AshieF73 Posted February 9, 2013
I have been using Invision software now for over 10 years for my community, and in that time the level of service has declined in the last 3 or 4 years. I now feel this latest issue is a step too far, and I don't think I am being unreasonable to expect more from the software provider; after all, you have made hundreds of pounds off me in the years I have been a customer. After looking at my site via Google today after a user highlighted something to me, I noticed that our domain was being listed by Google as being compromised. When I looked further, it seems somehow a Russian website was being hosted from within the forum software via 'lofiversion/board', and since December too! I did add the security patch back in December when it was released, but looking on the forums it is clear this was a much bigger issue than IPB seem to have been reporting. Also, the patch was no good if the website had already been breached. Surely that little fact should have been emailed to all customers, or made clearly visible within the ACP. All I saw in the ACP was a warning to install the patch. The other issue is the fact that the new, and horrible, quote clearly makes filtered-out abusive swear words visible when a user hits reply, yet Invision don't think this is that serious and have suggested we have to wait until the next upgrade. So my advice is firstly to all users: check your own forum's domain via Google, and check to make sure no dodgy .cgi or .php files appear in your root, and within other folders. Sadly for me, I have a popular and large community, and little time; otherwise I would be switching to an alternative supplier quicksmart, but for now, I will look at my options, and move away from Invision if I can find a better option. Not so much because I don't like the software, but mainly because I feel let down by them and their decline in service over recent years.
Charles (Management) Posted February 9, 2013
As with any software security flaw, be it in our software or your computer's OS, if the system was compromised before you applied the fix then you will indeed have to do something to remove what malicious people may have injected into your system. We have a knowledge base article on this subject: https://www.invisionpower.com/support/kb/_/how-to-clean-your-site-from-infection-r27 This is the nature of software and we are certainly not "going downhill" because of an unfortunate security issue. Any software package, from web site scripts to operating systems to mobile apps, can have security issues because there are people out there who actively look for them. I realize that you are frustrated and therefore reacting strongly to someone hacking your site, as it can be a very emotional and personal experience, but I can assure you, as I am sure others can, that we do everything we can to be proactive on security and updates.
Andrej Posted February 9, 2013
Sadly for me, I have a popular and large community, and little time, otherwise I would be switching to an alternative supplier quicksmart, but for now, I will look at my options, and move away from Invision if I can find a better option. Not so much because I don't like the software, but mainly because I feel let down by them and their decline in service over recent years.
On any other software there can be a security flaw, so I doubt you solve any problems by moving to another solution.
AshieF73 (Author) Posted February 9, 2013
I accept there will always be security flaws, but what I don't accept is the lack of pro-active notification about this recent one, and the lack of help from support today. It's not just this issue; it's cumulative over various issues, from hosting to support, which is why I feel the company has gone downhill over the last 3 or 4 years.
3DKiwi Posted February 9, 2013
If anything IPS have been more proactive regarding security in recent times. It wasn't that long ago that unless you dropped by here regularly you wouldn't know about security patches. Now we get the red notification in the ACP plus in severe cases we get an email. What more can they do? Forum admins should be checking their site / forum regularly for malware. I scan my site here: http://sitecheck.sucuri.net/scanner/ You know, not one of my 25,000 members has said anything about the new quoting. I use it all the time and it's not the end of the world as some make it out to be.
3DKiwi
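The local check the opening post recommends (look for stray .cgi or .php files in the root and other folders) and the regular malware check 3DKiwi mentions, as an added Python example that is not code from this thread, from IPS or from the Sucuri scanner: it walks a web root and flags server-side scripts sitting in data-only directories, .htaccess files inside those directories, and scripts modified after a baseline date such as the day the patch was applied. The extension and directory lists, the file names and the demo tree are constructed assumptions, not real IP.Board files.

```python
import os
import tempfile
import time
from pathlib import Path
# Server-side script extensions and directories that should hold data, not
# code (both lists are assumptions for this example; extend for your install).
SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".cgi", ".pl"}
DATA_DIRS = {"uploads", "cache", "screenshots"}

def find_suspicious_scripts(webroot, since_epoch=None):
    """Return sorted (relative_path, reason) pairs that deserve a manual look."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_data_dir = any(part in DATA_DIRS for part in rel_dir.parts)
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == ".htaccess" and in_data_dir:
                # a rewritten .htaccess can re-enable PHP inside an upload folder
                findings.append((rel, "htaccess in data directory: verify contents"))
            elif path.suffix.lower() in SCRIPT_EXTENSIONS:
                if in_data_dir:
                    findings.append((rel, "script in data directory"))
                elif since_epoch is not None and path.stat().st_mtime > since_epoch:
                    findings.append((rel, "modified after baseline"))
    return sorted(findings)

def build_constructed_tree(base):
    # Constructed placeholder files with chosen mtimes, not real IP.Board code.
    now = time.time()
    old = now - 90 * 86400  # untouched for three months
    files = {
        "index.php": old,
        "uploads/avatar.jpg": old,
        "uploads/.htaccess": old,
        "uploads/image.jpg.php": old,        # script hiding among uploads
        "lofiversion/board/board.php": now,  # dropped after the patch date
    }
    for rel, mtime in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
        os.utime(path, (mtime, mtime))

def demo():
    # Scan the constructed tree against a baseline 30 days in the past.
    tmp = tempfile.mkdtemp()
    build_constructed_tree(tmp)
    return find_suspicious_scripts(tmp, since_epoch=time.time() - 30 * 86400)
```

Run `find_suspicious_scripts("/path/to/webroot", since_epoch)` against a real install; anything it lists still needs a human to read the file, since a legitimate add-on can also put a script in an unexpected place.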
Enkidu Posted February 9, 2013
While I don't think it is IPS's fault that someone got his board compromised, I'm concerned with the recent security vulnerabilities that are being discovered lately. They are now at the rate of one per month? My suggestion is that we should have something to tell us that we have applied the patch, because sometimes you just don't know whether you have successfully applied the patch, so why not "version" your security update so we can tell which is which. For example, let's say you have version 3.4.2; when the security update/patch is applied, it becomes 3.4.3. It doesn't cost money to do that and surely your clients can tell that the patch is applied successfully.
Hexsplosions Posted February 9, 2013
I find IPS to be very proactive in addressing security issues. No criticisms. There are a couple of improvements that I might like to see, though I don't have any real technological knowledge, so what I am suggesting might be hard to implement! I can only suggest them as a customer as they are things I would find valuable.
1. I'd like to see a way of deploying patches from within the ACP. There are other less sophisticated software packages out there with this functionality.
2. I'd like a simple front end notification that a security update is available (alongside the AdminCP and ModCP links perhaps). I don't go into the ACP daily, however I do visit my forum daily.
With regards to IPB "going downhill", I think that's beyond mere exaggeration. I've been a customer for a while now with multiple licences and I am as happy with IPS now as when I first joined.
Charles (Management) Posted February 9, 2013
While I don't think it is IPS's fault that someone got his board compromised, I'm concerned with the recent security vulnerabilities that are being discovered lately. They are now at the rate of one per month? My suggestion is that we should have something to tell us that we have applied the patch, because sometimes you just don't know whether you have successfully applied the patch, so why not "version" your security update so we can tell which is which. For example, let's say you have version 3.4.2; when the security update/patch is applied, it becomes 3.4.3. It doesn't cost money to do that and surely your clients can tell that the patch is applied successfully.
You should not be concerned that vulnerabilities are being discovered; you should be happy that we are finding them and releasing patches before they become major problems :). For example, the Gallery update we made yesterday is not something anyone has ever exploited but it's still something we wanted to get a fix out for before anyone did. Actually it does indeed cost money to increment a version number - quite a lot in fact. Think about all the overhead that goes into a release. While you may understand a minor update release, we service many thousands of clients who do not all understand such things :)
Charles (Management) Posted February 9, 2013
I find IPS to be very proactive in addressing security issues. No criticisms. There are a couple of improvements that I might like to see, though I don't have any real technological knowledge, so what I am suggesting might be hard to implement! I can only suggest them as a customer as they are things I would find valuable.
1. I'd like to see a way of deploying patches from within the ACP. There are other less sophisticated software packages out there with this functionality.
2. I'd like a simple front end notification that a security update is available (alongside the AdminCP and ModCP links perhaps). I don't go into the ACP daily, however I do visit my forum daily.
With regards to IPB "going downhill", I think that's beyond mere exaggeration. I've been a customer for a while now with multiple licences and I am as happy with IPS now as when I first joined.
Both 1 and 2 are things we're working on :) For #2 we wanted to be able to, for extremely critical issues, all but disable the AdminCP until the patch is applied.
GreenLinks Posted February 10, 2013
Security issues will always happen, no matter what you do; there will be people who are constantly spending time debugging code to find vulnerabilities. We are human beings, don't forget that; we all make mistakes as it is in our nature to do so. The important thing with security issues is the response time. If the company is acting fast to release a patch, then there is absolutely no issue. Though I suggest IPS send out e-mails for security issues. A regular person who doesn't visit the IPB forums every day will very possibly miss the security issue. Yes, there is a notice on the Admin Panel; however, again, the Admin Control Panel is not an area to be visited daily.
jackflash Posted February 10, 2013
Getting spammed and or hacked is simply the nature of running a website. I don't agree that IPS is going downhill though.
Hexsplosions Posted February 10, 2013
Both 1 and 2 are things we're working on :smile: For #2 we wanted to be able to, for extremely critical issues, all but disable the AdminCP until the patch is applied.
Great news Charles, thank you. :D
NiftyWolfie Posted February 10, 2013
For #2 we wanted to be able to, for extremely critical issues, all but disable the AdminCP until the patch is applied.
This is something that I would be happy to see, but I can imagine it causing a lot of hassles as some customers won't like being "forced" to do something. I can understand being upset over a compromised board (been there myself a few weeks ago), but IPS support do everything (and more) that they can do if you ask them for help. They have documentation now to give extra advice on what to check. Regarding not knowing you had been compromised, maybe someone that's more knowledgeable about finding these things could do a write-up in the customer documents area on how to look after/protect your site from some of these invasions. I find it important to read these forums as a lot of knowledge is given out, sometimes quite randomly, about things that I find important to protecting my site. If you're unsure, use the search to look for answers and check out some of the links posted. There is a lot of info on these forums, if you take the time to look and read it. PS if this doesn't read right I apologise ..... not had a lot of sleep this week :)
4joys Posted February 10, 2013
I do not believe that IPS is going downhill; in fact I believe the opposite. Among all the major bulletin board platforms, I believe that the future is the best with IPS. I would not be running my boards with IPS if that was not the case. When I open a ticket, I'm pleased with the response time. I understand the weekend skeleton crew also, so I take that into consideration when looking for a response from a ticket. Sometimes some things slip through the cracks; it happens to every company at one point. I love the fact that they patch and update the software frequently; it is comforting to know that they are constantly working to improve and secure the software. Now I do have my gripes with how some things are handled, but I would have that with any software that I did not write myself.
Charles (Management) Posted February 10, 2013
Sjv: we do send out emails for security issues.
This is something that I would be happy to see but I can imagine it causing a lot of hassles as some customers won't like being "forced" to do something.
I would not literally disable the AdminCP but make it so it's like "no, seriously, install this update... ok yeah really you need to do this..." etc. Sometimes people need to be forced for their own good :)
AndyF Posted February 10, 2013
Sjv: we do send out emails for security issues. I would not literally disable the AdminCP but make it so it's like "no, seriously, install this update... ok yeah really you need to do this..." etc. Sometimes people need to be forced for their own good :smile:
I think one way to do that (if the issue reported was flagged important enough) would be something similar to the red IP.Board Bulletin box we have now, but as well as it showing on the ACP home page, immediately after login have it shown on its own page before you get to the ACP homepage as well, so there's no way to not see it. Think of something similar to the 'upgrade' redirection if an app version is detected but not upgraded, but without the 'forced' redirection. You'd be able to click to go to the ACP but it would at least mean it would be seen.
steve00 Posted February 10, 2013
Perhaps a message that appears on the forum that only admins can see .... not everyone visits their AdminCP area every time they go to their forum? Personally, I think that whatever is decided it will please some but not others. A must have though is the email (not everyone visits here every day and not everyone visits their own AdminCP every day).
Misi Posted February 11, 2013
A must have though is the email (not everyone visits here every day and not everyone visits their own AdminCP every day)
Yes, someone (like me) visits it rarely.
Lindy (Management) Posted February 11, 2013
I would also note again that you were ultimately hacked because of an insecure server - IPB was just the vehicle used, and this can occur in any software, in spite of best efforts on the part of the developer. A properly configured and secured server should not allow arbitrary PHP code to execute on an operating system level. exec(), system(), etc. should be disabled, open_basedir should be enabled and so forth. We try to take every necessary precaution to protect you, but you and your host also need to do your part. Please see for more information. I'm sorry for your frustration.
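The server-side checks Lindy lists, as an added Python example that is not code from this thread or from IPS: a small audit of a php.ini fragment that reports whether disable_functions covers the shell-execution family and whether open_basedir is set, run over a constructed permissive fragment and a constructed hardened one. The function list beyond exec() and system(), the allow_url_include check, and the example paths are my assumptions.

```python
# Shell-execution functions to keep disabled: exec() and system() from the
# post above plus their close relatives (an assumed list; extend as needed).
SHELL_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

def parse_php_ini(text):
    """Tiny php.ini reader: 'key = value' lines, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return findings as strings; an empty list means the checks pass."""
    s = parse_php_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(SHELL_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    if s.get("allow_url_include", "0").lower() in ("1", "on", "true"):
        findings.append("allow_url_include is enabled")
    return findings

# Constructed fragments: permissive settings beside a hardened version.
WEAK_INI = """
; php.ini with nothing disabled and no filesystem fence (constructed)
disable_functions =
open_basedir =
allow_url_include = On
"""

HARDENED_INI = """
; restrict what an injected script can reach on the host (constructed)
disable_functions = "exec,system,passthru,shell_exec,popen,proc_open"
open_basedir = "/var/www/forum:/tmp"
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or ["OK"])
```

disable_functions is only honoured from php.ini itself, not from .htaccess or a per-directory file, so audit the file the running interpreter actually loads (`php --ini` shows it). Disabling exec() and system() can break add-ons that shell out, for example to an image converter, so test the forum after changing them.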
Makoto Posted February 11, 2013
Sometimes people need to be forced for their own good :smile:
Regardless of how much I'd agree with you, I'm also not fond of the idea of IPB being able to throw a kill-switch on my forum's back-end, even if it's meant to serve a good purpose. I'm very proactive in working to keep my community secure and up-to-date myself. Also I just don't have a life. But I at least don't need babysitting. :P I'd say if you want to help get people's attention in the ACP, a simple dialogue window could do wonders, as it's something you actually have to click out of. Just a notice that there has been a critical security update, and that the client is STRONGLY urged to apply this update as soon as possible.
miraclesun Posted February 11, 2013
Also, for goodness' sake, PLEASE put a notice in the ACP in those messages that the message will go away even if you download the patch. There are always a dozen threads that start with "I updated my board but I still see the security notice in the ACP?" It only makes sense to say "this message will be removed on __" or something. Just a small annoyance.
GreenLinks Posted February 11, 2013
Sjv: we do send out emails for security issues.
Didn't receive any up to now.
steve00 Posted February 11, 2013
Didn't receive any up to now.
Not sure if it applies, but have you enabled 'Send me news and information' in your 'My Settings >> Notifications Options'?
Dmacleo Posted February 11, 2013
I've gotten a few emails about patches. I get the notices in ACP. I see the warnings here in this forum. What more do people want?
Andy Rixon Posted February 11, 2013
I personally like this idea that AndyF came up with; at least you don't miss it and the AdminCP will still be usable. Additionally to this you can also have this message/page disappear when you have applied the security update. This really is a good idea and I think it should be added in the next major release.
I think one idea on a way to do that would be (if the issue reported was flagged important enough) would be similar to the red IP.Board Bulletin box we have now, but as well as it showing on the ACP home page, immediately after login have it shown on its own page before you get to the ACP homepage as well so there's no way to not see it. Think of something similar to the 'upgrade' redirection if an app version is detected but not upgraded but without the 'forced' redirection. You'd be able to click to go the ACP but it would at least mean it would be seen.