snapper Posted June 26, 2004: If you run any version of IPB, there has been a new security hole discovered. The ssi.php file can be SQL injected remotely, allowing a cracker to gain access to the passwords (kind of a backdoor into the admin CP). The ssi.php file is only needed if you are integrating with a website (kind of like an RSS feed) and has no effect on the rest of the board if removed or renamed. I have an online friend whose forum was taken down by a cracker, and when he finally got the site back up (all of the admin/mod passwords had been changed), it was taken back down again very quickly. Through the process of elimination, they discovered the problem with the ssi.php file (incidentally, a while back, it was announced that there was a problem with the ssi.php file, but it was considered to be minor). Invision worked with the webmaster of the site and they do know about the problem, so probably either expect a new security patch on the horizon or just the advice to remove/rename the ssi.php file.
annie Posted June 26, 2004: Would this fix it? http://forums.invisionpower.com/index.php?showtopic=114715
annie Posted June 26, 2004: Looks like it does: http://forums.invisionpower.com/index.php?showtopic=130344 and yes, I'm talking to myself again...
TCH-Thomas Posted June 26, 2004: "and yes, I'm talking to myself again..." No worries, we are used to it. Whoops
Bunni Posted June 26, 2004: "and yes, I'm talking to myself again..." "No worries, we are used to it." Whoops
snapper (Author) Posted June 27, 2004: "Would this fix it? http://forums.invisionpower.com/index.php?showtopic=114715" In talking to the guys who got hacked, they were running 1.3 final. They were told by Invision that this patch would not have prevented the SQL injection. It's second-hand info, but if the file is not needed... I renamed mine and moved it to a separate folder on the server.
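The mitigation the thread settles on is to take ssi.php out of the board's web root, and a webmaster will also want to know whether anyone has been poking at that file. The script below is an added example, not code from the thread or from Invision; the install path, quarantine directory, log format and the sample log lines are all constructed assumptions. It moves ssi.php out of the document root with a timestamped copy, and counts access-log requests to ssi.php whose query string carries quote characters or SQL keywords, which is a coarse triage indicator rather than proof of a successful injection.

```shell
#!/bin/sh
# Added example (not from the thread or from Invision): quarantine the IPB
# ssi.php file outside the web root, as the posts above advise, and scan a
# web-server access log for requests that still target it.
# BOARD_DIR and the quarantine path are assumptions; adjust for your install.

# Move ssi.php out of the document root into a quarantine directory.
# Prints the destination path on success; returns 1 if there is nothing to do.
quarantine_ssi() {
    board_dir="$1"
    quarantine_dir="$2"
    src="$board_dir/ssi.php"
    [ -f "$src" ] || return 1
    mkdir -p "$quarantine_dir"
    # Keep a timestamped copy so the file can be restored if a site
    # integration turns out to need it later.
    dest="$quarantine_dir/ssi.php.$(date +%Y%m%d%H%M%S)"
    mv "$src" "$dest"
    chmod 600 "$dest"
    printf '%s\n' "$dest"
}

# Count access-log lines that request ssi.php with a query string containing
# a quote (literal or URL-encoded) or a SQL keyword. Coarse indicator only.
count_ssi_probes() {
    logfile="$1"
    grep -Ei 'GET [^ ]*ssi\.php\?[^ ]*' "$logfile" \
      | grep -Eic "(%27|'|union|select)" || true
}

# Write a constructed combined-format access log (sample data, not real traffic).
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [26/Jun/2004:10:00:01 +0000] "GET /forums/index.php HTTP/1.1" 200 5120
192.0.2.11 - - [26/Jun/2004:10:00:05 +0000] "GET /forums/ssi.php?f=2 HTTP/1.1" 200 880
192.0.2.12 - - [26/Jun/2004:10:00:09 +0000] "GET /forums/ssi.php?f=2%27 HTTP/1.1" 200 880
192.0.2.13 - - [26/Jun/2004:10:00:12 +0000] "GET /forums/ssi.php?f=2' HTTP/1.1" 200 880
EOF
}

# Demo run in a scratch directory: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/board" && printf '<?php\n' > "$work/board/ssi.php"
    echo "quarantined to: $(quarantine_ssi "$work/board" "$work/quarantine")"
    make_sample_log "$work/access.log"
    echo "suspicious ssi.php requests: $(count_ssi_probes "$work/access.log")"
fi
```

Run the quarantine step against the real board directory only after confirming nothing on the site includes ssi.php; if a page does, replace it with the patched SSI file Invision published rather than restoring the old one.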
webmedic Posted June 27, 2004: I just don't use IPB, but it's for different reasons. Guess I'm safe this time around. For me it's because I contribute to a lot of GPL and OS products and I don't care for their license.
MikeJ Posted June 27, 2004 (edited): Uh, good for you webmedic. Anyway, this vulnerability is old. See the response by the IPB team in their forums; it includes a link to where to get a non-vulnerable SSI that was released back in February (the one annie referenced) if you have not fixed your own yet: http://forums.invisionpower.com/index.php?showtopic=130344 Moving to security. Edited June 27, 2004 by TCH-MikeJ
webmedic Posted June 27, 2004: Oh, it's not an issue with the product, just the license. It's a morals thing. Sorry, wasn't trying to say it's a bad product.