IP.Board 3.3.x & 3.4.x – Messenger Directories Input Validation Failure Vulnerability

Product Description:

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as its database management system, although support for other database engines is available.

Vulnerability Discussion:

Due to an input validation failure, a malicious user can remove or add any message directory belonging to another user.

Vendor Contact Timeline:

2015-04-23: Vendor contacted via email.
2015-04-24: Vendor confirms vulnerability.
2015-05-01: Vendor issues patches.
2015-05-01: RACK911 Labs issues security advisory.

About Us:

https://www.RACK911Labs.com

RACK911 Labs
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119

1-855-RACK911

References:

https://invisioncommunity.com/news/product-updates/9729-ipboard-33x-34x-security-update/