[All versions] Login.php exploit
Μichael
Now I can't give you too many technical details on this because I don't know how it's done, but I heard this mentioned over an IRC channel and so I thought I should report this here. It's apparently an exploit in the auto_login function of sources/login.php that is present in all versions, including 2.1. Here's some of the relevant info from the chat logs:
QUOTE
- %2527 escapes cleaning and when url decode is ran on it when getting a cookie
- it changes to '
- the login page will take that
- if compiled with pass_hash in a cookie
- in the login page
- the %2527 which is ' is put into the sql query
- which allows u to sql inject
- to get the right pass hash
- then just make a new cookie with the right pass hash
- and u get control over a person's account

Fortunately, later in the chat he posted the fix, again, I can neither confirm nor deny this is valid, just relaying the info on to you:
QUOTE
- login.php
- find:
- if ( $mid and $pid )
- {
- add
- $pid = str_replace("'", "\\'", $pid);
- and it will kill the exploit

The query in auto_login that gets exploited gets turned into something like this:
QUOTE
- SELECT * FROM ibf_members
- WHERE id=$id AND password='$pass' OR
- id=$target
- HAVING id=$target AND
- MID(`password`,$i,1)='$letter'

I removed the posters name because I don't want to make it seem like he's a bad guy. He never mentioned he would use this on anyone maliciously, but he did say he's not a licensed customer so he can't post it here. Please take a look at this and verify that there is actually an exploit here. Thanks!
.John.
I never did get how SQL injections were done...
Μichael
QUOTE(.John. @ Aug 18 2005, 10:16 PM)
I never did get how SQL injections were done...

The idea is that you add code into the URL and it gets sent to the source code as part of $ibforums->input. If this input is not properly cleaned, then malicious code can get added. This malicious code can then get sent into the SQL queries to run queries that they're not intended to do, like obtain password hashes in this example.
.John.
I know that, but I was once attacked by SQL injection and attempted to do many different ones - failing each time. I mean, I know what it is - but could never seem to successfully perform one on my test board...
.Wolfie
If this is the exploit that I believe it is, then it's already been fixed as of v2.0.4

http://www.securiteam.com/exploits/5AP0G0KG0A.html

That looks like what you were describing, it also looks like the very exploit that was one of the reasons for v2.0.4 coming out.

Is it the same thing or one that's a little different? Also how do people find these things?

Next time you talk to your IRC friend, add in a thanks for telling about it so it could get fixed.
Will L.
Wasn't this the login.php fix when we moved from 2.0.3 to 2.0.4? I might be mistaken.
marcele
Matt said this was fixed in IPB 2.04
Starnox
I think you should have e-mailed this to Matt, instead of telling us all how to do it
Μichael
Matt probably gets enough emails from people about non-critical issues, wouldn't want this to get lost in the shuffle. And this is a bug with IPB, so I think the Bug Reports forum is the exact right place to report it.
marcele
Maybe the customer forums would have been a better place .. (as non customers don't have view access)
Matt
This was fixed in IPB 2.0.4. The change was in the myget_cookie function in functions.php (now ipsclass.php).
Μichael
Hmm, the guy who reported this said it was still exploitable in 2.1. But I trust your word on this!
cthree
I wrapped mine like so: (for 1.3 BTW)

$mid = mysql_escape_string(intval($std->my_getcookie('member_id')));
$pid = mysql_escape_string($std->my_getcookie('pass_hash'));

Is that sufficient?
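A Python model of the cookie-handling fix discussed in this thread, added here as an example and not code from IPB or from any poster: it shows why a second URL decode turns %2527 into a quote, whitelists the member_id and pass_hash cookie values before they reach SQL, and runs the auto_login lookup as a parameterised query against a constructed ibf_members table. The 32-hex-character pass_hash format, the column names and the sample rows are assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for ibf_members (not IPB data).
SAMPLE_MEMBERS = [
    (1, "admin", "0123456789abcdef0123456789abcdef"),  # constructed hash
    (2, "guest", "fedcba9876543210fedcba9876543210"),  # constructed hash
]

def decode_cookie_once(raw: str) -> str:
    """Model of a cookie read that url-decodes exactly once."""
    return unquote(raw)

def decode_cookie_twice(raw: str) -> str:
    """Model of the original bug: a second urldecode on an already
    decoded value, so %2527 -> %27 -> ' (a live quote in the SQL)."""
    return unquote(unquote(raw))

def validate_login_cookies(mid: str, pid: str):
    """Whitelist both values before SQL: member_id must be a positive
    integer, pass_hash a 32-char lowercase hex digest (assumed format).
    Returns (int, str) on success, None otherwise."""
    if not re.fullmatch(r"[1-9][0-9]*", mid):
        return None
    if not re.fullmatch(r"[0-9a-f]{32}", pid):
        return None
    return int(mid), pid

def auto_login(conn: sqlite3.Connection, mid: str, pid: str):
    """Parameterised replacement for the string-built auto_login query:
    the hash is bound, never spliced into the SQL text, so a quote in it
    cannot change the query's structure."""
    creds = validate_login_cookies(mid, pid)
    if creds is None:
        return None
    return conn.execute(
        "SELECT id, name FROM ibf_members WHERE id = ? AND password = ?",
        creds,
    ).fetchone()

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ibf_members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ibf_members (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO ibf_members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn
```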
marcele
fixed
SGS International
Why do some people spend their time working out things like this?

Silly ScriptKiddies!™.
John
QUOTE(SGS International @ Aug 19 2005, 03:50 PM)
Why do some people spend their time working out things like this?

Silly ScriptKiddies!™.


To stop other script kiddies from doing any damage
Antony
QUOTE(SGS International @ Aug 19 2005, 03:50 PM)
Why do some people spend their time working out things like this?

Silly ScriptKiddies!™.


Did you really need to turn this topic into a discussion about scriptkiddies?

I think it's rather sad that someone tries to help make everyone's lives easier by fixing a security exploit and you have to say something negative.

Would you rather your board got hacked and there was no scriptkiddie around to help you fix it?

Remember, Matt was once what you might consider a "scriptkiddie".