
Invision Community Blog


Managing successful online communities


IP.Board 3.3.x, 3.4.x Security Update

We are releasing patches for IP.Board 3.3.x and IP.Board 3.4.x to address a security issue recently reported to us.
 
It has been brought to our attention that a cross-site scripting issue exists within the messenger in IP.Board.  We are releasing a patch today that addresses this issue.
 

3.4.7:   patch12_5_2014.zip

 

3.3.4:  patch12_5_2014 - 3.3.x.zip

 

We would like to thank Matthias Ungethüm (http://www.unnex.de) for reporting this issue to us.     

Comments




This does not appear to work for 3.3.3 or 3.3.4.

 

PHP Fatal error:  Call to undefined method classes_editor_composite::setLegacyMode() in admin/applications/forums/sources/classes/post/classPost.php on line 234

Edited by Alexia Smith

Some issues with the new classPost.php and classPostForms.php on IPB 3.3.4. I get white pages and am not able to post.

I compared the files and just applied some fixes I felt necessary. Most webservers also check for exploits and XSS when making use of mod_security, Suhosin and other security additions.


I can confirm this as well. The 3.3.x patch to our 3.3.4 forum installs (all of them) caused them to completely halt during any topic post operations.

IPB: Please send out a NEW announcement email to all clients when you FIX the 3.3.x security update. Thanks.


When these patches come out I just create a copy (tar) file of my admin directory, just in case, and then extract the patch and then test.

This patch works fine with 3.4.7 as I've just tested, but is intended for any 3.4.x as with other patches IPS have produced in the past.


@m714 - just download the patch, unzip it and, using any FTP client (like FileZilla), upload the "admin" folder to the public_html directory on your FTP. If you have your forum installed in a different directory, upload it to the main directory. The FTP client should ask if you want to overwrite 5 files - choose yes and that's it.


The main entry has been updated for IP.Board 3.3.x installations. My apologies for the inconvenience.

Mark,

Can you PLEASE answer whether the 3.4.x patch works for 3.4.5??

Thank you.

While I can't see or think of any particular reason as to why the patch will not work on 3.4.5, keep in mind that it is built against the latest version in the branch. Our general recommendation is that if you are running less than 3.4.7, then you should upgrade.


While I can't see or think of any particular reason as to why the patch will not work on 3.4.5, keep in mind that it is built against the latest version in the branch. Our general recommendation is that if you are running less than 3.4.7, then you should upgrade.

Previous patches have been marked as for "3.4.x" and I've installed them without problems. This is the first one I've seen explicitly marked for 3.4.7 (or previously, 3.4.6), which is why I asked the question. Unfortunately, upgrading to 3.4.7 is quite a time-consuming process, as I have a forum with over three million posts, several custom skins, several hooks and applications installed, and several code modifications. It is not something I can even contemplate doing at the moment.

 ..Al



