 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 92
 Members: 0
 Total: 92
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
IPB <=2.3.5 sql injection widespread! |
|
 Posted: Wed Sep 17, 2008 11:46 am |
 |
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
I'm estimating, that ~ one third IPB based forums on Internet are right now (17. sept. 2008) affected by sql injection, found by darkfig.
This is easiest test, useable even for megan00bs:
http://www.***.com/forums/index.php?act=xmlout&do=check-display-name&name=%2527
If you see error message:
| Code: |
IPS Driver Error
There appears to be an error with the database.
You can try to refresh the page by clicking here
|
... then sql injection is possible and you can have admin's hash and salt within few minutes 
This situation is not lasting very long and patch will be spreading soon, so ...  |
|
|
|
|
| Posted: Wed Sep 17, 2008 12:59 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Time to pick a harvest. ))) |
|
|
|
|
| Posted: Sat Sep 20, 2008 8:59 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
| Posted: Wed Oct 15, 2008 11:50 am |
|
|
| anthonis |
| Regular user |
 |
|
| Joined: Oct 15, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
| if i get reply notfound from the link what i have to do ??? |
|
|
|
|
| Posted: Wed Oct 15, 2008 11:58 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
| Posted: Wed Oct 15, 2008 12:08 pm |
|
|
| anthonis |
| Regular user |
|
|
| Joined: Oct 15, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Wed Oct 15, 2008 3:34 pm |
|
|
| Cablekid |
| Advanced user |
|
|
| Joined: Jul 14, 2007 |
| Posts: 85 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Oct 16, 2008 2:58 am |
|
|
| devildavid |
| Regular user |
|
|
| Joined: Oct 16, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
it means its patched already |
|
|
|
|
| Posted: Thu Oct 16, 2008 3:00 am |
|
|
| devildavid |
| Regular user |
|
|
| Joined: Oct 16, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
| pexli wrote: | http://www.waraxe.us/forum-52.html
Thread name
IPB <= 2.3.5 sql injection exploit (new version 1.2)
..on top of the page.  |
if its not patched how can i use the exploit? |
|
|
|
|
| Posted: Thu Oct 16, 2008 4:17 am |
|
|
| anthonis |
| Regular user |
|
|
| Joined: Oct 15, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
 is there any exploit if this one is patched ???  |
|
|
|
|
| Posted: Sun Oct 26, 2008 2:45 pm |
|
|
| erratico |
| Regular user |
|
|
| Joined: Oct 25, 2008 |
| Posts: 11 |
|
|
|
|
|
|
|
thanx
works excelent |
|
|
|
|
| Posted: Sun Oct 26, 2008 6:33 pm |
|
|
| mattoni |
| Active user |
|
|
| Joined: Oct 26, 2008 |
| Posts: 34 |
| Location: United Kingdom |
|
|
|
|
|
|
how can i use this? do i need a software?
could you explain please? |
|
|
|
|
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
