Jump to content
InvisionCommunity.de - Der Deutsche Invision Community Support
Sign in to follow this  
IPBSupport News

[IPS] IP.Board 2.0.0 to 2.1.7 Security Notice

Recommended Posts

All versions of IP.Board since 2.0.0 through 2.1.7 contain an SQL Debug tool which allows board administrators to view the database queries the software is performing. This is useful in diagnosing problems or learning how a specific area of the software transacts its database functions.

While the SQL Debug tool is very useful, leaving it enabled when not in use poses a significant security risk. By design, the tool displays all data passing between our software and your database and therefore a malicious user could view potentially sensitive data and use that data to gain unauthorized access.

It is important the SQL Debug tool is disabled when not in use. To disable the SQL Debug tool go to your Admin CP, then Tools and Settings, and General Configuration. You will find an option called Enable SQL Debug Mode. Verify this is set to No. Also, verify Debug Level is set to 0 (zero) and save the settings on this page.

Note that the SQL Debug tool is not enabled in a standard installation by default. Unless you have specifically enabled it you do not have to worry about this issue though we still suggest you verify it is disabled.

The upcoming release of IP.Board 2.2.0 requires a change to a source file to enable IN_DEV mode in the software for the debug tool to operate. This change eliminates the possibility an administrator could accidentally enable debug mode. Other changes to the software also make this type of issue less of a problem.

Quelle: http://forums.invisionpower.com/index.php?showtopic=229129

Share this post


Link to post
Sign in to follow this  

×