Security, 53cu417y, security

Well, what a month.

It seems that just about every hacking group under the sun has been having a pop at Invision Power Board over the last few months.

I remember back in the good old days an email was sent to you informing you of any potential vulnerability before it was made public, allowing you to fix the problem and send out patches to your customers and users. Now that’s extremely rare, and more often than not the exploit is automated via a Perl or PHP script which is then distributed to all the underground hacking groups and posted on their forums for any moronic script kiddie to download and take down soccer mom boards for their own amusement.

At the risk of sounding like a whiny computer nerd, it’s tough being a web programmer these days. The dangerous balance of features versus security is very tough to maintain. A small mistake in your regex can potentially allow shell access to your server and a badly formed SQL query can allow your admin sessions to be taken. We’re seeing stuff that simply wasn’t possible a few years back thanks to the changes and developments in PHP and MySQL. “UNION SELECT” allows queries to be joined, making a missing INTVAL() another notch on a hacker’s mouse cord.

IPB has become a very high profile target. Our customers include some of the biggest brands in the world (AMD, Sony, EMI, Warner Bros, etc) so it’s an obvious target for hackers. Also, our code is sold as readable source and not compiled which allows everyone to see the inner workings and work out possible weaknesses.

Of course, the responsibility lies firmly at the feet of the developers writing the code. It’s our job to make hackers’ lives as difficult as possible and with that in mind, we’ve made some huge changes to the IPB 2.2.0 codebase. I don’t want to say too much other than every single exploit type that IPB has suffered with recently will no longer be possible. These changes have been made at the very core of the program so we’re not simply papering over the cracks.
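
The missing-intval() case mentioned in the post, shown against a constructed in-memory database. This is an added example, not IPB code: the schema, table names, input value and the use of PDO with SQLite are all assumptions made for illustration.

```php
<?php
// Added example: constructed in-memory schema, not IPB's tables or code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE topics (id INTEGER, title TEXT)");
$db->exec("CREATE TABLE admin_sessions (session_id TEXT, member TEXT)");
$db->exec("INSERT INTO topics VALUES (1, 'Welcome')");
$db->exec("INSERT INTO admin_sessions VALUES ('constructed-session-id', 'admin')");

// Constructed request value: a number followed by a second SELECT.
$input = "0 UNION SELECT 0, session_id FROM admin_sessions";

// Vulnerable: the raw value lands in a numeric context, so the database
// parses the UNION as SQL and rows from admin_sessions are returned.
function titles_unsafe(PDO $db, string $id): array {
    return $db->query("SELECT id, title FROM topics WHERE id = " . $id)
              ->fetchAll(PDO::FETCH_COLUMN, 1);
}

// The cast the post refers to: intval() keeps only the leading integer,
// so nothing after the number ever reaches the query text.
function titles_intval(PDO $db, string $id): array {
    return $db->query("SELECT id, title FROM topics WHERE id = " . intval($id))
              ->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Structural fix: the value is bound as data and never parsed as SQL.
function titles_bound(PDO $db, string $id): array {
    $st = $db->prepare("SELECT id, title FROM topics WHERE id = ?");
    $st->execute([$id]);
    return $st->fetchAll(PDO::FETCH_COLUMN, 1);
}

var_dump(titles_unsafe($db, $input));
var_dump(titles_intval($db, $input));
var_dump(titles_bound($db, $input));
```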

Good to hear, Matt (well, not the hacking part :P). It is said today that we make 1 mistake and it makes our lives hell.

I reckon I spend way more time than I probably really should, making sure there are no security risks, and my projects are only half the size of IPB.

Anyway, keep up the good work, I have always viewed IPB as the most secure BB out there.

I hope that you also consider implementing such procedures in the numerous other Invision Power products.

One thing about hackers is they are persistent buggers…. Can’t help themselves at all…

I’m very relieved to hear that there have been changes in the IPB 2.2.0 codebase at the very core to stop the recent types of attacks, and really tighten security.

In addition to that, and the security audit for 2.2, it should make for a much more solid product :)

Yes, I agree with Michael. Hopefully you implement this in all other IPS products.

Looking forward to hearing more. I trust you guys will get things right.

$query = str_replace( "UNION", "Onion", $query); ?

Tim’s comment made me laugh, a lot.

Seeing how much IPB has been hammered over the last few weeks, I’d like to say thanks for the speediness of the security upgrades, it must be very frustrating for you.

In IPS I trust.

The problem with giving you a chance to fix it before public announcement is that these people would not then be able to make themselves a ‘name’. The good coders make their name from coding not cracking; these people generally can’t do it so they break it.

Of course, and as you mention, it is still your problem to make your product secure. But as you say one simple mistake and blammo. Oh well .. off the soapbox all I will do is fall off on top of yah ;-)

That’s good that the exploits have been stopped. Hopefully this will stop hackers.

You guys are monitoring queries that are passing through the database class before they’re run to check their query structure? That’s what I would do to prevent any kind of mishap.

You could probably make a topic at BEYOND for security ideas to get into 3.0.0 (or 2.2). At this time I can’t think of any, and I can think of some things in an instant . . .

We’ve switched off union joins using a constant in the DB class.

Of course, this can be overridden by using $DB->allow_sub_queries = 1 before the query is formed and executed.

Currently, all of our products don’t take advantage of UNION SELECT or SELECT * FROM table WHERE (SELECT…) so it seems safer to switch them off.

The per query switch will then allow them to be used in a much more controlled manner.

Other IPB 2.2.0 features include: ability to change the location of the “admin” directory, ability to .htaccess password protect the “admin” directory, ability to write .htaccess “deny all” PHP/CGI/shtml/phtml files in all non PHP IPB folders to prevent PHP files executing and some other stuff to generally make life harder for hackers.
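
One way a database class could enforce the switch described in the comment above, with the override lasting for a single query. This is an added sketch and not IPB's DB class: only the property name `allow_sub_queries` comes from the comment, while the class, method names, detection rules and sample statements are hypothetical.

```php
<?php
// Added sketch, not IPB's DB class. Only the property name
// allow_sub_queries comes from the post; everything else is hypothetical.
class GuardedDb
{
    public $allow_sub_queries = 0;   // per-query override, off by default
    // Blank out quoted literals so words inside post text do not trip the check.
    private function stripLiterals(string $sql): string
    {
        $re = "/'(?:[^'\\\\]|\\\\.|'')*'|\"(?:[^\"\\\\]|\\\\.)*\"/s";
        return preg_replace($re, "''", $sql);
    }

    // True when the statement contains UNION or more than one SELECT.
    public function hasUnionOrSubSelect(string $sql): bool
    {
        $bare = $this->stripLiterals($sql);
        return preg_match('/\bUNION\b/i', $bare) === 1
            || preg_match_all('/\bSELECT\b/i', $bare) > 1;
    }

    // Returns the SQL a real class would hand to the driver; throws if blocked.
    public function query(string $sql): string
    {
        $allowed = (bool) $this->allow_sub_queries;
        $this->allow_sub_queries = 0;   // the override covers one query only
        if (!$allowed && $this->hasUnionOrSubSelect($sql)) {
            throw new RuntimeException('UNION / sub-select blocked');
        }
        return $sql;
    }
}
$db = new GuardedDb();
$samples = [   // constructed statements
    "SELECT title FROM topics WHERE tid = 5",
    "INSERT INTO posts (post) VALUES ('the union select committee')",
    "SELECT title FROM topics WHERE tid = 0 UNION SELECT x FROM other_table",
];
foreach ($samples as $sql) {
    try {
        $db->query($sql);
        echo "sent:    $sql\n";
    } catch (RuntimeException $e) {
        echo "blocked: $sql\n";
    }
}
$db->allow_sub_queries = 1;   // deliberate, reviewed use of UNION
echo "sent:    " . $db->query("SELECT a FROM t1 UNION SELECT a FROM t2") . "\n";
```

Resetting the flag inside `query()` keeps an override set for one statement from silently covering the next one built from request data.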

Now I see why you have been so busy lately. It is quite good to hear that things are more secure.

I understand that the new IPB products (IPD, IPC, IPN) will all be encoded. Are you also going to encode some of IPB 2.2?

I remember I got UNION SELECT on my forums earlier this month. Since I upgraded to the 2.17 Patch and blocked Union Select I never saw them again. :) Security patches always help. Now I can’t wait to see a bunch of new features in IPB 2.2!

I’ve been camping out at a hacking forum recently, and it really would be comical were it not to cause so many problems for so many people.

It’s just a group of kids, who lack basic literacy skills, following tutorials to run exploits found by people who actually know what they’re doing. They take down a forum or site, make a topic, and all the other kids slap them on the back and say good job. One of the tutorials on the site was “how to download and install Firefox”. No joke. That’s who webmasters are having to deal with.

It scares me that these kids are the future.

I look forward to IPB 2.2 Matt. You guys at IPB do a great job! :)

Well I’m proud to say I’m not one of them (although, I hope you’ve figured that by now).

I’m a member of a warez site and I’ve been browsing around it, waiting till some IPB thing is posted when I’ll report it to PIS.

IPB is an excellent software.
Good job.

I think you’re being a bit naive saying “I don’t want to say too much other than every single exploit type that IPB has suffered with recently will no longer be possible.” It’s pretty easy to stop SQL injection with some sensible DB abstraction, but as far as stopping the XSS attacks, good luck. There will always be some leaking through :)

Sure - but with the new IPB 2.2 stronghold cookie, actually having the cookie information may not be enough to automatically log in as the member.

“It scares me that these kids are the future.” -Rikki

Whoaa, not all kids that are ‘the future’ are hackers. Don’t bias that by just looking at one group. I’m definitely not a hacker.

Matt, I’d like to thank you for working so hard and fast to fix all of these recent holes, and making 2.2 a more secure product. :)

Matt, you have made a great job with the IPB! THANKS!!!!

Why Why must you TORMENT poor people who want to have a good site WHY? *falls down on the ground dead for some reason* O-o

@Kaito:
why they must talk stupid things ???

Stronghold cookies? What are they then?

/me is interested.

Thanks for such a great job you do with IPB, Matt, as a lot of us appreciate your hard work.

I predict: The IPB will develop into the most popular and most sought-after forum software worldwide!

It won’t be very popular unless the price goes down. BTW, why make them pay for IPB? I mean, who came up with the idea for making them have to have licenses? It’s just cheating people out of their money. I would rather have rocks thrown at me by little children and have to eat dog crap than spend money on something that isn’t worth that amount of money.

What a nice, anonymous comment. I always wonder what people like that’d say to my face if I sought them out and asked them to explain themselves.

Anyway, sounds like 2.2 will be a very nice upgrade. I’ll make sure to have a thorough look at the source :-)
P.S. Please don’t close the source by distributing it as some precompiled crap. Because that’s what I read out of Myr’s comment. I’m using IPB just because I’m able to modify the source to my special needs. If I can’t do that anymore, I won’t be able to stay with IPB.

And also it makes spotting problems in the code something only you and your co-developers and code reviewers will be doing, not all your users.

Which is bad.

Hackers will always be able to view the source anyway, because they want to and have time to disassemble it.

People who run IPB in production don’t, and won’t.

Hence you’ll be alone in trying to spot bugs, against the same people that are hacking you now.

I personally think that we should have something like a security sounding board. We set up 1 IPB forum, on its own server, and we say to people “if you hack this and tell us how you did it, and we can fix it, you will get (for example) free IPB for 1 year”

Just my two cents

Well, through IPB I’ve never had any issues. Any time there was a bug it would be fixed with a security update ASAP, so thanks for your dedication with IPB, and I look forward to current and future releases.

How about doing something really wild like allowing those of us with SSL connections to use them when logging into the admin section? Not that I don’t appreciate everything else you do, but man, that can’t be too hard - just change a couple of redirects or something…
