IPS News
IP.Board 2.2.x and 2.3.x Security Patch

We have released a single-file security patch which impacts IP.Board 2.2.x and 2.3.x versions. This is a critical update. Please apply the patch as soon as possible or contact our technical support via the client area if you need assistance.

Issue

It is possible to perform a remote SQL exploit and inject SQL code in an existing IPB query.

Patching Your Board

If you have downloaded your IP.Board after the time of this announcement, the patch is already included in your files. To patch an existing installation, simply download the attached file and overwrite: sources/action_public/xmlout.php


IPS News
Manual Patching

If you have PHP knowledge and wish to manually patch your file you can perform the following modifications to: sources/action_public/xmlout.php


Line 1076 change:

CODE
'where'  => "{$check_field}='{$name}'",


to:

CODE
'where'  => "{$check_field}='". $this->ipsclass->DB->add_slashes( $name ) . "'",
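The effect of the one-line change above, as an added illustration that is not IP.Board source and not part of the original posts: it builds the where string both ways for constructed sample names and checks whether the value stays inside a single quoted literal. The function names, the column name and the sample values are hypothetical, and PHP's addslashes() stands in for $this->ipsclass->DB->add_slashes(), whose implementation is not shown on this page.

```php
<?php
// Added illustration; not IP.Board source. All names here are hypothetical.

// Pre-patch form of line 1076: $name is interpolated verbatim.
function build_where_unpatched(string $check_field, string $name): string
{
    return "{$check_field}='{$name}'";
}

// Patched form: quotes and backslashes in $name are escaped first.
// addslashes() is an assumed stand-in for DB->add_slashes().
function build_where_patched(string $check_field, string $name): string
{
    return "{$check_field}='" . addslashes($name) . "'";
}

// True when the clause is exactly one comparison of the form field='literal',
// i.e. every quote or backslash inside the literal is backslash-escaped.
function is_single_literal(string $where): bool
{
    return preg_match("/^\\w+='(?:[^'\\\\]|\\\\.)*'$/s", $where) === 1;
}

// Constructed inputs: a plain name, a legitimate name containing an
// apostrophe, and a name ending in a backslash.
$samples = ["alice", "Conan O'Brien", "trailing\\"];

foreach ($samples as $name) {
    $old = build_where_unpatched('name', $name);
    $new = build_where_patched('name', $name);
    printf(
        "%-16s unpatched: %-24s [%s]  patched: %-26s [%s]\n",
        $name,
        $old,
        is_single_literal($old) ? 'literal intact' : 'literal broken',
        $new,
        is_single_literal($new) ? 'literal intact' : 'literal broken'
    );
}
```

Only the plain name survives the unpatched form; with the escaping applied, all three values remain data inside the quotes. In current PHP code the same property is normally obtained with bound parameters in prepared statements rather than string escaping.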
