Bugtraq mailing list archives
Re: Multiple Vulnerabilities in Invision Power Board v1.3.1 Final.
From: "JvdR" <thewarlock () home nl>
Date: Thu, 10 Jun 2004 02:12:11 +0200
Dear Mike,

The CSS vulnerabilities are based on previous versions of IPB, the vendor did not feel to fix them with update 1.3 > 1.3.1 final. See
http://securityfocus.com/bid/9768

Multiple SQL injection vulnerabilities were already found in IPB:
http://securityfocus.com/bid/7290
http://securityfocus.com/bid/9232

The problem that the vendor did fix was a vulnerability in the calendar:
http://securityfocus.com/bid/9353

In history IPB was more than once vulnerable to SQL injections of the same type, so there is no reason to provide them with old information. Another reason is that those kinds of vulns. are common, old news.... a query in Google results in 100.000 full instructions to exploit them; for ISPs it's quite easy to block these requests and minimize the risks.

Mike Healan wrote:

Where is the vendor response to this? From what I can see at their support site, they've never heard of these two problems. Let me guess, you never bothered to contact them and instead elected to publicize full instructions to exploit software in use at over 100,000 web sites?

BR,
Jan van de Rijt.
---> http://members.home.nl/thewarlock