Matt
May 10 2005, 08:53 AM
It seems like it's hunting season for IPB.
As much as it's a pain to have to keep releasing updates, it'd be even worse to not release them.
The announcement is here:
http://forums.invisionpower.com/index.php?showtopic=169215
Here are the affected files for IPB 2.0.x
Nimdock
May 10 2005, 08:57 AM
QUOTE(Matt @ May 10 2005, 04:53 AM)

As much as it's a pain to have to keep releasing updates, it'd be even worse to not release them.

Exactly right. Thanks.

It is better to know something is being done as soon as these things are discovered than not to do anything just because some users don't want to upgrade or because it would mean IPB has security issues.
Again, thank you.
Dannyarr
May 10 2005, 09:01 AM
Thanks Matt!
Stuart Elliott
May 10 2005, 09:03 AM
Thanks Matt.
.Nuke
May 10 2005, 09:09 AM
Yep thanks, I like updates/bug fixes
picard
May 10 2005, 09:59 AM

Thanks Matt.
Artvision
May 10 2005, 10:02 AM
Thank you, Matt! Good to know our boards are well protected.
.Logan
May 10 2005, 10:19 AM
Matt,
Are you still considering the security audit for IPB? If you do get it, I think you should finish IPB 2.1.0 final completely, and before you release it to customers have it audited first.
.Nuke
May 10 2005, 10:28 AM
QUOTE(.Logan @ May 10 2005, 12:19 PM)

Matt,
Are you still considering the security audit for IPB? If you do get it, I think you should finish IPB 2.1.0 final completely, and before you release it to customers have it audited first.
If you ask me I will say it is up to the single user if they want to test the 2.1 or not, if they wanna be secure stay with 2.0.4 but if they test 2.1 they are not secured...
Just my 5 cent
.Logan
May 10 2005, 10:31 AM
I don't think you understood what I asked, Nukeman.
.Nuke
May 10 2005, 10:35 AM
QUOTE(.Logan @ May 10 2005, 12:31 PM)

I don't think you understood what I asked, Nukeman.
I was a bit too quick
mikey2
May 10 2005, 10:56 AM
thanks for the update, get back to work on 2.1! :whip:
^AuRoN^
May 10 2005, 11:02 AM
Thanks Matt.
riv
May 10 2005, 11:24 AM
QUOTE(Matt @ May 10 2005, 04:53 AM)

It seems like it's hunting season for IPB.
As much as it's a pain to have to keep releasing updates, it'd be even worse to not release them.
The announcement is here:
http://forums.invisionpower.com/index.php?showtopic=169215
Here are the affected files for IPB 2.0.x
Matt, after I uploaded those two files no one could post or PM.
I'm running v2.0.4
.Nuke
May 10 2005, 11:56 AM
QUOTE(riv @ May 10 2005, 01:24 PM)

Matt, after I uploaded those two files no one could post or PM.
I'm running v2.0.4
I don't have that problem, have you uploaded correctly?
Matt
May 10 2005, 12:01 PM
Do you get an error of any kind?
I checked the fixes before releasing them as I have a separate IPB 2.0.4 test board.
riv
May 10 2005, 01:04 PM
QUOTE(Matt @ May 10 2005, 08:01 AM)

Do you get an error of any kind?
I checked the fixes before releasing them as I have a separate IPB 2.0.4 test board.
Parse error: parse error, unexpected $, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /............./public_html/forums/sources/post.php on line 2115
Will L.
May 10 2005, 01:09 PM
What's on line #2115?
muks
May 10 2005, 01:13 PM
thanks for constantly fixing the security issues
Will L.
May 10 2005, 01:16 PM
QUOTE(muks @ May 10 2005, 09:13 AM)

thanks for constantly fixing the security issues
I feel more secure knowing Matt is always on top of these security issues
Antony
May 10 2005, 02:00 PM
Matt, every time we have a new release, could you please add the files as an upgrade kit in the Client Centre, even perhaps increment the version number. This would encourage people to upgrade to the next release more, I think.
Smoothie
May 10 2005, 03:21 PM
Dumb question but, have the main files been updated?
Matt
May 10 2005, 03:24 PM
They have
muks
May 10 2005, 03:26 PM
Smoothie
May 10 2005, 03:30 PM
QUOTE(Matt @ May 10 2005, 11:24 AM)

They have

Dumb me, I should have read the Company News and Updates forum first.
andrew_22
May 10 2005, 07:53 PM
Thanks!
princetontiger
May 10 2005, 07:54 PM
Thank you!
kacy
May 10 2005, 08:24 PM
Thanks Matt
.Jack
May 10 2005, 09:42 PM
Thankie Doodle
flesh_magick
May 10 2005, 09:53 PM
YAY just did it.
Thanks for posting the updates as often as they have been coming. Makes me feel warm and fuzzy in my heart
abobader
May 10 2005, 10:01 PM
Thanks Matt, Well Done indeed.
That's simply what makes IPB rule.
cooldude7273
May 10 2005, 10:02 PM
Great work Matt!
Μichael
May 11 2005, 01:54 PM
I have a question about this latest security patch. It says to apply the sources/lib/usercp_functions.php edit to the spot for the user's avatar, but similar code exists in the spot for user's photo as well:
CODE
//-----------------------------------------
// Check to make sure we don't just have
// http:// in the URL box..
//-----------------------------------------
if ( preg_match( "/^http:\/\/$/i", $ibforums->input['url_photo'] ) )
{
$ibforums->input['url_photo'] = "";
}
Is this function not prone to the same exploit that the official patch was for? Shouldn't the patch be applied here as well?
sev7en
May 11 2005, 01:59 PM
Thanks for the update
Will L.
May 11 2005, 02:03 PM
For FuSoYa, I think you are right, so it would look like this:
QUOTE
//-----------------------------------------
// Check to make sure we don't just have
// http:// in the URL box..
//-----------------------------------------
if ( preg_match( "/^http:\/\/$/i", $ibforums->input['url_photo'] ) )
{
$ibforums->input['url_photo'] = "";
}
if ( preg_match( "#javascript:#is", $ibforums->input['url_photo'] ) )
{
$ibforums->input['url_photo'] = "";
}
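One way to address the question raised above, as an added example that is not IPB's code or the official patch: route both `url_avatar` and `url_photo` through a single validator, so a fix cannot be applied to one field and missed on the other. The helper name `clean_profile_image_url` and the `$input` array are hypothetical, and the scheme allowlist is a different technique from the `javascript:` pattern match quoted in the thread.

```php
<?php
// Added example, not IPB source. clean_profile_image_url() is a hypothetical helper.

/**
 * Return the URL if it is an absolute http(s) URL with a host, otherwise "".
 * Allowlisting the scheme rejects javascript: and every other non-web scheme
 * without having to enumerate them.
 */
function clean_profile_image_url( $raw )
{
    $url = trim( (string) $raw );

    // Whitespace and control characters have no place in a stored URL
    if ( $url === '' || preg_match( '/[\x00-\x20\x7f]/', $url ) )
    {
        return "";
    }

    $parts = parse_url( $url );

    // Covers a bare "http://" (parse failure) and scheme-less or host-less input
    if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] ) )
    {
        return "";
    }

    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) )
    {
        return "";
    }

    return $url;
}

// Constructed sample input standing in for $ibforums->input
$input = array(
    'url_avatar' => 'javascript:alert(1)',
    'url_photo'  => 'https://example.com/me.png',
);

// Apply the same check to every user-supplied image URL field
foreach ( array( 'url_avatar', 'url_photo' ) as $field )
{
    $input[ $field ] = clean_profile_image_url( isset( $input[ $field ] ) ? $input[ $field ] : '' );
}

var_dump( $input );
```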
fernis
May 11 2005, 03:01 PM
Thanks
Μichael
May 11 2005, 03:07 PM
QUOTE(Will78 @ May 11 2005, 10:03 AM)

For FuSoYa, I think you are right, so it would look like this:
Thanks, can we get an official word on whether that is needed or if the vulnerability for this is patched elsewhere?
abobader
May 11 2005, 03:10 PM
QUOTE(Will78 @ May 11 2005, 05:03 PM)

For FuSoYa, I think you are right, so it would look like this:
Can FuSoYa's matter be confirmed by the staff here? Thanks Will78.
I notice as well the upgrade file has been changed, maybe they did it already.
Sire
May 11 2005, 05:31 PM
This is great. IPB has beta testers out there looking for bugs for us all the time. You couldn't ask for anything better.
flesh_magick
May 11 2005, 10:26 PM
QUOTE(FuSoYa @ May 11 2005, 08:54 AM)

I have a question about this latest security patch. It says to apply the sources/lib/usercp_functions.php edit to the spot for the user's avatar, but similar code exists in the spot for user's photo as well:
CODE
//-----------------------------------------
// Check to make sure we don't just have
// http:// in the URL box..
//-----------------------------------------
if ( preg_match( "/^http:\/\/$/i", $ibforums->input['url_photo'] ) )
{
$ibforums->input['url_photo'] = "";
}
Is this function not prone to the same exploit that the official patch was for? Shouldn't the patch be applied here as well?
I noticed that too FuS
I almost added the code there instead of the avatar section
MBCanada.com
May 14 2005, 12:45 AM
Bump - Anyone know?
abobader
May 14 2005, 04:16 AM
QUOTE(FuSoYa @ May 11 2005, 06:07 PM)

Thanks, can we get an official word on whether that is needed or if the vulnerability for this is patched elsewhere?
Can Matt or any of the IPB staff confirm this? Thanks in advance.