IP.Board 3.3.x & 3.4.x – Messenger Directories Input Validation Failure Vulnerability
Invision Power Board (abbreviated IPB, IP.Board or IP Board) is Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as its database management system, although support for other database engines is available.
Due to an input validation failure, a malicious user can add or remove any message directory belonging to another user.
Vendor Contact Timeline:
2015-04-23: Vendor contacted via email.
2015-04-24: Vendor confirms vulnerability.
2015-05-01: Vendor issues patches.
2015-05-01: RACK911 Labs issues security advisory.