More Invision Power Board Vulnerabilities

Six Apart’s free support bulletin board for Movable Type has been offline for maintenance since this past weekend. I just saw why on Bugtraq. Looks like there is another SQL injection exploit in Invision Power Board that will grant an attacker admin access. This is a vulnerability in versions prior to 2.1.7. Hopefully they’ll get patched and back online soon.
Back in May, I wrote when that forum was exploited and modified to serve up WMF exploits. At that time I let the SANS ISC know about it. So it was pretty funny in June when a Circuit City IPB forum was hacked and it made the tech news. According to MSN search there are still a lot of boards running Invision Power Board 2.1.6. A lot of them are hobby websites that likely learn the hard way about keeping up with security patches.