Golden Sun Syndicate Forums: Golden Sun Syndicate Forums

Major Ipb Security Flaw Found

#1   musicman2059 

  • Chaos Lord
    • Group: Members
    • Posts: 856
    • Joined: 17-October 04
    • Gender:Male
    • Location:Vancouver, BC, Canada

    Posted 08 April 2005 - 12:34 PM

    Yes, I didn't think that IPB was perfect and that something like this would be found.

    I've been watching a thread in particular on the IPS Customer forum in which quite a few boards have been cracked, where a user has gained the username and password for an administrator account, and we all know what happens then. Although it seems that Matt Mecham is working furiously on the problem, I'm sure the last thing anyone wants is for this to end up like GSR. :o

    The link to the article can be found here.

    The security flaw doesn't involve "SQL injection" (obtaining unauthorized access to the database) or any type of hack outside the forum environment. What happens is that, via a post, a user can exploit a minor bug in the BBCode script in order to enter a malicious javascript that sends a user's cookie data to the potential intruder. Using this information, all the intruder needs to do is decrypt the password and all hell breaks loose.

    There isn't any fix or solution so far, so the only way that this can be somewhat toned down is by:
    1. Making sure all your admins (in this case Max, AvaneR, and Nick) have strong passwords
    2. I'm not sure if this will actually work, but for every BBCode tag that has an option, ([ quote=blah ], etc...) try censoring it so that a square bracket can't be used to start an option in a tag. (The potential intruder may be able to work around this, too by adding something before the square bracket, so it may not be possible in this way.)
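
The tag-option idea in point 2 of the post above, as an added example that is not part of the original post and not IPB's own code: the whole post is HTML-escaped before any tag is expanded, and an option is accepted only if it matches an allow-list, rather than by censoring one character. The `[quote=NAME]` handling, the function names and the allow-list pattern are assumptions for illustration.

```python
import html
import re

# Assumed tag syntax for illustration: [quote=NAME]body[/quote].
QUOTE_RE = re.compile(r"\[quote=([^\]]*)\](.*?)\[/quote\]", re.S | re.I)
# Allow-list for the option: word characters, space, dot, hyphen, max 32 chars.
SAFE_OPTION = re.compile(r"[\w .\-]{1,32}")


def render_quote(match):
    """Expand one already-escaped [quote=NAME] tag, or leave it as inert text."""
    option, body = match.group(1), match.group(2)
    if not SAFE_OPTION.fullmatch(option):
        # Option holds '[', '&', '=' or similar: build no markup from it.
        return match.group(0)
    return '<blockquote title="{}">{}</blockquote>'.format(option, body)


def render_post(text):
    """Escape the whole post first, then expand only well-formed tags."""
    escaped = html.escape(text, quote=True)
    return QUOTE_RE.sub(render_quote, escaped)


# Constructed sample posts (not taken from any real board).
SAMPLES = [
    "[quote=Max]hello[/quote]",
    '[quote=bob" data-x="1]hello[/quote]',
    "[quote=a[b]c]hello[/quote]",
    "[quote=Max]<b>bold?</b>[/quote]",
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(render_post(post))
```

Because escaping happens before tag expansion, an option that fails the allow-list stays on the page as plain text instead of becoming part of an HTML attribute.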

    #2   Nobody 

    • Chaos Lord
      • Group: Members
      • Posts: 653
      • Joined: 11-March 05
      • Gender:Male

      Posted 08 April 2005 - 02:07 PM

      That is just bad-sounding... but does the tag have to do with entering HTML with the tag? If it does, I believe there is a way to turn it off in the administrator control panel. I cannot imagine what would happen to the site news, GSW, and everything else on the forum if this happens.

      #3   musicman2059 

      • Chaos Lord
        • Group: Members
        • Posts: 856
        • Joined: 17-October 04
        • Gender:Male
        • Location:Vancouver, BC, Canada

        Posted 08 April 2005 - 05:37 PM

        From what I've heard, it doesn't matter whether or not doHTML is disabled.

        #4   TobiasMar 

        • Disciple
          • Group: Members
          • Posts: 2,064
          • Joined: 11-February 04
          • Gender:Male
          • Location:Atlanta, GA, USA
          • Interests:Computers and anything science-related
          • AKA Gimli the Great

          Posted 08 April 2005 - 06:42 PM

          OMG....this is BAD! Do you know when there's gonna be a security update for this? I hope Max installs it when it comes out. I hope BBCode isn't disabled though...

          #5   Nick Presta 

          • Master Adept
            • Group: Admin
            • Posts: 2,521
            • Joined: 15-February 04
            • Gender:Male
            • Location:Toronto, Ontario

            Posted 08 April 2005 - 09:27 PM

            Thank you for your concern. I'm sure Max is aware of all security threats as they are found.

            And I can assure you my password is very difficult to break.

            [Topic Closed]

