Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

SQL Injection Vulnerability Patched in IP.Board Forum Software

Invision Power Services (IPS) has released patches to address an SQL injection vulnerability affecting versions 3.3.x and 3.4.x of the popular online forum software IP.Board.

Invision Power Services (IPS) has released patches to address an SQL injection vulnerability affecting versions 3.3.x and 3.4.x of the popular online forum software IP.Board.

IPS learned of the existence of an exploit for the vulnerability on Sunday when it published a post advising users to disable the IPS Connect service, which allows multiple sites to share one login, by deleting the “interface/ipsconnect/ipsconnect.php” file from their installations.

“Most clients will not need this service but if you do use it then we still suggest you temporarily disable until a fix is released tomorrow,” IPS said.

Patches and additional details on the SQL injection vulnerability were released a few hours later. According to developers, SQL injection attacks are possible on certain PHP configurations.

“Although this exploit requires some knowledge of your configuration and for certain files to be web-readable, we felt it important to release an update,” IPS explained.

An exploit written in Python was published on several websites on Sunday. According to the author of the exploit, the error-based blind SQL injection flaw affects IP.Board version 3.4.7 and earlier.

One of the administrators of the vpsBoard forum claims IPS only learned of the existence of the exploit after he notified them. A vpsBoard member said he successfully tested the exploit on his own website by knowing only the URL.

“I ran the exploit against my IPB and it injected SQL just fine – no ‘knowledge’ was needed other than the URL,” the user with the online moniker raindog308 said.

Advertisement. Scroll to continue reading.

IP.Board developers have also learned “that it may be possible to send attachments via the email classes which would ordinarily be removed.” A fix for this issue, reported privately to IPS by Andrew Erb, is also included in the patches.

The patches are automatically applied for IPS Community in the Cloud customers running IP.Board 3.3 or above. Users who have installed or upgraded their installations to version 3.4.7 after the patches were released don’t need to take any action since the main download files have been updated.

This year, IPS released a total of four security updates to address cross-site scripting (XSS), file inclusion and other vulnerabilities found in IP.Board.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.