
IP.Board 2.0.0 to 2.1.7 Security Notice



#1 Michael


Posted 01 November 2006 - 12:23 PM

All versions of IP.Board since 2.0.0 through 2.1.7 contain an SQL Debug tool which allows board administrators to view the database queries the software is performing. This is useful in diagnosing problems or learning how a specific area of the software transacts its database functions.

While the SQL Debug tool is very useful, leaving it enabled when not in use poses a significant security risk. By design, the tool displays all data passing between our software and your database, and therefore a malicious user could view potentially sensitive data and use that data to gain unauthorized access.

It is important the SQL Debug tool is disabled when not in use. To disable the SQL Debug tool, go to your Admin CP, then Tools and Settings, and General Configuration. You will find an option called Enable SQL Debug Mode. Verify this is set to No. Also, verify Debug Level is set to 0 (zero) and save the settings on this page.

Note that the SQL Debug tool is not enabled in a standard installation by default. Unless you have specifically enabled it, you do not have to worry about this issue, though we still suggest you verify it is disabled.

The upcoming release of IP.Board 2.2.0 requires a change to a source file to enable IN_DEV mode in the software for the debug tool to operate. This change eliminates the possibility an administrator could accidentally enable debug mode. Other changes to the software also make this type of issue less of a problem.

Source: Click Here



