Potential SQL injection risk sparks prompt reaction

Nov 10, 2014 11:50 GMT

Two patches have been released over the weekend for popular web forum software IP.Board, as a result of reports on Sunday of possible exploits.

As soon as the development team was alerted that malicious action was possible through components of the software, an announcement was issued with a temporary workaround that would mitigate the risk until a permanent patch was ready.

This consisted of deleting the file “interface/ipsconnect/ipsconnect.php”, which disabled the IPS Connect service that allows multiple sites to share one log-in pair.

The patch came later on Sunday and was available for both the 3.3.x and the 3.4.x versions of the forum software.

Vulnerabilities quickly receive fixes

According to a post from the developers, the updates are designed to eliminate a potential SQL injection vulnerability that exists under certain PHP configurations.

Matt Mecham, one of the creators of IP.Board, said on the forum that an attacker would need sufficient information about the software's configuration; this means the SQL injection could be leveraged in targeted attacks.

Apart from this prerequisite, Mecham said that some files need to be web readable for the attack to work. However, despite the low risk presented by the flaw, the developer asserted that releasing an update still felt like an important thing to do.

The second security flaw the IP.Board developers had to deal with over the weekend presents a more immediate risk. It consists of the possibility of sending attachments via email classes, attachments which would normally be removed.

Both flaws have been eliminated by the new patches for the two versions of the forum software.

Users are advised to apply the updates by uploading the patched files to the forum server. There is no need to run scripts or use the upgrade system.

Build 3.4.7 includes the patches

Mecham says that any party using the Cloud infrastructure with IP.Board 3.3 or above received the update automatically. Customers on an older version, however, should contact the support department for the upgrade procedure.

The newest version of IP.Board is 3.4.7, which was rolled out in mid-October as a maintenance release. This release now includes the fixes for the two reported weaknesses, so upgrading to it eliminates the need to apply the patches separately.

In a forum post, Charles Warner, the other creator of IP.Board, revealed that the next major upgrade would be build 4.0, slated for release in 2014, which would bring modern functionality and a refreshed look.
