Jump to content


- - - - -

IPB 2.1.7 Security Update (Low and Medium Risk)

Started by IPS News, Oct 05 2006 10:05 AM

This topic has been archived. This means that you cannot reply to this topic.
3 replies to this topic

#1 IPS News

IPS News

    Spam Happy

  • IPS Staff
  • 766 posts

Posted 05 October 2006 - 10:05 AM

IPB 2.1.x Low Risk Security Update

It has come to our attention that a relatively low risk XSS attack can be performed on an administrator in IPB 2.1.x. For this XSS attack to take place, the malicious user must store an avatar on their server that appears to be a legitimate image file but is actually a script that is set to redirect the browser to another location. The administrator must have 'root' access and must load the avatar in the ACP by searching for the member in the ACP's "Search Member" form.

Even though the XSS attack requires a very specific sequence of events, we consider that it's worth performing this security update. The security update is only a single ACP file which removes the user's avatar from displaying in the search results page. IPB 2.2.0, currently nearing release candidate status has increased security in the ACP which means this attack would not be successful.

To update your installation, simply download the attached file and upload the file "sources/action_admin/member.php" over the one currently used by your installation.

Attached Files


#2 IPS News

IPS News

    Spam Happy

  • IPS Staff
  • 766 posts

Posted 05 October 2006 - 10:14 AM

Manual Update Instructions
Edit the file 'sources/action_admin/member.php'. Line 3456
CODE
$joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );

$people .= <<<EOF
<td width='{$td_width}%' align='left' class='$class'>
Add above it:

CODE
$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";


So the final code reads:

CODE
$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";

$joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );

$people .= <<<EOF
<td width='{$td_width}%' align='left' class='$class'>

#3 IPS News

IPS News

    Spam Happy

  • IPS Staff
  • 766 posts

Posted 17 October 2006 - 09:44 AM

IPB 2.1.7 Security Update - Medium Priority

It has come to our attention that due to the way some browsers interpret image tags a vulnerability exists which allows a malicious user to perform an XSS attack by forcing an "onerror" event in the snapback tag.

To update your board, simply download the attached ZIP file, unarchive it and upload 'sources/classes/bbcode/class_bbcode_core.php' over the one on your server. If you wish to patch your board manually, please read the second post in this announcement.

The main download has been updated as of the time of this announcement.

Note: IPB 2.2.0 (all versions) are NOT affected by this vulnerability.

Attached Files


#4 IPS News

IPS News

    Spam Happy

  • IPS Staff
  • 766 posts

Posted 17 October 2006 - 09:45 AM

Manual Patch Instructions for "sources/classes/bbcode/class_bbcode_core.php"

Function "regex_check_image", line 924:

Change:

CODE
$default = "[img]".$url."[/img]";


To:

CODE
$default = "[img]".str_replace( '[', '&# 091;', $url )."[/img]";


Change:

CODE
if ( preg_match( "/[?&;]/", $url) )


To:

CODE
if ( preg_match( "/[?&;\<\[]/", $url) )


Function "post_db_parse_bbcode", Line 486

Change:

CODE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );


To:

CODE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

if ( $row['bbcode_tag'] == 'snapback' )
{
    $match[2][$i] = intval( $match[2][$i] );
}

Back to News and Information


  1. Invision Power Services
  2. Welcome to IPS
  3. News and Information
  4. Privacy Policy
  5. Community Rules ·