To the IPB team:
My apologies if this has been posted already but a quick search didn't turn anything up:
Invision Power Board HTML / TXT Attachment Script Insertion
http://secunia.com/advisories/16348/
(just in case this hadn't been reported to you all yet).
Thanks.
Full Version: Security Post
this seems to be a new one Matt will have to see this
2.0 onwards is not vulnerable.
QUOTE(Alex Duggan @ Aug 9 2005, 02:57 PM) 
2.0 onwards is not vulnerable.
thanks for the clarifcation Alex
It says confirmed in 2.0.4 Can you confirm this 
I don't allow attachments so not an issue for me.
I don't allow attachments so not an issue for me.
QUOTE(Alex Duggan @ Aug 9 2005, 02:57 PM)
2.0 onwards is not vulnerable.
Alex:
Thanks.
At the URL, they specifically mentioned:
"The vulnerability has been confirmed in version 2.0.4 and also reported in version 1.0.3. Other versions may also be affected."
I assume that the 2.0.4 mentioned is incorrect then?
Thanks.
Just came across that page and was also wondering if 2.0.4 is vulnerable or not.
QUOTE
There isn't a "patch" as such as it's the incorrect way in which IE handles mime-types.
I recommend that you change the attachment types (ACP -> Attachments -> Attachment Types) for: php, txt, htm, html to "unknown/unknown".
I recommend that you change the attachment types (ACP -> Attachments -> Attachment Types) for: php, txt, htm, html to "unknown/unknown".
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.