Jump to content

IPB Security Patch December 2013 for us dummies


TracyIsland
 Share

Recommended Posts

Okay, for those board admins who don't know exactly what to do, or don't upload files very often, I believe these are the implied steps in applying the security patch:

  1. download the .zip file to your desktop
  2. unzip the file
  3. now, don't upload the unzipped file that says 'ipb33_patch_dec_13' or whatever version shows for you ... instead, click on the file until you see 'admin' - that's the folder you want to upload!!
  4. upload the admin folder to your main /forums directory (meaning the main directory where you have installed ipb - for some of us, that name is different than /forums)
  5. and no, don't worry about uploading the contents of the admin folder separately; everything inside the admin folder will be uploaded and put in its correct place.

and if you feel embarrassed by the snickering comments posted here, don't. I'll bet those folks would take 3 hours to make pie dough from scratch, and have flour all over the kitchen and themselves.

Link to comment
Share on other sites

If you're running 3.4.4 (and probably anything before), do not apply the security fix yet. The ipsRegistry.php file will break your navigation menu because it references variables that don't exist in older versions.

Further to this, if you are running a version less than 3.4.6, then it's recommended you just upgrade instead, so you can get the added benefit of bug fixes as well.

Link to comment
Share on other sites

Further to this, if you are running a version less than 3.4.6, then it's recommended you just upgrade instead, so you can get the added benefit of bug fixes as well.

An IPS staffer has just implicitly said that they do not support 3.3.x anymore and for those who may not be as aware, will interpret that message to mean their board and their skin will function perfectly, with all 3rd party add-ons, with an immediate upgrade to 3.4.6

which is not true and will cause undue calamity to some or many.

Link to comment
Share on other sites

An IPS staffer has just implicitly said that they do not support 3.3.x anymore and for those who may not be as aware, will interpret that message to mean their board and their skin will function perfectly, with all 3rd party add-ons, with an immediate upgrade to 3.4.6

which is not true and will cause undue calamity to some or many.

I think you misquoted. :) I was referring specifically to the 3.4.x line. 3.3.x is still supported.

Link to comment
Share on other sites

If you're running 3.4.4 (and probably anything before), do not apply the security fix yet. The ipsRegistry.php file will break your navigation menu because it references variables that don't exist in older versions.

Can we get confirmation on this IPB? Does this apply to those of us who have applied the 3.3.x patch?

Charles, Matt, Lindy, BFarber ....

Link to comment
Share on other sites

There is a separate patch for 3.3 which should not break anything if applies to 3.3.x

The patch for 3.4.x, should be applied to 3.4.6, if you are running 3.4.0 through 3.4.5 the patch is included in 3.4.6 and it's recommended that you upgrade to 3.4.6 rather then patching. As far as skins, mods, hooks go, there shouldn't be any issues going from 3.4.0 to 3.4.6 as well so there should be no reason not to upgrade.

Link to comment
Share on other sites

There is a separate patch for 3.3 which should not break anything if applies to 3.3.x

The patch for 3.4.x, should be applied to 3.4.6, if you are running 3.4.0 through 3.4.5 the patch is included in 3.4.6 and it's recommended that you upgrade to 3.4.6 rather then patching. As far as skins, mods, hooks go, there shouldn't be any issues going from 3.4.0 to 3.4.6 as well so there should be no reason not to upgrade.

Phew ... thanks Rhett!

Link to comment
Share on other sites

I am sorry, but its not always possible to "just upgrade" to the latest version when a new patch comes out. In the past you used to release patches that would accommodate those who are not ready or have not upgraded to the latest version.

For example, I am on 3.4.5 and am unable to upgrade today. Does that mean that I will have a security hole until I do or can a patch be released for those of us not using the latest version of 3.4.x? If not, then you are essentially saying 3.4.x < 3.4.6 is no longer being supported.

Furthermore, your security notifications are completely misleading. If you say its for 3.4.x then its for 3.4.x and not just 3.4.6.

For everyone else, if you are running 3.4.5 you can definitely fix the Search sql injection by replacing the sql.php file. I am unsure on ipsRegistry or composite files as of yet.

I would appreciate if a staffer of IPS can provide more info.

Link to comment
Share on other sites

We ALWAYS release security patches against the latest version in each series. We have virtually never (barring major circumstances warranting us to do so) released a patch against each minor point release, and we have no plans to start.

If you are running 3.3.x we recommend installing the patch for 3.3.x.

If you are running 3.4.x we recommend installing the patch for 3.4.x. I am hearing (through the comments above) that the patch, built against 3.4.6 of course, does not work correctly on 3.4.4. If that is the case you will need to upgrade to 3.4.6 I'm afraid. We will not be releasing individual patches for 3.4.5, 3.4.4, 3.4.3, 3.4.2, and so on. It is not that those versions aren't supported, it is simply that we build patches against the latest version in a release series and if there is an incompatibility we will recommend that you upgrade. I am unaware of any specific reasons the patch wouldn't work against 3.4.5 at this time.

Link to comment
Share on other sites

The language you use in the security notifications is confusing at best. IPB states that the patch is for 3.4.x, which to me at least, means that it will work on all versions. If it was only meant to work on 3.4.6, it should state that and also state that everyone else needs to upgrade to fix the security hole. I have found that I need to specifically ask if this is so before applying new patches so that my forum does not break. Can IPB confirm what versions the patches can be applied to before making blanket major version statements?

In the past IPB would sometimes release manual patches for those of us who were unable to update. Examples are:

'?do=embed' frameborder='0' data-embedContent>>

'?do=embed' frameborder='0' data-embedContent>>


This is the diff for ipsRegistry.php for 3.4.5 and the patch. I have composite.php listed underneath. Do you see any issues with my replacing my 3.4.5 files with the patch? sql.php was an obvious OK so that was replaced already.

 
5c5
<  * IP.Board vVERSION_NUMBER
---
>  * IP.Board v3.4.5
7c7
<  * Last Updated: $Date: 2013-12-03 15:31:58 +0000 (Tue, 03 Dec 2013) $
---
>  * Last Updated: $Date: 2013-05-20 16:38:23 -0400 (Mon, 20 May 2013) $
10c10
<  * @author            $Author: mmecham $
---
>  * @author            $Author: bfarber $
16c16
<  * @version           $Rev: 12425 $
---
>  * @version           $Rev: 12261 $
208c208
<        * making it all but useless.
---
>        * making it all but useless. 
262c262
<               {
---
>               { 
316c316
<                                       {
---
>                                       {
335c335
<                                                               IPSText::getTextClass('email')->buildHtmlContent( array() );
---
>                                                               IPSText::getTextClass('email')->buildHtmlContent( array() );
508c508
<               /* INIT DB */
---
>               /* INIT DB */ 
524,528d523
< 
<                               if ( $key === 'search_app' )
<                               {
<                                       $_POST[ $key ] = IPSText::htmlspecialchars( $value );
<                               }
589,597c584
<                       /* If they're using defaults show the file */
<                       if( file_exists( DOC_IPS_ROOT_PATH . 'cache/skin_cache/settingsEmpty.html' ) )
<                       {
<                               print file_get_contents( DOC_IPS_ROOT_PATH . 'cache/skin_cache/settingsEmpty.html' );
<                       }
<                       else /* otherwise the cache directory setting has possibly been customised which cannot be retrieved above, show a generic error */
<                       {
<                               print "Your settings could not be read by IP.Board possibly due to importing the database incorrectly.  This is a fatal error and IP.Board cannot function while this issue persists. Please contact IPS technical support for assistance.";
<                       }
---
>                       print file_get_contents( IPS_CACHE_PATH . 'cache/skin_cache/settingsEmpty.html' );
723c710
<                                       print json_encode( array(
---
>                                       print json_encode( array( 
742,743c729,730
<                                       $runme       = new $classToLoad( self::instance() );
<                                       $runme->doExecute( self::instance() );
---
>                                       $runme       = new $classToLoad( self::instance() ); 
>                                       $runme->doExecute( self::instance() ); 
750c737
<               {
---
>               {
755c742
<                       ipsRegistry::$settings['noCacheKey'] = md5('$Rev: 12425 $');
---
>                       ipsRegistry::$settings['noCacheKey'] = md5('$Rev: 12261 $');
885c872
<                                                       $pmember = array(
---
>                                                       $pmember = array( 
1103c1090
<                       throw new Exception( "$value is not an object" );
---
>                       throw new Exception( "$value is not an object" );
1120c1107
<       {
---
>       {
1424c1411
<                       {
---
>                       { 
1439c1426
<                       {
---
>                       { 
1463a1451,1476
> 
>                         $sFurl_match = array();
> 
>                         if(preg_match("#^/forums/topic(d+).html(?:&|?)*(.*)#i", $_SERVER['REQUEST_URI'], $sFurl_match)) {
> 
>                                 $url = '/forums/index.php?showtopic='.$sFurl_match[1];
> 
>                                 if(!empty($sFurl_match[2]))
>                                         $url .= '&'.$sFurl_match[2];
> 
>                                 $_SERVER['REQUEST_URI'] = $url;
>                                 $_REQUEST['showtopic'] = $sFurl_match[1];
> 
>                         }
> 
>                         if(preg_match("#^/forums/forum(d+).html(?:&|?)*(.*)#i", $_SERVER['REQUEST_URI'], $sFurl_match)) {
> 
>                                 $url = '/forums/index.php?showforum='.$sFurl_match[1];
> 
>                                 if(!empty($sFurl_match[2]))
>                                         $url .= '&'.$sFurl_match[2];
> 
>                                 $_SERVER['REQUEST_URI'] = $url;
>                                 $_REQUEST['showforum'] = $sFurl_match[1];
>                         }
> 
1491c1504
<                       {
---
>                       { 
1631c1644
<                                       if( preg_match( "#(.+?)/" . preg_quote( IPS_PUBLIC_SCRIPT ) . "#", $_404Check, $matches ) AND ! @is_file( DOC_IPS_ROOT_PATH . preg_replace( '/(.+?)?.+/', '$1', $_404Check ) ) )
---
>                                       if( preg_match( "#(.+?)/" . preg_quote( IPS_PUBLIC_SCRIPT ) . "#", $_404Check, $matches ) AND !is_file( DOC_IPS_ROOT_PATH . preg_replace( '/(.+?)?.+/', '$1', $_404Check ) ) )
1666c1679
<                               {
---
>                               { 
1782c1795
<               {
---
>               { 
1785c1798
<                       {
---
>                       { 
1787c1800
<                               {
---
>                               { 
1814c1827
<                                       {
---
>                                       { 
2188c2201
<               # Define cache path
---
>               # Define cache path 
2764c2777
<       {
---
>       {  
3025c3038
<                       // Add caches to the load list
---
>                       // Add caches to the load list 
3337c3350
<        * @param       boolean Set to FALSE to skip trying to load the caches from DB [if not loaded already]
---
>        * @param       boolean Set to FALSE to skip trying to load the caches from DB [if not loaded already] 
3577c3590
<        *
---
>        * 
3923c3936
<                               ipsRegistry::setClass( 'isMobileApp', new $classToLoad() );
---
>                               ipsRegistry::setClass( 'isMobileApp', new $classToLoad() );
3930c3943
<        *
---
>        * 
4284c4297
<                                                                                       {
---
>                                                                                       {
4641c4654
<        * Engines we check for
---
>        * Engines we check for 
4654c4667
<        *
---
>        * 
4768c4781
< }
 No newline at end of file
---
> }
This is the diff for composite.php for 3.4.5 and the patch:


6c6
<  * IP.Board vVERSION_NUMBER
---
>  * IP.Board v3.4.5
8c8
<  * Last Updated: $Date: 2013-12-02 16:21:35 +0000 (Mon, 02 Dec 2013) $
---
>  * Last Updated: $Date: 2013-09-18 16:02:39 +0100 (Wed, 18 Sep 2013) $
17c17
<  * @version           $Revision: 12421 $
---
>  * @version           $Revision: 12364 $
28c28
<  *
---
>  * 
32c32
<  *
---
>  * 
36c36
<  *
---
>  * 
40c40
<  *
---
>  * 
43,46c43,46
<  *
<  *
<  *
<  *
---
>  * 
>  * 
>  * 
>  * 
51c51
<  *
---
>  * 
137c137
<       */
---
>       */
616c616
<                                                               else
---
>                                                               else 
787c787
<                       {
---
>                       { 
975c975
<        * @param array $where options member_id = x , app = x, time = x
---
>        * @param array $where options member_id = x , app = x, time = x 
1078c1078,1080
<               $content = preg_replace( '#<as+?([^>|data-ipb='nomediaparse']*?)href=["']([^"']+?)?["']([^>]*?)?>(.+?)</a>#is', "<a data-ipb='nomediaparse' $1href='$2'$3>$4</a>" , $content );
---
>               $content        = preg_replace( '#<as+?([^>]*?)href=["']([^"']+?)?["']([^>]*?)?>(.+?)</a>#is', "<a data-ipb='nomediaparse' $1href='$2'$3>$4</a>" , $content );
> 
>               //print htmlspecialchars($content);exit;
1184c1186
<               preg_match_all( '#<img src=(['"])([^1]+?)(?:1)([^>]+?)?>#i', $content, $matches, PREG_SET_ORDER );
---
>               preg_match_all( '#<img src=['"]([^'"]+?)['"]([^>]+?)?>#i', $content, $matches, PREG_SET_ORDER );
1189,1191c1191,1193
<                       $src     = $val[2];
<                       $rest    = $val[3];
< 
---
>                       $src     = $val[1];
>                       $rest    = $val[2];
> 
1194c1196
<                               $content = str_replace( $all, '<img src="http://' . str_replace( "'", '%27', $src ) . '"' . $rest . '>', $content );
---
>                               $content = str_replace( $all, '<img src="http://' . $src . '"' . $rest . '>', $content );
1620c1622
<                               /* IMG, A */
---
>                               /* IMG, A */
1723c1725
<       {
---
>       {
1869c1871
<                               }
---
>                               }
Link to comment
Share on other sites

I have the patch applied on 3.4.5 and haven't noticed any obvious problems. I'm not sure if I should be expecting them, but I'll be sure to upgrade to 3.4.6 soon regardless. I have some core code modifications I have to backup and re-apply is the only real reason I haven't upgraded yet.

Link to comment
Share on other sites

I am really wondering why this fix is only mentioned in the forum.

I am always online in my forum and most times ones a day in my admin section.

There I can read about black fridays, cyber mondays and all this kind of promotion, but I can't find any hint about:

YOU ARE USING A VERSION WHICH IS UNSECURE - PLEASE PATCH

I also have to confirm that this is something which should be pointed out better:

If you're running 3.4.4 (and probably anything before), do not apply the security fix yet. The ipsRegistry.php file will break your navigation menu because it references variables that don't exist in older versions.

It wasn't my problem, but I saw this also only after I patched my forum.

Link to comment
Share on other sites

I am really wondering why this fix is only mentioned in the forum.

I am always online in my forum and most times ones a day in my admin section.

There I can read about black fridays, cyber mondays and all this kind of promotion, but I can't find any hint about:

YOU ARE USING A VERSION WHICH IS UNSECURE - PLEASE PATCH

The security notice is displaying fine for me in my ACP, are you sure it's not showing for you?

post-260850-0-15545700-1386970861_thumb.

(Note: It should display regardless of if you've applied the patch or not.)

Link to comment
Share on other sites

I think it's unreasonable to expect security patches for minor versions. It would add an enormous overhead. The model IPS use is, I believe, also used by other major software developers like, say, Mozilla. I do not get security updates to FF unless I update. I keep my forums on the current release as a matter of course for exactly this reason.

I would like to ask for some clarification though;

If you are an IPS Community in the Cloud customer running IP.Board 3.3 or above, no further action is necessary; we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.

What happens if I am on a hosted account running < 3.4.6 on the 3.4.X series? As I read the above, the patch does not work with 3.4.4. I may not have updated. What happens to my hosted forum in that situation? (it hasn't happened to me, but I would like to know for future reference)

Thanks

Link to comment
Share on other sites

The problem is when the patch is labeled 3.4.x , it breaks stuff in 3.4.4 and this is not explicitly stated.

I don't mind security patches being released only for the latest minor version, I choose not to update, I'll take my risks. But, please IPS, make it so that there is 0 ambiguity next time: "This patch is for version 3.4.6, it might break stuff in earlier versions" - how hard can it be?

Link to comment
Share on other sites

I think it's unreasonable to expect security patches for minor versions. It would add an enormous overhead. The model IPS use is, I believe, also used by other major software developers like, say, Mozilla. I do not get security updates to FF unless I update. I keep my forums on the current release as a matter of course for exactly this reason.


I think its unreasonable to compare the upgrade process for IPB to Firefox. For many sites "simply upgrading" is not a simple process.
Link to comment
Share on other sites

I think its unreasonable to compare the upgrade process for IPB to Firefox. For many sites "simply upgrading" is not a simple process.

It's as simple or as complicated as you make it. I make sure it is very easy.

The problem is when the patch is labeled 3.4.x , it breaks stuff in 3.4.4 and this is not explicitly stated.

I don't mind security patches being released only for the latest minor version, I choose not to update, I'll take my risks. But, please IPS, make it so that there is 0 ambiguity next time: "This patch is for version 3.4.6, it might break stuff in earlier versions" - how hard can it be?

I agree with this - it should be clearer.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...