Posted by MutantMonkey, July 27, 2008 @ 5:48 PM Security Update
On July 26, 2008, I was informed of one SQL injection security hole. An exploit was also published at this time.

Affects: 1.0-rc9.2 and below (The development version of 2.0 also has this flaw but no fix is available at the present time.)
Severity: Critical / EXPLOIT AVAILABLE

Details:
A flaw in modules/members.php in combination with a flaw in includes/functions.php allows an attacker to inject SQL into an SQL statement. SQL injection can allow for password hashes (not actual passwords) to be stolen and other security breaches to occur. This flaw is caused by a very similar problem to our previous security fixes; we are working on rewriting any other possible vulnerable areas of code, even though we are not aware of any other files that are affected at this time.

How to patch:
The best way to patch this is to download a copy of IceBB 1.0-rc9.3 from SourceForge.net. This release contains only this fix with no other bug fixes or features. If you download this release, you will not need to apply any previous patches. You do not need to run the upgrade script as no database changes have been made, just replace your files.

If you do not wish to upgrade at the current time, you may download the patched members.php and replace your modules/members.php with it. Note that you must also apply the previous security fixes if you have not done so already.
[ Attachment: members.php ]