Jump to content

Invision Community Blog


Managing successful online communities


IP.Board 3.3.x, 3.4.x and IP.Nexus 1.5.9 Security Update

08-07-2015

We are releasing a patch for IP.Board 3.3.x and 3.4.x to address a potential cross-site scripting (XSS) issue, and we are releasing a patch for IP.Nexus 1.5.9 to address an issue where license keys may be exposed to unauthorized users. The IP.Nexus patch also includes an updated SagePay payment gateway, required for all users that use Sagepay integration as of July 31, 2015, as well as an update to the Stripe payment gateway to use their "v2" javascript integration.

It has been brought to our attention that specifically crafted files uploaded as attachments to IP.Board may allow for javascript to execute.  It has also been brought to our attention that specifically crafted URLs may allow for exposure of license keys otherwise kept private throughout IP.Nexus.


To apply the patch
Simply download the attached zip for your IP.Board version and upload the files to your forum server.

 

IP.Nexus 1.5.x:

nexus_patch_08072015.zip

 

IP.Board 3.4.x:

board34x_patch_08072015.zip

 

IP.Board 3.3.x:

board33x_patch_08072015.zip


If you are an IPS Community in the Cloud client running IP.Board 3.3 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.

If you install or upgrade to IP.Board 3.4.8 or IP.Nexus 1.5.9 after the date and time of this post, no further action is necessary as we have already updated the main download zips.

 

We would like to thank ESET for reporting the IP.Board XSS issue to us, and we would like to thank user "vekmor" for reporting the IP.Nexus license key exposure issue to us.

Comments

Recommended Comments

I downloaded the board34x_patch_08072015.zip  for my 3.4.8 version board

extracted the zip to a local drive on my box which turned out to be just single .js file.

I replaced the .js file of the same name in my public\js directory.

What makes the notification on my ADMIINCP system tab go away?

Still says I need a security patch when I first login to Admin CP.

thx

 

Link to comment
Share on other sites

I downloaded the board34x_patch_08072015.zip  for my 3.4.8 version board

extracted the zip to a local drive on my box which turned out to be just single .js file.

I replaced the .js file of the same name in my public\js directory.

What makes the notification on my ADMIINCP system tab go away?

Still says I need a security patch when I first login to Admin CP.

thx

 

IPB controls how long it stays there, they do this to make sure no one misses the message. It usually only stay showing for a week or two.

Link to comment
Share on other sites

Never Upgrade This ....!

Did you have problems when applying these patches? If so, you'll need to elaborate on them, or preferably submit a ticket. Otherwise, no one can help you.

Security patches are not an optional thing you can just ignore.

Link to comment
Share on other sites

I will ignore This Patch, ... as well !

How can I disable these annoying announcements ...?

That would be a very unwise move on your part to ignore security patches, since you're leaving your forum open to potentially being compromised in the future.

But you can't disable the announcements.

Link to comment
Share on other sites
12 minutes ago, Makoto said:

Yes, you merge and overwrite everything.

Looks like I missed several updates, do I have find and download them idividually? I see a 3.4.8 updater in my client area, does that include all patches or no.

Edited by PixlBendr
Link to comment
Share on other sites

I compared the latest patch board34x_patch_08072015.zip with the update 3.4.8 http://prntscr.com/8ib2n6 and 3.4.8 does not contain the files present in the patch; which means it doesn't contain all the updates.

also the latter updates are smaller in size than some of the preceding ones, which means, later patches do not contain previous ones matryoshka style. Each patch carries its own unique payload.

I am glad I test everything out on localhost first.

Edited by PixlBendr
Link to comment
Share on other sites

Can someone please answer me this, do I merge OR overwrite the FTP prompts.  Last answer I got here was (yes merge and overwrite.. wow) seriously?

Merging and overwriting are drastically different moves and have different results. When i try to upload folders FTP client (Forklift) is asking me to Merge OR Overwrite them. It depends on how the patch files are prepared (inclusive of all files + ones with changes; or exclusive - including only changes) Only developers know that and whoever put the files up.  

There are hundreds of files I cant go through directory manually and update one by one files in respective directories. 

Edited by PixlBendr
Link to comment
Share on other sites
13 hours ago, PixlBendr said:

Can someone please answer me this, do I merge OR overwrite the FTP prompts.  Last answer I got here was (yes merge and overwrite.. wow) seriously?

If you get the question from your FTP client on a folder, you choose to merge with existing folders. When/if you then get the question on a file, you choose to overwrite existing files. That's what was meant by merge and overwrite. Because you want to merge folders (so no existing files that is not within your patch folder (but is within the selected folder on the server) gets deleted). You usually only get the merge option if it's about a folder. As merging an already existing file with a new file with the same name would not be an sensible option for an FTP client.

Some FTP-clients will provide the option of "Merge and overwrite" right away, which means it will merge folders and overwrite files. 

 

Edited by TSP
Link to comment
Share on other sites


Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Add a comment...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

Important Information

We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. See more about cookies and our Privacy Policy

×