To everyone running IPB,
There's a full path disclosure which can lead to leakage of some other information including IP addresses (of admin or visitor), SQL query information, database name, etc. This was reported to IPB now three weeks ago, and all they did was patch their own website and didn't bother to even respond to the email. It's patched on VPSBoard (informed MannDude a while back), and they (IPB/IPS) don't seem like fixing it in their software, so details are as follows:
File: cache/sql_error_latest.cgi
It can leak information like IP addresses of users, page details, and paths. it has the potentional to be more serious should anything sensative be revealed in your request at time of SQL failure (ie: sess_hash={token}), quick fix is to deny access to the file. It's not very important, and most sites I scanned don't have the file public visible, but it could potentionally lead to some issues (it's main function is for information gathering if anything).
Examples:
1. Error: 1146 - Table 'ipsCommunity4.ibf_cache_store' doesn't exist (IPS official website).
2. And other things like:
There's a full path disclosure which can lead to leakage of some other information including IP addresses (of admin or visitor), SQL query information, database name, etc. This was reported to IPB now three weeks ago, and all they did was patch their own website and didn't bother to even respond to the email. It's patched on VPSBoard (informed MannDude a while back), and they (IPB/IPS) don't seem like fixing it in their software, so details are as follows:
File: cache/sql_error_latest.cgi
It can leak information like IP addresses of users, page details, and paths. it has the potentional to be more serious should anything sensative be revealed in your request at time of SQL failure (ie: sess_hash={token}), quick fix is to deny access to the file. It's not very important, and most sites I scanned don't have the file public visible, but it could potentionally lead to some issues (it's main function is for information gathering if anything).
Examples:
1. Error: 1146 - Table 'ipsCommunity4.ibf_cache_store' doesn't exist (IPS official website).
2. And other things like:
Code:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Date: Sat, 27 Jun 2015 11:31:41 +0000
Error: 2013 - Lost connection to MySQL server during query
IP Address: 98.20.[redacted].[redacted] - /index.php?app=core&module=search&do=search&fromMainBar=1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
mySQL query error: SELECT p.pid, p.queued,t.approved, t.forum_id FROM posts p LEFT JOIN topics t ON ( p.topic_id=t.tid ) WHERE t.forum_id IN (19,53,5,4,10,14,26,35,30,31,32,33,34,36,37,38,12,13,27,39,8,47,29,24,25,45,49,18,16,17,54,23,146,50,9,46,104,107,93,102,94,95,97,96,98,99,100,73,106,74,75,85,77,103,92,66,86,72,68,71,67,70,69,55,111,109,113,58,60,61,76,62,78,63,65,64,80,101,89,90,81,82,83,84,91,112,126,129,130,131,132,133,134,144,141,142,143,145) AND p.queued=0 AND t.approved=1 AND t.topic_archive_status IN (0,3) AND MATCH( p.post ) AGAINST( 'bobo' IN BOOLEAN MODE ) AND t.state != 'link' ORDER BY post_date desc LIMIT 0,100
.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------.
| File | Function | Line No. |
|----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------|
| fAcontent_bFf/applications/forums/extensions/search/engines/sql.php | [search_engine_forums]._buildWhereStatement | 173 |
'----------------------------------------------------------------------------+-------------------------------------------------------------------------------+-------------------'
