bfarber


IP.Board 3.3.x, 3.4.x Security Update

04-30-2015

We are releasing a patch for IP.Board 3.3.x and 3.4.x to address three cross-site scripting (XSS) issues.

It has been brought to our attention that specifically crafted URLs may allow an attacker to adjust another user's ignored user preferences and private message options.
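As an added illustration (not code from this announcement or from IP.Board itself), the following contrasts a settings endpoint that acts on any request arriving with a valid login cookie against one that also demands the member's secure_key before changing anything. The secure_key and form_hash names follow IP.Board 3.x's form-token convention but are assumed here, and the member record and the two sample requests are constructed.

```php
<?php
// Added illustration, not IP.Board's own code. Assumption: secure_key carries
// the logged-in member's form_hash, a value a third-party page cannot read.

// Constructed stand-in for the session's member record.
function current_member(): array {
    return ['id' => 42, 'form_hash' => 'c0ffee1234567890deadbeef00112233'];
}

// Weak shape: a URL the victim's browser is led to load changes the victim's
// ignored-user list, because the only requirement is the login cookie.
function update_ignored_users_unsafe(array $query): bool {
    $member  = current_member();
    $ignored = array_map('intval', explode(',', $query['ignore'] ?? ''));
    // ... persist $ignored for $member['id'] ...
    return true;
}

// Hardened shape: the request must present the member's own secure_key, so a
// link crafted elsewhere cannot satisfy the check. hash_equals() compares in
// constant time so the token cannot be guessed byte by byte via timing.
function update_ignored_users(array $query): bool {
    $member = current_member();
    $key    = (string) ($query['secure_key'] ?? '');
    if ($key === '' || !hash_equals($member['form_hash'], $key)) {
        return false; // refuse: render an error page rather than acting
    }
    $ignored = array_map('intval', explode(',', $query['ignore'] ?? ''));
    // ... persist $ignored for $member['id'] ...
    return true;
}

// Constructed requests: one without a token, as a crafted link would send,
// and one as the site's own form (which embeds the token) would submit.
$crafted = ['ignore' => '7,9'];
$genuine = ['ignore' => '7,9', 'secure_key' => current_member()['form_hash']];

var_dump(update_ignored_users_unsafe($crafted)); // weak handler acts on it
var_dump(update_ignored_users($crafted));        // hardened handler refuses it
var_dump(update_ignored_users($genuine));        // hardened handler accepts it
```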


To apply the patch
Simply download the attached zip for your IP.Board version and upload the files to your forum server.

 

IP.Board 3.4.x:

patch_34x_04272015.zip 

 

IP.Board 3.3.x:

patch_33x_04272015.zip


If you are an IPS Community in the Cloud client running IP.Board 3.3 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.

If you install or upgrade to IP.Board 3.4.7 after the date and time of this post, no further action is necessary as we have already updated the main download zips.

 

We would like to thank rack911labs.com for bringing the private message issue to our attention.

 


Comments

Why the red alert stay on my index ACP?

The alert appears completely independent of whether or not the bug exists in that installation. It will disappear after a while though.


The alert appears completely independent of whether or not the bug exists in that installation. It will disappear after a while though.

Thanks for the reply ;)


I've got the same bug in PMs (in 3.3.4) when previewing them as originally happened with this security update: http://community.invisionpower.com/blogs/entry/9720-ipboard-33x-34x-security-update/ - if you preview your PM, it enters HTML code everywhere even if you don't have HTML enabled. I believe the bug was due to something in the /admin/applications/members/modules_public/messaging/send.php file which was fixed in an updated patch at that time.


Well, we have an update anyway :D

A new update is available!


4.0.3 - 1 May 2015
Many bugs fixed both from tickets and bug tracker. A focus on ticket-related issues.
Many performance improvements. More will come in next release but you should see a difference.
The support tool in the AdminCP will now do MD5 checksum on all PHP files on the system. This allows the system to detect any modified PHP files which is useful both for support and for security. The master checksum values are fetched remotely from IPS to ensure the list is not tampered with locally.

 


In the original announcement:


If you are an IPS Community in the Cloud client running IP.Board 3.4 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.4, you should contact support to upgrade.

Should that read IP.Board 3.3 or above? Just wanted to make sure that 3.3.x clients in the IPS cloud are still being updated.

Thanks.


  • Management

In the original announcement:


If you are an IPS Community in the Cloud client running IP.Board 3.4 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.4, you should contact support to upgrade.

Should that read IP.Board 3.3 or above? Just wanted to make sure that 3.3.x clients in the IPS cloud are still being updated.

Thanks.

Yes, that was a mistake. We patch 3.3 as well currently. I've updated the entry.


File: admin/sources/classes/member/photo.php
System: IP.Board 3.4.8
nginx 1.8 + php-fpm 5.4

In the old version:

// Render the photo editor, then append the member's secure_key to the
// action URL of the form with id 'photoEditorForm'.
$html = $this->registry->getClass('output')->getTemplate('profile')->photoEditor( $data, $member );
return preg_replace( '#<form(.+?)action="([^"]+?)"\s+?id=\'photoEditorForm\'#', '<form\1action="\2&amp;secure_key=' . $this->member->form_hash . '" id=\'photoEditorForm\'', $html );

In the new version:

// The template output is returned unchanged; no secure_key is added here.
return $this->registry->getClass('output')->getTemplate('profile')->photoEditor( $data, $member );

Uploading an avatar stops working.


Users can no longer upload avatars on my forum as a result of this update. I have verified this behavior myself. Using a URL works fine, but when you select an image to upload, nothing happens after that and the avatar is not changed.

Can you please fix this, Invision?


Users can no longer upload avatars on my forum as a result of this update. I have verified this behavior myself. Using a URL works fine, but when you select an image to upload, nothing happens after that and the avatar is not changed.

Can you please fix this, Invision?

Upgrade to 3.4.8.


That is not an option for me at the moment, as it's a rather large undertaking that I have to spend a significant amount of time on. I'd just like to have this one feature fixed, since it's directly impacting my users.


That is not an option for me at the moment, as it's a rather large undertaking that I have to spend a significant amount of time on. I'd just like to have this one feature fixed, since it's directly impacting my users.

3.4.8 is the fix you need. The fix involves a template change, which is why the upgrader needs to run.


3.4.8 is the fix you need. The fix involves a template change, which is why the upgrader needs to run.

Please tell me the name of the template. My custom template for photoEditor coincides with the standard template.


Can we get a list of changes/fixes in 3.4.8?

It mentions security; have there been more security fixes in 3.4.8 that we don't have in 3.4.7? I'm wondering how important this update is.

Thanks


Can we get a list of changes/fixes in 3.4.8?

It mentions security; have there been more security fixes in 3.4.8 that we don't have in 3.4.7? I'm wondering how important this update is.

Thanks

I second this.

Is it safe staying at 3.4.7?
