How would someone hack this version of forums using BT3?
Thanks
Easy, find the location of the server and then use this link
http://www.kershaw-knives.net/images...18-350x350.gif
Funny. Let me re-word myself.
Are there any exploits for that version of forums that I could use to penetrate into the forums?
Google - Invision Power Board 2.3.6 exploit <search>
It appears version 2.3.5 is vulnerable, but not .6 (yet).
What Operating System is it running on?
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
Yes, you're right. This came up in my list of New Posts because some very classy new member posted an expletive laced post in here (which I deleted), but I didn't check the last posted date before throwing my own response in here.
I'm guessing that you didn't have this installed on one of your own test systems then?
No, it is just a free forum account that I am admin on.
We have had to switch forums a few times due to script kiddies/brute force hackers getting into the admin panel.
I'd like to know how to prevent this (other than secure passwords).
A few methods:
- User lockout for x number of invalid password attempts (although this can create a DoS opportunity for attackers)
- Multi-factor authentication, or use of something like a CAPTCHA to defeat automated guessing (although it may not be suitable or possible in this case as your software must support it)
- Banning of access to IP addresses that appear to be brute forcing you (although there are ways around this for attackers)
- Use the latest version of the software
Good secure passwords are probably your best bet though.
Actual exploits may allow an attacker to do more than just get admin access to the forum, though; they may allow them to get access to the underlying OS, which could allow them to do a lot more damage. There are other methods to minimise the impact of this, but most require administrative access to the underlying OS.
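The lockout and IP-banning measures listed in the reply above, as an added example that is not part of the original thread or of Invision Power Board's code: a login throttle that uses a capped, growing delay per account instead of a permanent lockout (to limit the DoS side effect the reply mentions) and a temporary block per source IP. The class name, method names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

class LoginThrottle:
    """Added sketch (not IPB code): per-account delay + per-IP block; thresholds assumed."""
    def __init__(self, free_attempts=3, base_delay=2, max_delay=900,
                 ip_limit=20, ip_window=600):
        self.free_attempts = free_attempts  # failures allowed before delays start
        self.base_delay = base_delay        # seconds; doubles with each further failure
        self.max_delay = max_delay          # cap, so an account is never locked forever
        self.ip_limit = ip_limit            # failures per IP inside ip_window -> block
        self.ip_window = ip_window          # seconds an IP's failures are remembered
        self.account_fails = defaultdict(int)  # username -> consecutive failures
        self.account_until = {}                # username -> earliest next attempt
        self.ip_fails = defaultdict(list)      # ip -> timestamps of failed attempts

    def _recent_ip_fails(self, ip, now):
        self.ip_fails[ip] = [t for t in self.ip_fails[ip] if now - t < self.ip_window]
        return len(self.ip_fails[ip])

    def check(self, username, ip, now):
        """Decide, before the password is verified, whether to accept the attempt."""
        if self._recent_ip_fails(ip, now) >= self.ip_limit:
            return False, "ip_blocked"
        if now < self.account_until.get(username, 0):
            return False, "account_delayed"
        return True, "ok"

    def record(self, username, ip, success, now):
        """Record the outcome of an attempt that check() allowed."""
        if success:
            self.account_fails.pop(username, None)
            self.account_until.pop(username, None)
            return
        self.ip_fails[ip].append(now)
        self.account_fails[username] += 1
        extra = self.account_fails[username] - self.free_attempts
        if extra > 0:
            delay = min(self.base_delay * 2 ** (extra - 1), self.max_delay)
            self.account_until[username] = now + delay

def replay(throttle, attempts):
    """attempts: (time, username, ip, password_ok) tuples; returns each decision."""
    out = []
    for now, user, ip, ok in attempts:
        allowed, reason = throttle.check(user, ip, now)
        if allowed:
            throttle.record(user, ip, ok, now)
        out.append(reason)
    return out
```

Because the account delay is keyed on the username, a legitimate admin is still slowed while guessing is in progress; the cap bounds that wait, and a successful login clears it.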