Concerning The Recent Invision Power Board Issues
Hi all,
As you have seen, there have been a good number of IPB issues posted lately
to BugTraq, everything from cross-site scripting to path disclosure to SQL
issues. The SQL issues in search have been fixed, as seen here.
http://forums.invisionpower.com/index.php?act=ST&f=&t=116163
I have found the same issue in two other places that have not been
fixed. One is memberlist.php and the other is online.php. You can read about
those at my website if you would like details.
http://www.gulftech.org/03022004.php
These issues, and also the search issue, allow for injection into the query
AFTER the LIMIT statement, which makes it unlikely to be able to be
exploited, but I believe they should still be patched as soon as possible.
Also, there has been a large number of cross-site scripting issues lately, and
there has been no fix released to my knowledge. This has all been somewhat
frustrating to me, so I contacted the guys at Invision, and here is what they
had to say.
----------------------------------------
Hello,
Thanks for the email.
All outstanding non-critical reports will be dealt with in the next
release. The discussion on the forum password plaintext vulnerability
is a little moot as it's documented as a 'quick fix' forum permission
and shouldn't be used in place of forum permissions. In any case, this
may well be resolved by using an MD5 hash in the cookie.
Regards
Matthew Mecham
Invision Power Board Lead Developer
Invision Power Services, Inc. CEO
----------------------------------------
Invision have always to my knowledge been prompt in the past about
addressing any and all issues, but lately it has been unbelievable. I think
that most of the popular forum projects such as phpBB would have even the
smallest issues addressed within a week or so once they were made aware of
the problems. Anyway, the main purpose of this email was to let any IPB
webmasters/admins/users know that the devel team has been contacted, but
will probably not be releasing fixes until the next release :-\ If you feel
they should address these issues sooner please take a moment to contact them
at info@xxxxxxxxxxxxxxxxx and let them know that you take security seriously
and believe even the smallest issues should be addressed promptly and
resolved quickly.
Best Regards,
JeiAr
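
The issues described above sit in request values that end up after LIMIT in the query. As an added example (not part of the original post and not Invision's code), this PHP sketch shows an unvalidated LIMIT clause beside one that only ever emits bounded integers; the function names and the `start` / `per_page` parameter names are hypothetical, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// "Before": request values are concatenated after LIMIT unchanged, so
// whatever text the client sends becomes part of the SQL statement.
function limit_clause_unsafe(array $params): string
{
    return 'LIMIT ' . ($params['start'] ?? '0') . ', ' . ($params['per_page'] ?? '20');
}

// "After": each value must parse as an integer inside a fixed range;
// anything else falls back to a default. Only integers reach the SQL text.
function limit_clause_safe(array $params, int $defaultPerPage = 20, int $maxPerPage = 100): string
{
    $start = filter_var($params['start'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 1000000, 'default' => 0],
    ]);
    $perPage = filter_var($params['per_page'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $maxPerPage, 'default' => $defaultPerPage],
    ]);

    return sprintf('LIMIT %d, %d', $start, $perPage);
}

// Constructed sample requests (hypothetical parameter names).
$samples = [
    'normal'       => ['start' => '40', 'per_page' => '20'],
    'non-numeric'  => ['start' => '40 trailing text', 'per_page' => '20'],
    'out-of-range' => ['start' => '-5', 'per_page' => '5000'],
    'missing'      => [],
];

foreach ($samples as $label => $params) {
    printf("%-13s unsafe: %-32s safe: %s\n",
        $label, limit_clause_unsafe($params), limit_clause_safe($params));
}
```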