[IPS News]

It has come to our attention that a possible vulnerability in two sections of IPB's code could lead to XSS (cross site scripting). This issue has been rated as a medium risk and as part of our ongoing efforts to ensure the security of our products we have released the required patch.

Security Update

The main download files have already been updated. You can log into your client center and re-download the zip and update:

• sources/topics.php
  
• sources/search.php

Or you can follow the instructions below to manually patch your board. We no longer offer IPB 1.3 for download. If you are still running IPB 1.3 then follow the manual patch instructions below.

Manually Patching

Open "sources/topics.php" in a text editor.
Circa line: 805

Quote

//-----------------------------------------
// Highlight...
//-----------------------------------------

if ($ibforums->input['hl'])
{
$ibforums->input['hl'] = $std->clean_value(urldecode($ibforums->input['hl']));
$loosematch = strstr( $ibforums->input['hl'], '*' ) ? 1 : 0;
$keywords = str_replace( '*', '', str_replace( "+", " ", str_replace( '-', '', trim($ibforums->input['hl']) ) ) );
$word_array = array();
$endmatch1 = "";
$endmatch2 = "(.)";

Open "sources/search.php"
Circa line: 1499

Quote

function convert_highlite_words($words="")
{
global $std;
$words = $std->clean_value(trim(urldecode($words)));

Customers can download the individual patched files here.

Affected Versions
IPB 1.3.x
IPB 2.0.x

IPS wishes to thank...
James from GulfTech for bringing this to our attention first.

[Matt]

This issue also affects our Invision Community Blog software.

The main download has been updated. Simply re-download the blog zip and update "modules/blog/search.php" or follow the manual patch instructions below:

Open modules/blog/search.php

Change line 501-503 to:
global $std;

$words = $std->clean_value(trim(urldecode($words)));

[Matt]

James from Gultech has passed on two more possible vulnerabilities.

File: sources/functions.php
Line: 1925

Quote

function my_getcookie($name)
{
global $ibforums;

if ( isset($_COOKIE[$ibforums->vars['cookie_id'].$name]) )
{
if ( ! in_array( $name, array('topicsread', 'forum_read', 'collapseprefs') ) )
{
return $this->clean_value(urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]));
}
else
{
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
}
}
else
{
return FALSE;
}
}

File: sources/usercp.php
Line: 382

Quote

if ( $id )
{
$DB->simple_exec_query( array( 'delete' => 'announcements', 'where' => 'announce_id='.$id ) );
}

The main download zip has been updated.

[Josh]

There are two important security updates now available for Invision Gallery. The main download has already been updated. If you have not modified your gallery, you can download the zip file again and upload modules/gallery/post.php and modules/gallery/img_view.php

If you need to make manual changes, here are the instructions:

post.php

Around line 134, find this code:

				   case 'editreply':

Add this after it:

					   $ibforums->input['comment'] = intval( $ibforums->input['comment'] );

img_view.php

Around line 579, find this code:

			   if( $ibforums->vars['gallery_use_rate'] && ( $this->cat['rate'] || $this->album ) )

Add this on the line before it:

			   $ibforums->vars['gallery_use_rate'] = intval( $ibforums->vars['gallery_use_rate'] );

Save and upload the files.

Thanks to James from Gultech for passing along these issues.