WHERE IS Security Update: 3rd May 2013 FIX FOR 3.1.X version?


Maxxius


A critical security issue has been reported to us which may allow unauthorized access to an administrator account. We are releasing a security patch to address this issue. In the interest of allowing customers ample amount of time to apply the patch, we are not disclosing further details at this time.

where is the 3.1.x version patch?

people still use this you know. I can't see why you choose not to release a patch for 3.1.x when 4.0 isn't there yet.

please make a patch for 3.1.x as well!


Hello, the 3.1 version was end of life in July of 2012, and the 3.2 version will be end of life in July of this year, we don't provide patches for unsupported software I'm afraid.

We would recommend upgrading to a newest version of 3.4.4

Thank you for understanding.


yes it was, but you managed to post security fixes nonetheless not so long ago for 3.1.x when it allegedly was EOL'ed.

It's not like I'm talking about customer support. It's security we're talking about...


  • Management

Back then in November, 3.1 was 3 months past its EOL date, something around 10 months ago. They've got to stop at some point. And that point is now.

Yes this is correct. Version 3.1 is ancient and at some point no amount of little security patches will make the overall platform secure, efficient, or appropriate for long term use. Software by its very nature ages and sometimes you need to update.


yes I will indeed update it once the 3.4.X branch gets its final version.

right now I don't want to use 3.4.4, make its design from scratch, and then have 3.4.5 or 3.4.6 come along so I have to re-work the design again; too much work and too little time on my hands.


Since this is a CRITICAL update, IPS is basically leaving untold sites twisting in the wind. I understand the need to put old software to rest, but since the 3.x series is still current, it is not unreasonable to expect some will wait to update until the 4.x release. If the update process from 3.1 software wasn't daunting, I would say you are being realistic to expect people to upgrade to a newer version. But since it will entail quite a bit of work, this policy will leave a LOT of customers AT RISK. I have been waiting to see what 4.0 brings to the table before deciding whether IPS is still the best solution for my needs. I currently turned my board off and will have to make this determination based on the current software. I simply am unwilling to renew all my third party apps and hooks at this time. I updated my other board (3.2) promptly.

Since IPS hasn't said otherwise, I must assume this security hole puts me at risk.


again I ask, do you even know the risk is applicable to 3.1?

w/o knowing the specifics of the hole it's hard to say, and 3.1 users may actually be ok.

I am NOT saying 3.1 is ok as is, just saying we don't know.

I wish IPS would check that and confirm.


yes it was, but you managed to post security fixes nonetheless not so long ago for 3.1.x when it allegedly was EOL'ed.

It's not like I'm talking about customer support. It's security we're talking about...

Then maybe you should get with the times and actually upgrade to something that is not EOL...right?


Since this is a CRITICAL update, IPS is basically leaving untold sites twisting in the wind. I understand the need to put old software to rest, but since the 3.x series is still current, it is not unreasonable to expect some will wait to update until the 4.x release. If the update process from 3.1 software wasn't daunting, I would say you are being realistic to expect people to upgrade to a newer version. But since it will entail quite a bit of work, this policy will leave a LOT of customers AT RISK. I have been waiting to see what 4.0 brings to the table before deciding whether IPS is still the best solution for my needs. I currently turned my board off and will have to make this determination based on the current software. I simply am unwilling to renew all my third party apps and hooks at this time. I updated my other board (3.2) promptly.

Since IPS hasn't said otherwise, I must assume this security hole puts me at risk.

You are really missing some things in your logic. Why don't we put it back to 3.0 too? Or 2.3? What about 1.3?

Sure this SPECIFIC security issue will not be back-ported to 3.1, 3.0, 2.x, 1.x, etc. but those very old versions are surely full of lots of other issues too. ... I don't know that for certain but because we obviously don't actively go back in time and audit out of date code it seems very risky on your part to just assume very old code is secure.

You have made the choice to continue to use software that we released in 2010. It's the nature of the web that technology changes at a rapid pace.


  • Management

You are really missing some things in your logic. Why don't we put it back to 3.0 too? Or 2.3? What about 1.3?

Sure this SPECIFIC security issue will not be back-ported to 3.1, 3.0, 2.x, 1.x, etc. but those very old versions are surely full of lots of other issues too. ... I don't know that for certain but because we obviously don't actively go back in time and audit out of date code it seems very risky on your part to just assume very old code is secure.

You have made the choice to continue to use software that we released in 2010. It's the nature of the web that technology changes at a rapid pace.

This was me under the wrong account btw :)


While 3.1 may have been released in late 2010, 3.2 wasn't released until late July, 2011. Meaning less than 2 years to EOL. And it's not like it's recommended procedure to upgrade immediately whenever a new version is released either.

In my mind the keyword here is CRITICAL. It's confirmed, it's dangerous and it's known. No one's asking for unlimited support of older software. To bring up 2.x is irrelevant. I've been with you guys since '04 so I pretty well know I'm whizzin' into the wind here. Just sayin'. Ignoring a critical patch for software that is not terribly old, with a somewhat intensive upgrade path, is gonna leave a lot of people vulnerable.


+1 This should have been released for 3.1.4. it's a CRITICAL security update and took me <15 minutes. I just ran a diff report, but it appears pretty straightforward...

vers. 3.1.4

admin/sources/base/core.php

Find (~line 4878):

    $email = trim($email);
    $email = str_replace( " ", "", $email );

Replace with (the address is no longer silently stripped of whitespace):

    //$email = trim($email);
    //$email = str_replace( " ", "", $email );

Find (~line 6317):

    if ( ! is_array( $member_key ) )
    {
        if ( strstr( $member_key, '@' ) )

Add after (a key containing a space is emptied, so the lookup matches nobody):

        if ( strstr( $member_key, ' ' ) )
        {
            $member_key = '';
        }

Find (~line 6569):

    else
    {
        if ( strstr( $member_key, '@' ) )
        {

Add after:

            if ( strstr( $member_key, ' ' ) )
            {
                $member_key = '';
            }

Find (~line 6635):

    case 'email':
        if ( is_array( $member_key ) )
        {
            // quotes inside the create_function body are escaped as \' so the generated PHP is valid
            array_walk( $member_key, create_function( '&$v,$k', '$v="\'" . ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
            $multiple_ids = $member_key;
        }
        else
        {

Add after:

            if ( strstr( $member_key, ' ' ) )
            {
                $member_key = '';
            }

P.S. vBulletin is still releasing security patches for vB3, and it was released in 2004. vB3.8 in 2008. I'd suggest a review in IPS policy.

Edit 2: Not to mention the security update released 6 weeks ago, while 3.1.4 was also EOL, included a patch for 3.1.4? Confusing? Let's have a consistent policy please.

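An added illustration (not IPS code, and not part of blair's post) of what the diff above changes in behaviour: the pre-patch normalisation strips spaces from the lookup key, so several distinct inputs collapse onto one record, while the patched check empties any key containing a space so the lookup matches nobody. The member record, function names and inputs below are constructed for this example.

```php
<?php
// Added illustration, not IPS code: contrasts the pre-patch whitespace
// stripping with the post-patch rejection from the diff above.
// Member data, function names and inputs are constructed for this example.

// Pre-patch behaviour: leading/trailing and embedded spaces are removed,
// so several distinct inputs collapse onto one lookup key.
function memberKeyPrePatch(string $key): string
{
    $key = trim($key);
    return str_replace(' ', '', $key);
}

// Post-patch behaviour (mirrors the added strstr check): any key that
// contains a space is emptied, so the lookup matches nobody.
function memberKeyPostPatch(string $key): string
{
    return (strstr($key, ' ') !== false) ? '' : $key;
}

// Stand-in for the member lookup: an '@' selects an email match,
// otherwise a name match; exact and case-insensitive, nothing more.
function findMember(string $key, array $members): ?array
{
    if ($key === '') {
        return null;
    }
    $field = (strstr($key, '@') !== false) ? 'email' : 'name';
    foreach ($members as $m) {
        if (strtolower($m[$field]) === strtolower($key)) {
            return $m;
        }
    }
    return null;
}

$members = [
    ['id' => 1, 'name' => 'admin', 'email' => 'admin@example.test'],
];

foreach (['admin@example.test', ' admin@example.test ', 'ad min@example.test'] as $input) {
    $old = findMember(memberKeyPrePatch($input), $members);
    $new = findMember(memberKeyPostPatch($input), $members);
    printf("%-24s pre-patch: %-6s post-patch: %s\n",
        var_export($input, true),
        $old ? 'id ' . $old['id'] : 'none',
        $new ? 'id ' . $new['id'] : 'none');
}
```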

thanks blair for the insights.

if that is indeed a full list of changes that need to be done I consider this a very small patch which should have been done by IPS nonetheless. just a few lines, come on.. would it kill you to do it yourselves? :)


Oh the problems 'just a little more' can cause... before you know it, you've gone too far and are behind on the work you should've been doing. I believe this is true for most, if not all, developers.

(This is against continued releasing of patches for EOL versions, if you are unsure of the meaning)


I thought it did allow you to choose email/username login if you set it up in the admin CP?

You're not seriously discussing the 2x series... are you?

WELP! If we are going to look at 2.x.... Let's get every version out and check for holes... because there's probably some Pokemon fansite out there running on 1.2 that needs our help! Someone might exploit them after so many years... WE MUST SAVE THEM!


It was just a question for blair, don't get so worked up, welp.

:hmm:

I didn't... I made a joke out of it. (The last 4 words should have been the clear giveaway... and the Pokemon bit... even the 1.2)

Welp.


@ Cyrem, I see you joined in 2009. If you look at my profile, I joined in 2003. I still have a site running 2.3.4. It's the little engine that could. It just steadily, and slowly, grows. I also have a 3.1.4 site that lost significant traffic after upgrading from 2.3.4 (other sites as well). I used to be someone that upgraded the day an update became available. Now, I guess I'm older and wiser. The longer you have your forum, the more you'll realize not all upgrades are improvements.

3.4.4 is the first upgrade I've considered in a long time. I'm making progress on a dev server, but I shouldn't be forced into an emergency upgrade (no skin, lost mods) because of an unpatched security issue. I understand not offering support (even with a paid license), and I have a Facebook login issue that could use some support. I don't understand leaving known security issues unpatched.

Every unpatched 3.1.4 forum, 2.3.4 forum... could be the next server that helps DDoS your site (or this one). That infects your computer with malware. That sends you spam. It's irresponsible to leave them unpatched.


@ Cyrem, I see you joined in 2009. If you look at my profile, I joined in 2003. I still have a site running 2.3.4. It's the little engine that could. It just steadily, and slowly, grows. I also have a 3.1.4 site that lost significant traffic after upgrading from 2.3.4 (other sites as well). I used to be someone that upgraded the day an update became available. Now, I guess I'm older and wiser. The longer you have your forum, the more you'll realize not all upgrades are improvements.

3.4.4 is the first upgrade I've considered in a long time. I'm making progress on a dev server, but I shouldn't be forced into an emergency upgrade (no skin, lost mods) because of an unpatched security issue. I understand not offering support, and I have a Facebook login issue that could use some support. I don't understand leaving known security issues unpatched.

Every unpatched 3.1.4 forum, 2.3.4 forum... could be the next server that helps DDoS your site. That infects your computer with malware. It's irresponsible to leave them unpatched.

Reverse that Blair.

Do you see PHP issuing security patches for 3/4? No, you don't, in fact it is irresponsible to be running those versions at this time.

It is similarly irresponsible to be running 2.3, which hasn't seen a security patch for years.
