
Invision Community Blog


Managing successful online communities

IPS News

IP.Board 3.3.x, 3.4.x Security Update

We are releasing patches for IP.Board 3.3.x and IP.Board 3.4.x to address a security issue recently reported to us.
 
It has been brought to our attention that a cross-site scripting issue exists within the messenger in IP.Board.  We are releasing a patch today that addresses this issue.
 

3.4.7:   patch12_5_2014.zip

 

3.3.4:  patch12_5_2014 - 3.3.x.zip

 

We would like to thank Matthias Ungethüm (http://www.unnex.de) for reporting this issue to us.     


Comments




This does not appear to work for 3.3.3 or 3.3.4.

 

PHP Fatal error:  Call to undefined method classes_editor_composite::setLegacyMode() in admin/applications/forums/sources/classes/post/classPost.php on line 234

Edited by Alexia Smith


Some issues with the new classPost.php and classPostForms.php on IPB 3.3.4. I get white pages and am not able to post.

I compared the files and just applied some fixes I felt necessary. Most webservers also check for exploits and XSS when making use of mod_security, Suhosin and other security additions.


I can confirm this as well. The 3.3.x patch to our 3.3.4 forum installs (all of them) caused them to completely halt during any topic post operations.

IPB: Please send out a NEW announcement email to all clients when you FIX the 3.3.x security update. Thanks.


Our apologies for the inconvenience.

The patch for 3.3 does appear to have an issue and we are investigating that now.

Please do not use the 3.3 patch until an update is posted.

The patch for v3.4.x is working properly.


When these patches come out I just create a copy (tar) file of my admin directory, just in case, and then extract the patch and then test.

This patch works fine with 3.4.7 as I've just tested, but is intended for any 3.4.x as with other patches IPS have produced in the past.


@m714 - just download patch, unzip it and using any ftp client (like Filezilla) upload "admin" folder to public_html directory on your FTP. If you have your forum installed in different directory, upload it to main directory. FTP client should ask if you want to overwrite 5 files - choose yes and that's it.


Please help me, how do I install this patch (3.4.7)? What do I need to do?

Thank you.

If you haven't changed your admin folder simply upload the new admin folder and allow it to overwrite all the existing files to the new ones that you are uploading.


The main entry has been updated for IP.Board 3.3.x installations. My apologies for the inconvenience.

Mark,

Can you PLEASE answer whether the 3.4.x patch works for 3.4.5?? 

Thank you.

While I can't see or think of any particular reason as to why the patch will not work on 3.4.5, keep in mind that it is built against the latest version in the branch. Our general recommendation is that if you are running less than 3.4.7, then you should upgrade.


While I can't see or think of any particular reason as to why the patch will not work on 3.4.5, keep in mind that it is built against the latest version in the branch. Our general recommendation is that if you are running less than 3.4.7, then you should upgrade.

Previous patches have been marked as for "3.4.x" and I've installed them without problems. This is the first one I've seen explicitly marked for 3.4.7 (or previously, 3.4.6), which is why I asked the question. Unfortunately, upgrading to 3.4.7 is quite a time-consuming process, as I have a forum with over three million posts, several custom skins, several hooks and applications installed, and several code modifications. It is not something I can even contemplate doing at the moment.

 ..Al


Installed it on 3.4.5, and so far so good. But maybe it's too soon to observe any secondary effects. If in doubt keep copies of the files you're going to replace.

Thanks, appreciate the information.

 ..Al
