support board. http://forums.invisionpower.com/ I have a busy afternoon ahead of me, but will be looking more into this tonight.

This also brings the question of "Vbulletin or Iboard" to the top of the Roundtable agenda - so I'm open for feedback on the direction we take here. I'm willing to purchase the license for either of the 2.

 
I'll see what I can find later today - I'm a bit tied up now. However, I can confirm the problem. In fact, when we were having the HPH problem, and I was forcing myself to read their drivel, there was an entire thread about this being done on another board - Texas' I believe.

I seriously doubt that there is a fix - it's a good reason to "push" an upgrade, but as I said, I'll look into that as well as which type we might want.

 
Damn. I figured it was a SQL injection of some sort. tisk tisk invision. That guy could have easily done a lot of damage there. Nice that he wasn't a d!(k.

I'll see what I can find when I get home from work in about 30

 
There has to be a manual way we can clean the user input from the login script to eliminate the sql injection. I'll see if I can send a message to a guy I know who might be able to lend a hand as well.

 
I have been browsing those boards for the past half hour or so. Version 1.2 is so old that no one has any patches for it. I found some patches for 1.3 though. Not sure if they apply to version 1.2 though. We could try I guess, just have a good backout plan.

It would be nice if we could solve this problem now, then the upgrade issue wouldn't be as pressing. However, we still need to upgrade because the more I read, the more I see that older versions of Invision's boards are riddled with security issues. :(

1.3 patches

 
I struck out, also - can't find a patch for this version.

Chad, do you have access to the source code? My guess, based on what Mutta stated, is that this is a Request.Query for the password. More than likely, it could be remedied with the use of the trim function in the query itself, but it would require access to the source code (a forlorn hope, I know, since this is a proprietary software package, but doesn't hurt to ask).

 
Usually you should have access to the php, so it should technically be possible.

Not sure if just a trim would do it because you have to be sure the user isn't entering any SQL. Length check plus maybe a check on certain characters might work.

It would be really nice if we had a step by step way to do the hack, then we could test against it.
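An added illustration of the point discussed in the posts above (it is not part of any post and is not Invision Power Board code): why `trim()` on its own leaves a query open to injection, next to a bound-parameter query and the length-plus-character check suggested in the thread. The `members` table, its rows, the function names and the use of PDO with an in-memory SQLite database are all assumptions made so the example runs offline.

```php
<?php
// Added illustration: constructed schema and data, not Invision Power Board code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');
$db->exec("INSERT INTO members (name, pw_hash) VALUES
           ('admin', 'constructed-hash-1'), ('dave', 'constructed-hash-2')");

// "Before": trim() only strips leading/trailing whitespace, so quote characters
// inside the value still reach the SQL parser as syntax.
function lookup_trim_only(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM members WHERE name = '" . trim($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the value is bound as a parameter, so it is only ever compared as data.
function lookup_bound(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM members WHERE name = :name');
    $stmt->execute([':name' => trim($name)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Length-plus-character allow-list, as suggested in the thread. Useful as an extra
// layer, but it must be applied everywhere a request value meets a query.
function is_plausible_name(string $name): bool {
    return preg_match('/^[A-Za-z0-9_ .-]{1,32}$/', $name) === 1;
}

// Constructed inputs for a before/after regression check.
$inputs = ['dave', '  dave  ', "nobody' OR '1'='1"];
foreach ($inputs as $in) {
    printf("%-24s trim-only=%d rows  bound=%d rows  allow-list=%s\n",
        json_encode($in),
        count(lookup_trim_only($db, $in)),
        count(lookup_bound($db, $in)),
        is_plausible_name($in) ? 'pass' : 'reject');
}
```

For the third input the trim-only lookup matches every row in the table, while the bound lookup matches none and the allow-list rejects the value before any query runs.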

 
Yeah, not to mention that we'd have to scour the code for every instance in which the password query occurs...

By the way, I favor the latest iteration of IBoard - it has all the features needed, including an ignore function (but I can't tell from the web site if that is something each user can set for other, individual users...although I can't imagine why it would be set up any other way).

Anyway, using IBoard again would make it far easier to migrate data, I would think...

 
Alright, thanks for the input guys. I'm gonna make a go at using the 1.3 patches dave linked to - and save an old copy of the files just in case all goes haywire.

But yes, the key is testing to make sure the problem has been resolved, but I don't really know how to go about doing that - unless I were to ask Mutta..

I'll also make a push towards the upgrade - but not sure I'll get the support I need this wknd for the transfer.

 
Do the newer boards we are looking at include an RSS feed? I meant to ask this a while ago, but it slipped my mind.

 
That would be great for me, not sure of everyone else. Make it easier to keep up with the board while I am "working". :)

 