wylie Posted May 5, 2006
Was hacked a few days ago... so thanks for keeping up with security issues. If this includes the ACP notification of all security updates I will be a very happy camper! Thanks guys.
WilliamTM Posted May 5, 2006
> Thanks, IPS. I took two minutes to update my board from 2.1.5 to 2.1.6. This is the first time I've ever updated IPB on my own, and it was very simple.
Same! I feel clever intelligent. ^_^ I have a question though: it asks me something to do with the skins? What the hell is that about? "Template updating" or something. :blink: :unsure: Can someone explain? o:)
theclub Posted May 5, 2006
When I run /myforum/upgrade/index.php I get this error message ...
Warning: Unknown(/home/****/public_html/forums/upgrade/index.php): failed to open stream: Permission denied in Unknown on line 0
Warning: Unknown(/home/****/public_html/forums/upgrade/index.php): failed to open stream: Permission denied in Unknown on line 0
Warning: (null)(): Failed opening '/home/****/public_html/forums/upgrade/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0
:(
Alex Duggan Posted May 5, 2006
> I was just about to upgrade my IPS Community Suite, but after reading this, I can barely believe my eyes: http://www.ipsbeyond.com/forums/index.php?showtopic=6856 <_< . What is that (topic linked above) all about?! :huh: An exploit for IP.Board 2.1.6 found?!
That's a vulnerability in a modification (a "reputation" mod), not in IPB 2.1.6 itself. Would of course recommend anyone using this remove it immediately until any issues can be resolved by the modification author.
Matt (Management) Posted May 5, 2006
> What actual security exploits does 2.1.6 fix, though?
It corrects all the 2.1.5 fixes, which include:
Potential SQL injection in the task system (limited to 32 characters)
Potential SQL injection in the topic multi-mod system (must have mod powers with topic delete permissions to work)
Potential SQL injection in the PM system
Potential eval of PHP code in the search system (very clever 'hack', forces preg_replace into 'e' mode).
TestingSomething Posted May 5, 2006
What I want to know is what idiots waste their lives figuring ways to hack forums to begin with. I don't ever think "wow that person was smart to figure that out". I think wow, what a pathetic idiot. By the way, is 2.2 going to have any new actual forum "features" or just the new features not related to posting on the forum (such as Converge)? Oh and btw, since that topic mentions act=reputation... I just want to point out there is a second reputation system mod at Invisionize which isn't an official download, where someone upgraded a 2.0 version. I believe that uses act=.
.Jack Posted May 5, 2006
> What I want to know is what idiots waste their lives figuring ways to hack forums to begin with. I don't ever think "wow that person was smart to figure that out". I think wow, what a pathetic idiot. By the way, is 2.2 going to have any new actual forum "features" or just the new features not related to posting on the forum (such as Converge)? Oh and btw, since that topic mentions act=reputation... I just want to point out there is a second reputation system mod at Invisionize which isn't an official download, where someone upgraded a 2.0 version. I believe that uses act=.
Seems to me that you're the idiot. Have you ever considered that there are people who look for ways to hack software like IPB so that they make IPS aware of security holes? Besides, from my knowledge, the malicious users are generally the script kiddies who just latch on to and exploit security holes discovered by the people who are just looking to do good. And some of these "hacks" are incredibly clever... there's no denying that the people who came up with some of these hacks are very clever indeed.
kak Posted May 5, 2006
> There is a driver error that is preventing me from downloading the 2.1.5-2.1.6 upgrade patch
> mySQL query error: SELECT * FROM download_packages WHERE download_id= AND download_allow LIKE '%,2,%'
> SQL error: SQL error code: Date: Thursday 04th of May 2006 02:09:00 PM
I'm also getting that error message. Any clues? Btw, when I downloaded IPB and ICB last week the support staff had to send me the packages by mail. I've tried absolutely everything to download it myself from the "client center", but it doesn't work. I've tried with Internet Explorer, Opera and Firefox, with and without firewalls, antivirus, routers and everything. And it still doesn't work to download the packages from the "client center". Does anyone have any clues why? (It's rather boring to submit a ticket to ask them to mail it to me every time I need something.) Thanks for any help!
reflection Posted May 5, 2006
> Oh and btw, since that topic mentions act=reputation... I just want to point out there is a second reputation system mod at Invisionize which isn't an official download, where someone upgraded a 2.0 version. I believe that uses act=.
Yes... and I upgraded that same script for 2.1 yesterday cause it looks way better than that official one... and it does use act=reputation, but I just checked for possible leaks and as far as I can see it got enough input validation in the code... for example, the pid var they're referring to is validated by the intval() PHP function... so it makes sure it's an integer... no one can do a SQL injection because of that validation...
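The two input-handling points raised above, in working code: Matt's list names an eval of PHP in the search system via preg_replace's 'e' mode, and reflection notes that running the pid parameter through intval() stops SQL injection. The block below is an added example, not code from IP.Board, from the reputation mod, or from anyone in this thread; it is written for PHP 7.1+, and the function names, the `messages` table and the PDO connection are assumptions. For the integer case it shows why intval() works and adds a tamper log line and parameter binding so the same pattern also covers string parameters, where intval() cannot help; for the search case it shows the two rules that remove the 'e'-mode risk: preg_quote() every user term (it escapes regex metacharacters and the delimiter you pass, so a term can never close the pattern and append its own modifiers) and do the replacement with a callback instead of an evaluated replacement string.

```php
<?php
// Added example, not IP.Board code. Function names, the "messages" table and
// the PDO connection are hypothetical; written for PHP 7.1+.

// --- Integer parameters (the pid case discussed above) ---------------------

// intval() coerces anything to an integer: "42" -> 42, "42abc" -> 42, "abc" -> 0.
// That coercion is what blocks injection for this parameter. The extra checks
// reject ids that cannot exist and log inputs that were not a clean integer,
// which is a cheap tamper signal for anyone watching the error log.
function normalise_id($raw): int
{
    $id = intval($raw);
    if ((string)$id !== trim((string)$raw)) {
        error_log('non-numeric id parameter received: ' . substr((string)$raw, 0, 64));
    }
    if ($id <= 0) {
        throw new InvalidArgumentException('invalid id');
    }
    return $id;
}

function fetch_message(PDO $db, $raw_pid): ?array
{
    $pid = normalise_id($raw_pid);
    // Bind even an integer: user data never becomes part of the SQL text, so
    // this pattern also protects string parameters that intval() cannot cover.
    $stmt = $db->prepare('SELECT * FROM messages WHERE msg_id = :id');
    $stmt->bindValue(':id', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Search-term highlighting (the preg_replace 'e' case) -------------------

// Building a regex from raw user input lets a term that contains the pattern
// delimiter close the pattern and add modifiers of its own; with the old /e
// modifier the replacement string was then executed as PHP. preg_quote() makes
// every term a literal (delimiter included) and the callback keeps the
// replacement as code you wrote rather than a string that gets evaluated.
function highlight_terms(string $text, string $terms): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $words = preg_split('/\s+/', trim($terms), -1, PREG_SPLIT_NO_EMPTY);
    $safe = array();
    foreach ($words as $w) {
        // Escape for HTML first so the term is matched against the escaped text,
        // then for the regex so it is a literal, delimiter included.
        $safe[] = preg_quote(htmlspecialchars($w, ENT_QUOTES, 'UTF-8'), '/');
    }
    if (empty($safe)) {
        return $escaped;
    }
    $pattern = '/(' . implode('|', $safe) . ')/i';
    return preg_replace_callback($pattern, function (array $m): string {
        return '<span class="hl">' . $m[1] . '</span>';
    }, $escaped);
}

// Constructed sample input, not data from the thread: the second term carries
// an unbalanced "(" and a "/" delimiter, both of which are matched literally.
echo highlight_terms('Upgrade notes for 2.1.6 / search.php', '2.1.6 (search/'), "\n";
```

With the sample call only "2.1.6" is highlighted: the second term is searched for as the literal string "(search/", so neither the parenthesis nor the slash reaches the regex engine as syntax. The same holds for any term, which is the property a reviewer should check for in any code that builds patterns from request parameters.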
TestingSomething Posted May 5, 2006
You know full well I was talking about hackers, not IPS looking for security holes to fill. Plain and simple, anyone who does that is screwed up. And you're VERY pathetic to act like it is fine to use "intelligence" to be malicious to others. I hope your board gets messed with. [Edited]
reflection Posted May 5, 2006
> You know full well I was talking about hackers, not IPS looking for security holes to fill. Plain and simple, anyone who does that is screwed up. And you're VERY pathetic to act like it is fine to use "intelligence" to be malicious to others. I hope your board gets messed with.
Exactly my thoughts... I did get hacked with a 2.1.3 version by a German dude who just had a good time ######in with my website... on the other hand, people that check for these kinda leaks (call them hackers too) but hack with good intentions are needed on the internet... only way these leaks get discovered.
Kman_ Posted May 5, 2006
> Seems to me that you're the idiot. Have you ever considered that there are people who look for ways to hack software like IPB so that they make IPS aware of security holes? Besides, from my knowledge, the malicious users are generally the script kiddies who just latch on to and exploit security holes discovered by the people who are just looking to do good. And some of these "hacks" are incredibly clever... there's no denying that the people who came up with some of these hacks are very clever indeed.
I agree with BASHERS33 on this one. How can you have respect for someone who wastes his days trying to ruin other people's work?
bfarber Posted May 5, 2006
People, please stop. I don't want to lock this thread. :rolleyes: There are hackers out there, plain and simple. Nothing is going to change that. Some of those hackers aren't true hackers; they don't try to deface or break your board. Instead, they look for exploits and report them to the author of the software so they can fix it before someone bad finds it first. Or they are looking for exploits for the sole intention of patching their own site (i.e. security analysts at a corporation). It's all in what you do with the information. Two of the exploits we patched, the original 4-25 patch, were reported to us before the security sites, and we were given enough time to release the patch before they were reported to the security sites. If it wasn't for people like that, the bad ones would find these things first and we'd be the last to know. I don't condone malicious use of exploits, but I do applaud those that look for them and report them to the vendor before anyone else finds out.
Spack Posted May 5, 2006
Hey guys, is the exploit in action_public/search.php fixed in 2.1.6? http://www.osvdb.org/25005 Just one of my friend's boards (2.1.3) got hacked using this yesterday. We determined it was this because of the user agent and access logs provided by his host, then we hit Google and found it. Thanks
ellawella Posted May 5, 2006
Where is this "changed files only" upgrade pack I was promised in the IPS news email?
marcele Posted May 5, 2006
Shout out goes to W1lz0r for adding the much needed attachment management to the blog! (And for updating all the SQL query methods) :)
dling Posted May 5, 2006
I have 2.1.4. Do I need to upgrade to 2.1.5 and then 2.1.6, or what do you suggest? Dave
bfarber Posted May 5, 2006
Everyone should upgrade to 2.1.6, yes. It fixes a few security issues; it's just too important not to.
> Where is this "changed files only" upgrade pack I was promised in the IPS news email?
The link is in the announcement thread itself. :)
dling Posted May 5, 2006
> I have 2.1.4. Do I need to upgrade to 2.1.5 and then 2.1.6, or what do you suggest? Dave
Sorry, I guess what I should have said is: in order to upgrade to 2.1.6, must I upgrade to 2.1.5 first from 2.1.4, and then do the 2.1.6 upgrade? Dave
Mark Goldstein Posted May 5, 2006
I've successfully upgraded to 2.1.6, but have lost the few changes that I made to the IPB 2.1 Default skin. Is there an easy way to restore the changes (new logo, extra navigation links) or will I have to edit the skin again?
maz31332 Posted May 5, 2006
Is an IPB 2.0.4 board vulnerable to these exploits? If so, where is the patch info for IPB 2.0.x???
This topic is now archived and is closed to further replies.