This InvisionBoard stuff - Page 2

**Edmunds** · #12 (**permalink**) 11-24-2004, 02:39 PM

It's a common exploit. This is why $_GET data should rarely be used for queries.

There's 2 problems
1. Remember that this is invision free and they most likely have that bug fixxxed
2. This works with MySQL 4.0+

Rael · #13 (**permalink**) 11-24-2004, 02:44 PM

Right. We'll have to keep searching for ways around that, then. I was hoping InvisionFree wouldn't have fixxxed it; I guess they've outsmarted us this once

**Edmunds** · #14 (**permalink**) 11-24-2004, 02:47 PM

Seeing how it says Invision Board has already released an official patch, I think most IB users have fixxxed it by now.

Rael · #15 (**permalink**) 11-24-2004, 02:50 PM

Probably.

What we really need to do is find an exploit no one knows about. I was hoping you'd look at the source and see if you could work something out, like that cookie replace you used on GE.

imp:

Rael · #16 (**permalink**) 11-26-2004, 02:10 AM

Now that I've been thinking of it, a lot of OD members are here. What are the odds that they're using the same passwords on OD and here? Rather high, since they're not very bright. We only have their encrypted passwords, but that's probably enough to hack into their accounts and get a glance at their staff forums.

If no one's tried it by the time I get back on Saturday, I'll do it myself.

imp: