Good morning all,
It’s been a busy past month for me, but I did happen to find a new vulnerability that exists in IP.Board. IP.Board is basically a web application that allows you to run a forum, with the option to purchase additional functionality, like blogs, a store, etc.
While I was looking into how IP.Board works, and running some tests and scans against it, I discovered a couple of vulnerabilities in the application. At the moment, they seem to largely be information disclosure and XSRF vulnerabilities, but I am in the process of seeing if they are capable of further development into something a little more dangerous.
I’ve already reported some of the vulnerabilities to the developers of IP.Board, and they said that a fix has been created for their next update. I’ll be sure to let you know once it is released if it fixes the issue. I want to look into the other outstanding vulnerabilities as much as I can to see if they can result in a dangerous attack. As I find out more information, and understand how it works, I will then be able to provide a better report to the developers of IP.Board (Invision Services) about the vulnerability.
I am also currently working to get a CVE number reserved for the issue for proper tracking of the vulnerability.