Date: Sat, 20 Mar 2004 10:45:49 -0600
From: "GulfTech Security" <security@...ftech.org>
To: <bugtraq@...urityfocus.com>
Subject: Concerning The Recent Invision power Board Issues


Hi all,

As you have seen, there have been a good number of IPB issues posted lately
to BugTraq, everything from cross-site scripting to path disclosure to SQL
issues. The SQL issues in search have been fixed, as seen here.

http://forums.invisionpower.com/index.php?act=ST&f=&t=116163

I have found the same issue in two other places also that have not been
fixed. One is memberlist.php and the other is online.php. You can read about
those at my website if you would like details.

http://www.gulftech.org/03022004.php

These issues, and also the search issue, allow for injection into the query
AFTER the LIMIT statement, which makes it unlikely to be exploitable, but I
believe they should still be patched as soon as possible. Also, there has been
a large number of cross-site scripting issues lately, and no fix has been
released to my knowledge. This has all been somewhat frustrating to me, so I
contacted the guys at Invision and here is what they had to say.


----------------------------------------

Hello,

Thanks for the email.

All outstanding non-critical reports will be dealt with in the next
release. The discussion on the forum password plaintext vulnerability
is a little moot as it's documented as a 'quick fix' forum permission
and shouldn't be used in place of forum permissions. In any case, this
may well be resolved by using an MD5 hash in the cookie.

Regards,

Matthew Mecham
Invision Power Board Lead Developer
Invision Power Services, Inc. CEO

----------------------------------------


Invision have always to my knowledge been prompt in the past about
addressing any and all issues, but lately it has been unbelievable. I think
that most of the popular forum projects such as phpBB would have even the
smallest issues addressed within a week or so once they were made aware of
the problems. Anyway, the main purpose of this email was to let any IPB
webmasters/admins/users know that the devel team has been contacted, but
will probably not be releasing fixes until the next release :-\ If you feel
they should address these issues sooner please take a moment to contact them
at info@...isionpower.com and let them know that you take security seriously
and believe even the smallest issues should be addressed promptly and
resolved quickly.

Best Regards,

JeiAr
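The post describes pagination parameters landing verbatim after LIMIT. The following is an added example, not code from the post or from Invision Power Board, showing the concatenation pattern beside a hardened version that validates and binds the values; the table name, columns and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for a forum member table (assumption:
# the real IPB schema and column names are not given on the page).
MEMBERS = [(i, f"member{i}") for i in range(1, 26)]


def build_unsafe_query(start, per_page):
    """Pagination query built by string interpolation: whatever the caller
    passes is placed verbatim after LIMIT, the pattern the post describes."""
    return f"SELECT id, name FROM members ORDER BY id LIMIT {start}, {per_page}"


def parse_page_params(start, per_page, max_per_page=50):
    """Hardened parsing: accept only ASCII decimal digits and enforce bounds,
    so the values that reach the query are small integers, not free text."""
    if not (re.fullmatch(r"[0-9]+", str(start)) and re.fullmatch(r"[0-9]+", str(per_page))):
        raise ValueError("pagination parameters must be non-negative integers")
    start, per_page = int(start), int(per_page)
    if per_page == 0 or per_page > max_per_page:
        raise ValueError("per_page out of range")
    return start, per_page


def fetch_members_safe(conn, start, per_page):
    """Parametrized LIMIT/OFFSET: the driver binds integers, never SQL text."""
    start, per_page = parse_page_params(start, per_page)
    cur = conn.execute(
        "SELECT id, name FROM members ORDER BY id LIMIT ? OFFSET ?",
        (per_page, start),
    )
    return cur.fetchall()


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query("10", "5"))
    print(fetch_members_safe(db, "10", "5"))
```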
