
IPS Releases Updates to Community Suite


Guest IPS News

Posted

You do realise .ru is the Russian national top level domain? These people's only crime is likely being Russian. :huh:



Except for in the above cases, they were trying to take advantage of an exploit, so deleting and banning the IP was warranted.
Posted

Except for in the above cases, they were trying to take advantage of an exploit, so deleting and banning the IP was warranted.


I was talking to Brandon C who has apparently deleted all Russian members from his board. Petrescu was of course right to delete the user because they hacked his board, however the fact that it was a .ru email address is probably insignificant IMO.
Posted

Did you guys take out the 2.1.6 update? B/c I can't get it to download.. keep getting page not found, and thinks I'm not logged in, although I am..

Posted

Did you guys take out the 2.1.6 update? B/c I can't get it to download.. keep getting page not found, and thinks I'm not logged in, although I am..


Works just fine for me.

@ellawella: I didn't remove .ru, just the ones who were the hackers. Sorry if I misconceived you.
Posted

Hi
Regarding that forum 2.1.5 to 2.1.6 upgrade, someone might want to
include the 'upgrade' instruction in the download pack,
otherwise the 'admin' side still says 2.1.5

There I was thinking it was 2.1.6 (like it says under the board page,
after uploading the file set)

Posted

Well done IPS!

Update from 2.1.4 to 2.1.6 went very well.

Only problem, javascript no longer working, but I am the issue easy to fix.

Again, many thanks.

Posted

Hi


Regarding that forum 2.1.5 to 2.1.6 upgrade, someone might want to


include the 'upgrade' instruction in the download pack


RTFM! :lol:

Honestly, it's there mate:
  • Upload all the files contained in the "upload" folder of the download distribution EXCEPT conf_global.php. Don't forget to update files such as "ipb_templates.xml", "index.php", "admin.php" and the "upgrade" folders.
  • Run the upgrade system by accessing "upgrade/index.php" on your system (for example: www.domain.com/forum/upgrade/index.php) this will determine which upgrade modules need to be run and will rebuild your templates for you.
Posted

About that newest security fix

I haven't looked into it more, but I wonder why they would make this this way:

    if ( $this->ipsclass->input['df'] )
    {
        $html_forums = preg_replace( "/<option value=\"".intval($this->ipsclass->input['df'])."\"/", "<option value=\"".$this->ipsclass->input['df']."\" selected", $html_forums );
    }

and not add another intval at the 2nd $this->ipsclass->input['df'], so that it is intvalled too. So it looks like this:

    if ( $this->ipsclass->input['df'] )
    {
        $html_forums = preg_replace( "/<option value=\"".intval($this->ipsclass->input['df'])."\"/", "<option value=\"".intval($this->ipsclass->input['df'])."\" selected", $html_forums );
    }

Posted

The first option value is what is being replaced, that's the important one that goes into the regex. The second one is just the replacement, it shouldn't require the same sanitation.

Posted

Hi,



My current version of IPB is v2.1.6 (ID: 21012.60504.u).


Can I upgrade to 21012.60516.s using the patch?



If so, do I just have to upload the 3 new files over the old versions?



yes/yes
Posted

The first option value is what is being replaced, that's the important one that goes into the regex. The second one is just the replacement, it shouldn't require the same sanitation.




I haven't taken a further look at the rest of the code, but that's exactly why I wrote it. The replacement should be more prone to attack than the thing being replaced.


So if I say preg_replace ("blabla", "blabla;do something bad.sql",@txt) then the "blabla; do something bad.sql" could possibly be thrown into the DB.
And besides, just to be consequent to the "clean everything" rule, just intval/escape all input-stuff without thinking, that is the easiest way.
Posted

No, the replacement is just going to be added to the select option. It will be sanitized upon input if it's used, but it's not going to hurt anything the way it is.

The reason the FIRST value needs to be intval'd is because (in theory) someone could input something to get eval'd - that is how the search exploit works (the one patched on 4/25).

It won't hurt anything the way it is. If someone puts something "bad" in, and it gets put in the select option

a) It can't be used for XSS as they are the only ones who will see it
b) If they put something bad in and submit it, it's just the same as if they crafted their own form and submitted - IPB will sanitize it if that option is submitted as being used
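
An added example, not part of any post in this thread and not IPB's code: it runs the preg_replace call quoted above with intval() on the pattern only, next to a form that builds both sides from the same integer, and prints the resulting markup. The function names, the sample markup and the sample values are assumptions; a plain string stands in for $this->ipsclass->input['df'], and any cleaning IPB applies to request input before this point is not modelled.

```php
<?php
// Constructed sample markup; not taken from an IPB template.
$html_forums = '<option value="7">News</option><option value="12">Support</option>';

// Form quoted in the thread: intval() in the pattern, raw value in the replacement.
function select_as_posted(string $html, string $df): string {
    return preg_replace(
        '/<option value="' . intval($df) . '"/',
        '<option value="' . $df . '" selected',
        $html
    );
}

// Both sides built from the same integer, so no request-controlled text
// reaches either the regex or the HTML attribute.
function select_hardened(string $html, string $df): string {
    $id = intval($df);
    return preg_replace(
        '/<option value="' . $id . '"/',
        '<option value="' . $id . '" selected',
        $html
    );
}

// Constructed request values.
$samples = [
    '12',                   // well-formed forum id
    '7" data-injected="1',  // intval() gives 7; the raw text closes the attribute early
    '7$0',                  // $0 is a backreference inside a replacement string
];

foreach ($samples as $df) {
    echo "df = $df\n";
    echo '  as posted: ', select_as_posted($html_forums, $df), "\n";
    echo '  hardened : ', select_hardened($html_forums, $df), "\n";
}
```

For the second and third samples the pattern still matches option 7 because intval() stops at the first non-digit, so the "as posted" output carries the extra attribute or the expanded backreference while the hardened output is plain `value="7" selected`.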

Posted

I just went through and "attempted" to upgrade my board overnight, and I got this:

Fatal error: Unable to read 57101 bytes in /home/ontherea/public_html/sources/ipsclass.php on line 0

I've done everything, and it's not working. Anywhere I may have messed up? :(

Posted

I would submit a ticket.



Good luck with your site... I think I've visited it before when I was looking for some NCAA stuff. Was most likely the "basketball" theme of the site. :)


I submitted one about 10-12 hours ago...just trying to be patient. :)

Thanks...I did a huge overhaul on the site, actually...it was pretty nice, I customized the skin and put up banners for all the teams myself. We're at around 160,000 posts and almost 700 members now. :thumbsup:
Posted

I just went through and "attempted" to upgrade my board overnight, and I got this:



Fatal error: Unable to read 57101 bytes in /home/ontherea/public_html/sources/ipsclass.php on line 0



I've done everything, and it's not working. Anywhere I may have messed up? :(


Google's cache from 13 May shows your board version as 2.1.4. Did you try to go straight from 2.1.4 to this recent security update?
Posted

Google's cache from 13 May shows your board version as 2.1.4. Did you try to go straight from 2.1.4 to this recent security update?


From 2.1.4 to 2.1.6 is correct. I read that you could do that, as long as you copied all the files and performed the upgrade, instead of using the easy upgrade method. Did I misread something? :unsure:
Posted

You needed to have 2.1.6 in place before you applied the latest update.

What you should have done is upgraded from 2.1.4 to 2.1.6. I don't believe the security update would even be required afterwards if you had done that because IPS normally update the main download zip after they discover vulnerabilities.

If you are running a version previous to 2.1.6, please update to 2.1.6 by downloading the main download zip.


:thumbsup:
Posted

You needed to have 2.1.6 in place before you applied the latest update.



What you should have done is upgraded from 2.1.4 to 2.1.6. I don't believe the security update would even be required afterwards if you had done that because IPS normally update the main download zip after they discover vulnerabilities.


:thumbsup:


That's what I was doing, upgrading from 2.1.4 to 2.1.6 :(

Archived

This topic is now archived and is closed to further replies.
