mailing list archives
Invision Power Board 2.1.7 debug mode vulnerability
From: Rapigator <rapigator () yahoo com>
Date: Tue, 31 Oct 2006 23:48:40 -0800 (PST)
Debug mode is a feature in IPB 2.0.0-2.1.7 that shows
all database queries for each forum page requested.
If Debug mode is turned on, it is possible for anyone
to request a forgotten password for an account, and
capture the validation key that is sent to the
account's email address. This allows an attacker to
change anyone's password without having access to the
Through debug mode, it is also possible to bypass
captcha protection used to block bot actions(such as
automated registration), and table names can also be
Debug mode is turned off by default, yet there are no
security warnings regarding this feature. It is best
to keep it off at all times.
Everyone is raving about the all-new Yahoo! Mail
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Invision Power Board 2.1.7 debug mode vulnerability Rapigator (Nov 01)