[IPS News]

IPB 2.1.x Low Risk Security Update

It has come to our attention that a relatively low risk XSS attack can be performed on an administrator in IPB 2.1.x. For this XSS attack to take place, the malicious user must store an avatar on their server that appears to be a legitimate image file but is actually a script that is set to redirect the browser to another location. The administrator must have 'root' access and must load the avatar in the ACP by searching for the member in the ACP's "Search Member" form.

Even though the XSS attack requires a very specific sequence of events, we consider that it's worth performing this security update. The security update is only a single ACP file which removes the user's avatar from displaying in the search results page. IPB 2.2.0, currently nearing release candidate status has increased security in the ACP which means this attack would not be successful.

To update your installation, simply download the attached file and upload the file "sources/action_admin/member.php" over the one currently used by your installation.

Attached File(s)

•  ipb217.zip (24.46K)
  Number of downloads: 9323

[IPS News]

Manual Update Instructions
Edit the file 'sources/action_admin/member.php'. Line 3456

CODE

$joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );

$people .= <<<EOF
<td width='{$td_width}%' align='left' class='$class'>

Add above it:

CODE

$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";

So the final code reads:

CODE

$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";

$joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );

$people .= <<<EOF
<td width='{$td_width}%' align='left' class='$class'>

[IPS News]

IPB 2.1.7 Security Update - Medium Priority

It has come to our attention that due to the way some browsers interpret image tags a vulnerability exists which allows a malicious user to perform an XSS attack by forcing an "onerror" event in the snapback tag.

To update your board, simply download the attached ZIP file, unarchive it and upload 'sources/classes/bbcode/class_bbcode_core.php' over the one on your server. If you wish to patch your board manually, please read the second post in this announcement.

The main download has been updated as of the time of this announcement.

Note: IPB 2.2.0 (all versions) are NOT affected by this vulnerability.

Attached File(s)

•  sources.zip (10.87K)
  Number of downloads: 4043

[IPS News]

Manual Patch Instructions for "sources/classes/bbcode/class_bbcode_core.php"

Function "regex_check_image", line 924:

Change:

CODE

$default = "[img]".$url."[/img]";

To:

CODE

$default = "[img]".str_replace( '[', '&# 091;', $url )."[/img]";

Change:

CODE

if ( preg_match( "/[?&;]/", $url) )

To:

CODE

if ( preg_match( "/[?&;\<\[]/", $url) )

Function "post_db_parse_bbcode", Line 486

Change:

CODE

preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

To:

CODE

preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

if ( $row['bbcode_tag'] == 'snapback' )
{
    $match[2][$i] = intval( $match[2][$i] );
}