Two Invision Power Board 1.1.x vulns

From: Gossi The Dog (gossiat_private)
Date: Fri Apr 04 2003 - 14:56:40 PST


    Hola,
    
    Invision Power Services have continued to show their amazing support and
    understanding for the security community by releasing two patches for
    their 'Invision Power Board' product (now one of the most widely used
    'Board' programs around).
    
    Without sending out any security mailing list announcements.
    
    The first patch is available here:
    http://forums.invisionpower.com/index.php?act=ST&f=1&t=51540
    
    Apparently it affects you if your PHP installation is running with
    register_globals set to on.
    
    There is no information as to where the problem lies, or the scope of
    the problem.  Or the impact.  Additionally they thank people for not
    reporting the issue to "help" sites like bugtraq, which is another
    quality show of support for the security industry.  I guess they don't
    like disclosure.
    
    Second patch is here:
    http://forums.invisionpower.com/index.php?act=ST&f=1&t=55976
    
    Again, no information whatsoever.  No scope.  No impact.  In fact
    "Obviously I'm not going to go into detail to protect your boards, but
    the security update is very easy to apply.".  That's fine, then!
    
    
    Interesting fact about both updates:
    
    * they don't increase the version number of Invision Board
    * they've both been integrated into the existing version of the software
    installer
    * this means the only way to know if you are patched is by the date
    you installed.  Do you remember?
    * No MD5sums for either patch.
    
    The 2nd patch I have investigated.
    
    The update file is functions.php.  Line 577 is commented out;
    
        //$ibforums->input['skinid'] = intval($ibforums->input['skinid']);
    
    Line 601
    
    $id    = $ibforums->input['skinid'];
    
    Changes to;
    
    $id    = intval($ibforums->input['skinid']);
    
    The vuln appears to be the fact that the skinid wasn't being converted
    to an integer (it is one normally), and as such I *think* you can inject
    SQL code, reading the source.
    
    Invision Power Services - PLEASE - read bugtraq.  Find out how vulns are
    disclosed, how the impact and severity is described to customers.
    Seriously.  If Microsoft at least make an attempt at it, that's saying
    something.
    
    It's like the company tries to secure their customers' software by hoping
    nobody finds out vulns.  It's a PHP program.  Of course they do.  They
    get misused.  The customers get peeved.
    
    Set up a security mailing list for your customers to subscribe to.
    Email bugtraq, and the other security mailing lists when a problem is
    found, briefly describing the problem and its potential impact.
    
    Distribute security updates with MD5sums so we know they can be trusted.
    Give us a way to know if *OUR* boards are patched.  Include an Internal
    version number in the Admin Control Panel for the product so the admins
    can check.
    
    Regards,
    Gossi.
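
The post complains that there is no way to tell whether a board already carries the second patch. The checker below is an added example, not part of the post or of Invision's code: it looks in functions.php for the exact assignment the post quotes (`$id = intval($ibforums->input['skinid']);`) while ignoring commented-out lines, so the commented line 577 cannot produce a false "patched". The PHP excerpts are constructed from the two lines quoted above, and the regexes and function names are the example's own.

```python
import re
import sys
from pathlib import Path

# Constructed excerpts modelled on the two lines the post quotes; the real
# functions.php is not reproduced here.
UNPATCHED_EXCERPT = """\
$ibforums->input['skinid'] = intval($ibforums->input['skinid']);
// ... unrelated code ...
$id    = $ibforums->input['skinid'];
"""
PATCHED_EXCERPT = """\
//$ibforums->input['skinid'] = intval($ibforums->input['skinid']);
// ... unrelated code ...
$id    = intval($ibforums->input['skinid']);
"""

# Fixed form from the patch: $id = intval($ibforums->input['skinid']);
FIXED_ASSIGNMENT = re.compile(
    r"^\s*\$id\s*=\s*intval\(\s*\$ibforums->input\['skinid'\]\s*\)\s*;")
# Vulnerable form: the same assignment without the intval() cast.
RAW_ASSIGNMENT = re.compile(
    r"^\s*\$id\s*=\s*\$ibforums->input\['skinid'\]\s*;")


def strip_line_comment(line: str) -> str:
    """Drop a // or # line comment so commented-out code is never counted as
    live code (block comments /* */ are not handled; a '#' inside a string
    would also cut the line, which is acceptable for this check)."""
    return re.split(r"//|#", line, maxsplit=1)[0]


def check_skinid_patch(source: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for the given PHP source."""
    fixed = raw = False
    for line in source.splitlines():
        code = strip_line_comment(line)
        if FIXED_ASSIGNMENT.match(code):
            fixed = True
        elif RAW_ASSIGNMENT.match(code):
            raw = True
    if raw:
        return "unpatched"      # an uncast assignment is still live
    return "patched" if fixed else "unknown"


def check_file(path: str) -> str:
    return check_skinid_patch(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: {check_file(sys.argv[1])}")
    else:
        print("unpatched excerpt:", check_skinid_patch(UNPATCHED_EXCERPT))
        print("patched excerpt:  ", check_skinid_patch(PATCHED_EXCERPT))
```

Run it as `python check_skinid.py /path/to/functions.php`; "unknown" means neither form was found, which happens on files from a different version of the board.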
    



    This archive was generated by hypermail 2b30 : Sat Apr 05 2003 - 11:31:51 PST