
Jim M

Invision Community Team
  • Posts

    8,350
  • Joined

  • Last visited

  • Days Won

    39

Reputation Activity

  1. Like
    Jim M reacted to Marc Stridgen in License   
    They won’t install unless you actively click to install them in the admin cp
  2. Like
    Jim M got a reaction from nigeld27 in License   
    You would need to install them by uploading the files to your server and then going to ACP -> System -> Applications to run the installer. The guide below is regarding the previous license terms where you could purchase individual ones but the process is still the same to install them.
     
  3. Like
    Jim M got a reaction from Andreas Grace in PHP 8.2 Thread   
    As of today, there are not any plans to make PHP 8.2 or higher compatible with Invision Community version 4. However, like many things in the software world, this is written in pencil so could change as we progress through the end of version 4's lifetime.
  4. Like
    Jim M got a reaction from David N. in Poll result calculations are off?   
    While I get what you're saying here, it is not how we intended to build the system. It is intended to only count answers, rather than voters. However, it still does provide you the voters next to the answers if you want to do your own calculations.
    If you would like to see this changed, you're more than welcome to submit a topic in our Feedback forum for further information.
  5. Like
    Jim M got a reaction from AlexWebsites in [[Template core/global/global/includeCSS is throwing an error. This theme may be out of date.   
    I've moved this to a ticket so we can look further into this to see what we can do for you here. Please watch your email for further correspondence.
  6. Like
    Jim M reacted to Randy Calvert in spam posts   
    IPS has literally thousands of customers ranging from international brands to small hobby sites.  If this was a big hole in the software that happened in the March update, there would be a huge flood of customers suddenly posting about it. 
    Let me turn that back around on you… Why do you think it’s a problem with the software suddenly when there has not been a change in others having a similar issue?  And in looking at the change notes, nothing in it would impact what you are reporting. 

    You are blaming the software update because this happened afterwards but that can simply be causality. Just because something happened around that time does not mean it is what caused the situation.  

    Also let’s think about this for a moment… if a spammer could just take over any account on your site, why would they not target important accounts?  Why not target admin or moderators?  They could mass change content and do significantly more “damage” that way. They would also be able to bypass any sort of restrictions such as post approval or content moderation.  They don’t have access to specific or exact members. They’ve either gotten a credential from somewhere else or they registered the account themselves a while back and are working back to using it now. 
  7. Like
    Jim M reacted to Randy Calvert in spam posts   
    Ummm I hope you realize IPS does this already as part of its software release process. This includes dynamic and static code scanning.  IPS also has its software reviewed on a regular basis by 3rd party security companies. 

    In addition the software is used by MANY large corporate customers who do their own independent testing in order to use it in their environment. 

    So sitting here stomping your feet and simply saying it’s some random problem “somewhere” in the software simply shows that you are uninformed.  There have been recommendations provided on how to improve blocking spam including using hCaptcha (where you can also increase its difficulty), requiring your users to use 2FA, and others.  Spam is a problem EVERYWHERE on the internet and is a cat/mouse game.  If someone has an account somewhere else compromised and uses the same credentials on your site, that is NOT a problem in the software. It’s a user problem for being stupid and using a credential in multiple places. That’s why it’s important to use things like 2FA to prevent a malicious actor from getting a password from somewhere else.
    By the way… did you know most large banks despite having FANTASTIC cyber security have on average over 3000 compromised accounts a month?  That’s despite spending hundreds of millions of dollars a month on security tools that small site owners can only dream about. If this is a challenge for them with literally dozens to hundreds of dedicated cyber security experts and budgets in the millions of dollars… how realistic is it for “the rest of us”?  
  8. Thanks
    Jim M got a reaction from DawPi in Possible Issue After Recent Patch   
    Thank you. I have reported what you mentioned here to our developers. However, I am unable to reproduce the exact error which has been originally reported. Therefore, we cannot guarantee this will resolve the OP's issue without access to their instance.
  9. Like
    Jim M reacted to opentype in Can I post a clickable image?   
    Sure. 
    First, create an image attachment in the editor by choosing the file from your hard drive. Then click on it, so the image is added to the post content. Then double-click on the image. In the dialog box, replace the content of the URL field with your target URL.   
  10. Like
    Jim M got a reaction from Svetozar Angelov in spam posts   
    Keep in mind that the biggest hole in any authentication/identity system is the human using it. Odds are that if that user set up several accounts around the internet with the same credentials, their email is more than likely also to be one of those. Your solution may solve the issue in some cases but odds are likely not in its favor, as the attacker likely has access to their email as well.
    Which is why using a non-email source, like a Two Factor Authentication code generation with a cell phone app, is generally more secure, as an attacker obtaining access to that 2FA source is harder.
    The best case would have been requiring it from the start of any community. That’s not always possible but the good news is you can require 2FA starting today and any new members or members who log in will have it implemented.
    You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users.
    However, if you feel strongly about the code generating link to an email to login, you’re more than welcome to suggest that in our Feedback forum for further evaluation. 
  11. Like
    Jim M got a reaction from Svetozar Angelov in spam posts   
    ACP > Members > Force password reset
  12. Like
    Jim M reacted to Marc Stridgen in spam posts   
    I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?
    There isn't any way in which to actually get a password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, it's very likely they have gotten it from another source. We often find that users using the same password across multiple platforms are the ones that get targeted. 
    Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a site's database. 
    If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP.
  13. Thanks
    Jim M reacted to Ryan Ashbrook in Sending a support request as a Authorized User or Alternative Contact never works   
    This should be fixed now.
  14. Like
    Jim M got a reaction from Svetozar Angelov in spam posts   
    I'm afraid this is not a security issue. However, it is a case of spammers trying to sneak under the radar and access accounts they've set up in the past. Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.
     
  15. Thanks
    Jim M got a reaction from Svetozar Angelov in spam posts   
    You will want to do the following Spam Prevention items mentioned in this guide: https://invisioncommunity.com/4guides/security-and-rules/spam-prevention-r9/
    Looking at your registration form, you are still using CAPTCHA2. You will want to switch to hCAPTCHA to prevent more automated spam bots.
    Check that your Spam Defense is configured correctly for our services in ACP -> Members -> Spam Prevention.
    Configure the Flag as Spammer option to be used by you and your administrator/moderator teams to quickly remove spam posts and ban spammers.
    You will also want to rotate your Question and Answer challenges frequently and ensure that they are things which your target audience knows but are not easily Googled. This will prevent spam human users from registering.
    If you are seeing spammers from a certain country that your community does not serve, you can also block them in ACP -> Members -> Spam Prevention -> Geolocation Settings.
    Finally, if you believe spammers are gaining access to accounts through means of exposed credentials from the dark web, enabling and requiring Two Factor Authentication will help prevent that.
    Outside of the items mentioned above, the next steps would be to take moderation action. Require your base member group to have 1 or more posts approved by a moderator prior to them showing up to the rest of your community without being moderated. Use the automated moderation tools so that if a post is reported x times as spam, the system will automatically hide it for your team to review.
    If any spammers do get through, be sure to use the Flag as Spammer option as that will report it to our system and help your fellow administrators.
    I will say that no one spam prevention method will be 100%. However, hopefully, with all the above, it should cut enough down that you are able to not just wake up to a bunch of spam posts that plague your community. If you deploy the moderation techniques, you will not have your community publicly plagued by spammers.
    Unfortunately, in the event that a spammer has dormant account(s) on your site and they have already surpassed an acceptable amount of posts (I say acceptable as some may be borderline that your moderation team may still allow) to bypass the moderation queue, the only thing that will help are successful moderation practices by humans and staying vigilant about the future with the above.
  16. Like
    Jim M got a reaction from Sonya* in spam posts   
  17. Like
    Jim M got a reaction from G17 Media in Getting bounced emails!   
    I don't believe this is something which we provide and if one is not provided, typically the email service would cover that. Like in an example I just sent through Amazon SES, SES provided the Message-ID header for me as I did not supply it. I have tagged this to a developer to confirm.
  18. Thanks
    Jim M reacted to opentype in Gallery, only a portion of the image   
    It’s a browser issue. I see it frequently with Safari. There isn’t anything in the community software that can have any effect on it. The software just creates HTML to say where the image is and it is up to the browser to download it and deal with caching, download order, connection issues and so on. 
  19. Like
    Jim M reacted to Ryan Ashbrook in Cloudflare Pro and htaccess setup causing errors/warnings for Rewrite URLs and REST API   
    Most likely - on their site, the Pro account advertises that they have blocking / challenging of automated traffic. In most cases, this is simply detecting that the request is coming from an IP from a data center and not an actual ISP (I should know, our corporate VPN gets hit by this all. the. time.).
  20. Like
    Jim M reacted to Ryan Ashbrook in Upgrade issues from 4.6.12.1 to 4.7.14 with "ini_set" errors   
    This would definitely be something server side and / or associated with other software on the server for a few reasons.
    While we do use a custom session handler, we use the proper session_set_save_handler and related functions, rather than ini_set. The only usage of ini_set throughout the software is during an automatic Admin CP upgrade to disable errors, which is a fairly typical use case - and if it fails, the error is suppressed and ignored. This is the case for both 4.16.12.1 as well as the current version. Based on the error itself, it looks like there may be a configuration issue somewhere in php.ini, or in a .htaccess file that is present on the server, attempting to set that directive (which is incorrect in itself - the directive is session.save_handler instead, though that could be as simple as the server interpreting the dot as an underscore in the error).
  21. Thanks
    Jim M got a reaction from Clover13 in Issue when enabling Zapier   
    CloudFlare Pro has managed firewall rules and improved bot filtering. You would need to review it. I'm afraid it is outside our scope of support so you would need to contact CloudFlare if you have any questions.
  22. Like
    Jim M got a reaction from rastafari in [BUG 4.7.16] Same user reacted twice to a post   
    I would take note of what I edited here as well. The author would need to state compatibility. 
  23. Like
    Jim M got a reaction from SeNioR- in [BUG 4.7.16] Same user reacted twice to a post   
    As you have a custom theme and third-party applications/plugins which interact with code surrounding this, I would recommend starting by ensuring these are compatible with the release you're on. 
  24. Like
    Jim M reacted to Randy Calvert in Having more then one Admin, but all changes need to be confirmed by the main admin?   
    No. There is no “other admin confirmation”. They are either an admin or they’re not. 

    If you want to review actions they’ve taken, there are both moderator and admin logs available to show what actions have been performed by others. 
  25. Like
    Jim M reacted to Randy Calvert in Minimum MySQL users' permissions   
    My suggestion would be to give it full permission.  If IPB is kept in its own database with nothing else in it, there is no risk to it having full permission.  It should not be interfering with other applications.
    Restricting permissions only can lead to problems later when it potentially can't do something it needs later and you think the software itself is broken when it's instead just a platform configuration on your side.  A few months down the road, you're never going to remember this and it will be a big mess and waste of time figuring out how to fix the issue when it could be avoided in the first place.  
    You're not really increasing the security of anything as long as you keep IPB in its own DB without other applications installed in it.  