New IPBWI Release (1.7.2.1.1)
Important security hole in groups live-example
Attention!
There is a security hole in the groups live example (/examples/groups.php). It allows an attacker to change groups without having any permission, so someone could join the admin group and gain access to the admin panel of your forum.
If you are using code from the group-change live example, an immediate update is strongly recommended.
Big thanks to IPBWI user Cortex, who checked my code and found this security issue.
Download fixed version 1.7.2.1.1 now!
- from the official download page
- or from the Invisionize download mirror
It's a very stupid security failure and everyone should use it as an example of bad code. Always remember and check: never trust data from web users, including GET and POST variables. There are different strategies to prevent code and data injection, such as blacklists and regular expressions, but the best and safest way is to use whitelists, so that only allowed options/values are accepted.
If you are interested in comparing the bad code with the (now) safe code: from the official download page you can download the current and all older versions. Comparing /examples/groups.php from IPBWI v1.7.2.1.1 and v1.7.2.1 helps you understand the differences and the dangers of the old code.
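As an added illustration of the whitelist approach described above (this is not code from IPBWI or from the original groups.php), the group a member may switch to is looked up in an explicit table keyed by the member's current group, and a POST value outside that table is refused instead of being passed on. The group IDs, the `group` parameter name, the session lookup and the `ipbwi_change_group()` call are hypothetical placeholders.

```php
<?php
// Added example, not IPBWI code: whitelist-based group change for a
// "join a public group" form. Group IDs and the SDK call are placeholders.

// The unsafe pattern is to forward $_POST['group'] straight to the
// group-change call; any integer the client sends is then accepted.
// Instead, enumerate the transitions that are actually allowed.

// Groups a normal member may switch between, keyed by the group the
// member is currently in (constructed sample data).
const ALLOWED_GROUP_CHANGES = [
    3  => [3, 20, 21],   // "Members" may move to "Beta" or "Translators"
    20 => [3, 20],       // "Beta" may only return to "Members"
    21 => [3, 21],       // "Translators" may only return to "Members"
];

/**
 * Return the validated target group, or null if the request must be
 * refused. $currentGroup must come from the server-side session,
 * never from the request itself.
 */
function validatedTargetGroup(int $currentGroup, array $post): ?int
{
    // Reject anything that is not a plain decimal integer string.
    if (!isset($post['group']) || !is_string($post['group'])
        || !ctype_digit($post['group'])) {
        return null;
    }
    $target = (int) $post['group'];

    // Whitelist check: only listed transitions are allowed; an unknown
    // current group has no allowed transitions at all.
    $allowed = ALLOWED_GROUP_CHANGES[$currentGroup] ?? [];
    return in_array($target, $allowed, true) ? $target : null;
}

// Usage in a request handler (session lookup and SDK call are placeholders):
// $current = currentMemberGroupFromSession();
// $target  = validatedTargetGroup($current, $_POST);
// if ($target === null) {
//     http_response_code(403);
//     exit('Group change not permitted.');
// }
// ipbwi_change_group($memberId, $target);
```

With this table, a POST of `group=4` from a member in group 3 returns null and is refused even though 4 is a valid integer; only the listed IDs ever reach the group-change call.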
I do not think I made any other bugs as stupid as this one, but I am very happy about any hints and checks like this from any IPBWI user. It's a kind of contribution to this project, too: check the code you use. Cortex did so and got a fast response. Security has a high priority for IPBWI, higher than adding new features. So take advantage of open source software and check it as far as your experience allows. If you are unsure, just PM me or post in the official IPBWI support forum (which shouldn't be used for high-priority/maximum-damage bugs and security holes). Anyone with advanced coding skills is invited to join the IPBWI developer forums. Just PM me to get access.
Affected files
/examples/groups.php (security hole fixed)
/ipbwi/ipbsdk_class.inc.php (version count)
