comment on

Earlier today I had someone exploit a security hole in the help.cgi script that is distributed with Ikonboard. If called properly, the help.cgi will return the member files of any member, where of course, passwords are stored in plain text. All the users needs in the name of an admin (which can be eaisly obtained from the main page) to gain the admin's password. Once the user has the Admin's password, he can login to the admin center with full access and wreak havoc on your board. Here is the patch I propose untill the Ikonboard team (which has recently vanished) has a chance to provide an official patch:

if ($inhelpon =~ /members/) {
    die "HACKING ATTEMPT LOGGED $ENV{'REMOTE_ADDR'}";
}
[download]

Yes it's primitive and no it doesn't actually log the attempt, but it should protect your board from this exploit. This code should be placed on line 51 of help.cgi (right after the $inhelpon = &cleaninput($inhelpon); line).

In reply to MAJOR BUG in Ikonboard v2.1.7b by Keef

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.