Maxxius Posted May 5, 2013
> A critical security issue has been reported to us which may allow unauthorized access to an administrator account. We are releasing a security patch to address this issue. In the interest of allowing customers ample amount of time to apply the patch, we are not disclosing further details at this time.
Where is the 3.1.x version patch? People still use this, you know. I can't see why you choose not to release a patch for 3.1.x when 4.0 isn't there yet. Please make a patch for 3.1.x as well!
Rhett Posted May 5, 2013
Hello, the 3.1 version was end of life in July of 2012, and the 3.2 version will be end of life in July of this year. We don't provide patches for unsupported software, I'm afraid. We would recommend upgrading to the newest version, 3.4.4. Thank you for understanding.
Maxxius (Author) Posted May 5, 2013
Yes it was, but you managed to post security fixes nonetheless not so long ago for 3.1.x when it was allegedly EOL'ed. It's not like I'm talking about customer support. It's security we're talking about...
Bob van Leeuwen Posted May 5, 2013
Back then, in November, 3.1 was 3 months past its EOL date, something around 10 months ago. They've got to stop at some point. And that point is now.
Charles (Management) Posted May 5, 2013
> Back then, in November, 3.1 was 3 months past its EOL date, something around 10 months ago. They've got to stop at some point. And that point is now.
Yes, this is correct. Version 3.1 is ancient, and at some point no amount of little security patches will make the overall platform secure, efficient, or appropriate for long-term use. Software by its very nature ages, and sometimes you need to update.
Maxxius (Author) Posted May 5, 2013
Yes, I will indeed update it once the 3.4.X branch gets its final version. Right now I don't want to use 3.4.4, make its design from scratch, and then have 3.4.5 or 3.4.6 come along so that I have to re-work the design again. Too much work and too little time on my hands.
Bob van Leeuwen Posted May 5, 2013
Those minor versions won't have major skin changes, and there will be a difference report so that you can apply the patches manually. I also don't think that you can know which version of 3.4 will be the last before 4.0 is released.
Dmacleo Posted May 5, 2013
How do you know the security issue even exists in 3.1.x?
rastaX Posted May 5, 2013
Since this is a CRITICAL update, IPS is basically leaving untold sites twisting in the wind. I understand the need to put old software to rest, but since the 3.x series is still current, it is not unreasonable to expect some will wait to update until the 4.x release. If the update process from 3.1 software wasn't daunting, I would say you are being realistic to expect people to upgrade to a newer version. But since it will entail quite a bit of work, this policy will leave a LOT of customers AT RISK. I have been waiting to see what 4.0 brings to the table before deciding whether IPS is still the best solution for my needs. I currently turned my board off and will have to make this determination based on the current software. I simply am unwilling to renew all my third party apps and hooks at this time. I updated my other board (3.2) promptly. Since IPS hasn't said otherwise, I must assume this security hole puts me at risk.
Dmacleo Posted May 5, 2013
Again I ask, do you even know the risk is applicable to 3.1? Without knowing the specifics of the hole it's hard to say, and 3.1 users may actually be OK. I am NOT saying 3.1 is OK as is, just saying we don't know. I wish IPS would check that and confirm.
Grimace` Posted May 5, 2013
> Yes it was, but you managed to post security fixes nonetheless not so long ago for 3.1.x when it was allegedly EOL'ed. It's not like I'm talking about customer support. It's security we're talking about...
Then maybe you should get with the times and actually upgrade to something that is not EOL... right?
charlestest Posted May 5, 2013
> Since this is a CRITICAL update, IPS is basically leaving untold sites twisting in the wind. I understand the need to put old software to rest, but since the 3.x series is still current, it is not unreasonable to expect some will wait to update until the 4.x release. If the update process from 3.1 software wasn't daunting, I would say you are being realistic to expect people to upgrade to a newer version. But since it will entail quite a bit of work, this policy will leave a LOT of customers AT RISK. I have been waiting to see what 4.0 brings to the table before deciding whether IPS is still the best solution for my needs. I currently turned my board off and will have to make this determination based on the current software. I simply am unwilling to renew all my third party apps and hooks at this time. I updated my other board (3.2) promptly. Since IPS hasn't said otherwise, I must assume this security hole puts me at risk.
You are really missing some things in your logic. Why don't we put it back to 3.0 too? Or 2.3? What about 1.3? Sure, this SPECIFIC security issue will not be back-ported to 3.1, 3.0, 2.x, 1.x, etc., but those very old versions are surely full of lots of other issues too. ... I don't know that for certain, but because we obviously don't actively go back in time and audit out-of-date code, it seems very risky on your part to just assume very old code is secure. You have made the choice to continue to use software that we released in 2010. It's the nature of the web that technology changes at a rapid pace.
Marcher Technologies Posted May 5, 2013
This may sound harsh.... Anyone seen a 2.x security update patch? No. Why? Because at this point in time it is tantamount to putting a band-aid on a chest gun wound. Same thing here. The 3.1.x code-base has countless old bugs present that have already been fixed.
Charles (Management) Posted May 5, 2013
> You are really missing some things in your logic. Why don't we put it back to 3.0 too? Or 2.3? What about 1.3? Sure, this SPECIFIC security issue will not be back-ported to 3.1, 3.0, 2.x, 1.x, etc., but those very old versions are surely full of lots of other issues too. ... I don't know that for certain, but because we obviously don't actively go back in time and audit out-of-date code, it seems very risky on your part to just assume very old code is secure. You have made the choice to continue to use software that we released in 2010. It's the nature of the web that technology changes at a rapid pace.
This was me under the wrong account, btw :)
rastaX Posted May 5, 2013
While 3.1 may have been released in late 2010, 3.2 wasn't released until late July, 2011. Meaning less than 2 years to EOL. And it's not like it's recommended procedure to upgrade immediately whenever a new version is released either. In my mind the keyword here is CRITICAL. It's confirmed, it's dangerous and it's known. No one's asking for unlimited support of older software. To bring up 2.x is irrelevant. I've been with you guys since '04 so I pretty well know I'm whizzin' into the wind here. Just sayin'. Ignoring a critical patch for software that is not terribly old, with a somewhat intensive upgrade path, is gonna leave a lot of people vulnerable.
blair Posted May 6, 2013
+1 This should have been released for 3.1.4. It's a CRITICAL security update and took me <15 minutes. I just ran a diff report, but it appears pretty straightforward...

vers. 3.1.4, admin/sources/base/core.php

Find (~line 4878):

    $email = trim($email);
    $email = str_replace( " ", "", $email );

Replace:

    //$email = trim($email);
    //$email = str_replace( " ", "", $email );

Find (~line 6317):

    if ( ! is_array( $member_key ) )
    {
        if ( strstr( $member_key, '@' ) )

Add after:

        if( strstr( $member_key, ' ' ) )
        {
            $member_key = '';
        }

Find (~line 6569):

    else
    {
        if ( strstr( $member_key, '@' ) )
        {

Add after:

            if( strstr( $member_key, ' ' ) )
            {
                $member_key = '';
            }

Find (~line 6635):

    case 'email':
        if ( is_array( $member_key ) )
        {
            array_walk( $member_key, create_function( '&$v,$k', '$v="\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
            $multiple_ids = $member_key;
        }
        else
        {

Add after:

            if( strstr( $member_key, ' ' ) )
            {
                $member_key = '';
            }

P.S. vBulletin is still releasing security patches for vB3, and it was released in 2004. vB3.8 in 2008. I'd suggest a review of IPS policy.

Edit 2: Not to mention the security update released 6 weeks ago, while 3.1.4 was also EOL, included a patch for 3.1.4? Confusing? Let's have a consistent policy, please.
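As an added illustration (not blair's patch and not IP.Board code), the PHP below models the two e-mail key paths that the edits above change: the pre-patch path trims and deletes spaces before the lookup, so distinct inputs collapse onto one key, while the patched path blanks any key containing a space so the lookup fails closed. The function names, the member table and the sample inputs are all constructed for the example.

```php
<?php
// Added example, not IP.Board code: contrasts the pre-patch e-mail key
// normalisation with the patched fail-closed check. Member records and
// inputs below are constructed sample data.

// Pre-patch path: trim, then delete every space before the lookup. Several
// distinct inputs therefore map onto the same lookup key.
function lookupKeyPrePatch(string $email): string
{
    $email = trim($email);
    return str_replace(' ', '', $email);
}

// Patched path: a key containing any space becomes '' so the lookup cannot
// match a record the user never typed.
function lookupKeyPatched(string $memberKey): string
{
    if (strstr($memberKey, ' ') !== false) {
        return '';
    }
    return $memberKey;
}

// Case-insensitive lookup over the constructed member table; an empty key
// never matches anything.
function findMemberByEmail(array $members, string $key): ?array
{
    if ($key === '') {
        return null;
    }
    foreach ($members as $member) {
        if (strtolower($member['email']) === strtolower($key)) {
            return $member;
        }
    }
    return null;
}

$members = [
    ['id' => 1, 'name' => 'alice', 'email' => 'alice@example.com'],
    ['id' => 2, 'name' => 'bob',   'email' => 'bob@example.com'],
];

// Only the pre-patch path rewrites whitespace-bearing inputs into a key that
// matches a stored address; the patched path refuses them.
foreach (['alice@example.com', ' alice@example.com ', 'al ice@example.com'] as $input) {
    $before = findMemberByEmail($members, lookupKeyPrePatch($input));
    $after  = findMemberByEmail($members, lookupKeyPatched($input));
    printf("%-24s pre-patch: %-6s patched: %s\n", json_encode($input),
        $before ? $before['name'] : 'none', $after ? $after['name'] : 'none');
}
```

The point to check when auditing similar code is that identifier lookups validate and reject unexpected characters rather than silently canonicalising them away.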
Maxxius (Author) Posted May 6, 2013
Thanks, blair, for the insights. If that is indeed the full list of changes that need to be done, I consider this a very small patch which should have been done by IPS nonetheless. Just a few lines, come on.. would it kill you to do it yourselves? :)
blair Posted May 6, 2013
2.3.4 didn't allow email login, so I doubt this applies, but again it would be nice to have confirmation.
Cyrem Posted May 6, 2013
Oh, the problems 'just a little more' can cause... before you know it, you've gone too far and are behind on the work you should've been doing. I believe this is true for most, if not all, developers. (This is against continued releasing of patches for EOL versions, if you are unsure of the meaning.)
Grimace` Posted May 6, 2013
> 2.3.4 didn't allow email login, so I doubt this applies, but again it would be nice to have confirmation.
I thought it did allow you to choose email/username login if you set it up in the admin CP?
Cyrem Posted May 6, 2013
> I thought it did allow you to choose email/username login if you set it up in the admin CP?
You're not seriously discussing the 2.x series... are you? WELP! If we are going to look at 2.x.... Let's get every version out and check for holes... because there's probably some Pokemon fansite out there running on 1.2 that needs our help! Someone might exploit them after so many years... WE MUST SAVE THEM!
Grimace` Posted May 6, 2013
> You're not seriously discussing the 2.x series... are you?
It was just a question for blair, don't get so worked up, welp.
Cyrem Posted May 6, 2013
> It was just a question for blair, don't get so worked up, welp.
:hmm: I didn't... I made a joke out of it. (The last 4 words should have been the clear giveaway... and the Pokemon bit... even the 1.2.) Welp.
blair Posted May 6, 2013
@ Cyrem, I see you joined in 2009. If you look at my profile, I joined in 2003. I still have a site running 2.3.4. It's the little engine that could. It just steadily, and slowly, grows. I also have a 3.1.4 site that lost significant traffic after upgrading from 2.3.4 (other sites as well). I used to be someone that upgraded the day an update became available. Now, I guess I'm older and wiser. The longer you have your forum, the more you'll realize not all upgrades are improvements. 3.4.4 is the first upgrade I've considered in a long time. I'm making progress on a dev server, but I shouldn't be forced into an emergency upgrade (no skin, lost mods) because of an unpatched security issue. I understand not offering support (even with a paid license), and I have a Facebook login issue that could use some support. I don't understand leaving known security issues unpatched. Every unpatched 3.1.4 forum, 2.3.4 forum... could be the next server that helps DDoS your site (or this one). That infects your computer with malware. That sends you spam. It's irresponsible to leave them unpatched.
Marcher Technologies Posted May 6, 2013
> @ Cyrem, I see you joined in 2009. If you look at my profile, I joined in 2003. I still have a site running 2.3.4. It's the little engine that could. It just steadily, and slowly, grows. I also have a 3.1.4 site that lost significant traffic after upgrading from 2.3.4 (other sites as well). I used to be someone that upgraded the day an update became available. Now, I guess I'm older and wiser. The longer you have your forum, the more you'll realize not all upgrades are improvements. 3.4.4 is the first upgrade I've considered in a long time. I'm making progress on a dev server, but I shouldn't be forced into an emergency upgrade (no skin, lost mods) because of an unpatched security issue. I understand not offering support, and I have a Facebook login issue that could use some support. I don't understand leaving known security issues unpatched. Every unpatched 3.1.4 forum, 2.3.4 forum... could be the next server that helps DDoS your site. That infects your computer with malware. It's irresponsible to leave them unpatched.
Reverse that, Blair. Do you see PHP issuing security patches for 3/4? No, you don't; in fact it is irresponsible to be running those versions at this time. It is similarly irresponsible to be running 2.3, which hasn't seen a security patch for years.