Jump to content


Photo
- - - - -

IPB 2.1.7 Security Update (Low and Medium Risk)


This topic has been archived. This means that you cannot reply to this topic.
87 replies to this topic

#1 IPS News

IPS News

    Public Relations

  • IPS Staff
  • 1,063 posts

Posted 05 October 2006 - 10:06 AM

Reference topic: http://forums.invisi...howtopic=227937

#2 Alex

Alex

    Needs Hobby

  • +Clients
  • 4,487 posts

Posted 05 October 2006 - 10:09 AM

Manual instructions? I have lots of edits on member.php

Alex Hobbs
alex[at]alexhobbs.co.uk | Twitter


#3 Faraaz Sareshwala

Faraaz Sareshwala

    Advanced Member

  • +Clients
  • 456 posts

Posted 05 October 2006 - 10:16 AM

QUOTE(AH Modding @ Oct 5 2006, 07:09 AM) <{POST_SNAPBACK}>
Manual instructions? I have lots of edits on member.php

So do I, haha.

Would you please be able to provide a list of the specific functions of member.php that have been modified?

#4 Charles

Charles

    Needs Life

  • IPS Management
  • 9,043 posts

Posted 05 October 2006 - 10:16 AM

QUOTE(AH Modding @ Oct 5 2006, 11:09 AM) <{POST_SNAPBACK}>
Manual instructions? I have lots of edits on member.php


They're now toward the bottom of the announcement.

Charles Warner
Invision Power Services, Inc. - President
charles.warner@invisionpower.com

 

Please do not PM me but feel free to contact me by email.


#5 Michael

Michael

    Meet Jay

  • +Clients
  • 19,587 posts

Posted 05 October 2006 - 10:17 AM

Open sources/action_admin/member.php. Find:
CODE
//-----------------------------------------
            // Avatar?
            //-----------------------------------------
                        
            if ( $r['avatar_location'] and $r['avatar_type'] )
            {
                $avatar = $this->ipsclass->get_avatar( $r['avatar_location'], 1, '25x25', $r['avatar_type'] );
                
                if ( ! strstr( $avatar, 'width=' ) )
                {
                    $avatar = str_replace( '<img', "<img width='25' height='25'", $avatar );
                }
            }
            else
            {
                $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";
            }

Change to:
CODE
//-----------------------------------------
            // Avatar?
            //-----------------------------------------
            
            //-----------------------------------------
            // SECURITY UPDATE: Removing  user avatar
            //-----------------------------------------
            
            /*if ( $r['avatar_location'] and $r['avatar_type'] )
            {
                $avatar = $this->ipsclass->get_avatar( $r['avatar_location'], 1, '25x25', $r['avatar_type'] );
                
                if ( ! strstr( $avatar, 'width=' ) )
                {
                    $avatar = str_replace( '<img', "<img width='25' height='25'", $avatar );
                }
            }
            else
            {
                $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";
            }*/
            
            $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";

Save and upload.

EDIT: D'oh, you added them to the announcement too apparently.

Contact Me: Email · Facebook · Twitter · Google+


#6 Faraaz Sareshwala

Faraaz Sareshwala

    Advanced Member

  • +Clients
  • 456 posts

Posted 05 October 2006 - 10:18 AM

Ok, thanks very much for the update and the instructions! tongue.gif

#7 Adam Kinder

Adam Kinder

    TehDev

  • Visitors
  • PipPipPipPipPipPip
  • 1,393 posts

Posted 05 October 2006 - 10:54 AM

Not to get offtopic, but the impact that this announcement had on our Adwords campaign was amazing. Impressions for the term invision power board went from a modest ~350 per day to 263,000 in 30 minutes shocked.gif That's a lot of people searching for version strings sad.gif

#8 Matt

Matt

    Chief Software Architect

  • IPS Management
  • 26,146 posts

Posted 05 October 2006 - 11:16 AM

I'm confident that this won't be a huge problem. It requires such a specific sequence of events to execute, most script kiddies won't really bother. In any case, we had the fix out around two hours after the vulnerability was made public.

Matt Mecham
Invision Power Services, Inc.
"I love deadlines. I especially like the whooshing sound they make as they go flying by."
-- Douglas Adams (1952 - 2001)


#9 ckoebke

ckoebke

    IPB Full Member

  • +Clients
  • 147 posts

Posted 05 October 2006 - 11:40 AM

so all users have now the same avatar ?

#10 sparc

sparc

    IPB Full Member

  • +Clients
  • 222 posts

Posted 05 October 2006 - 11:41 AM

I like how IPS added "Low Risk"

In fact, i hope in the future you guys add a section to each news announcement about the level of risk. (If it's not in the title)
At least that will give people some idea how quickly the update should be applied.
Maybe like three levels...high, moderate, low.

Anyways, just a thought.

#11 steve777

steve777

    Needs Hobby

  • Visitors
  • PipPipPipPipPipPipPip
  • 3,976 posts

Posted 05 October 2006 - 11:43 AM

strange .. my 2.1.7 already has that added .. file dated 10th August when I downloaded ??

#12 DarioDN

DarioDN

    IPB Newbie

  • Visitors
  • Pip
  • 1 posts

Posted 05 October 2006 - 02:13 PM

in the manual instruction ther's an error: it's missing the /* tag

#13 Vanceone

Vanceone

    IPB Newbie

  • Visitors
  • Pip
  • 4 posts

Posted 05 October 2006 - 02:40 PM

Strange-- the manual instructions as given in the update thread only add one line; after the else statement. FuSoYa's code comments out the IF block entirely. Which is it? I did the one from the official thread, though I kind of see the point of FuSoYa's code--the IF block does not matter now, so might as well comment it out.

Also, is it line 3456 or line 3446? My file had it listed as line 3446, and I can't recall modding this file, though I suppose it's possible.

As for the question above about the missing comment tag--which manual instructions are you talking about? The one in this thread is not missing the open block comment mark. And there are no comments being added in the manual instructions in the main thread.

#14 Keith J. Kacin

Keith J. Kacin

    SPB-HG-T

  • Visitors
  • PipPipPipPipPipPip
  • 2,885 posts

Posted 05 October 2006 - 02:52 PM

You will only need to do the manual instructions if you plan to edit your file.

If you want to use the pre-edited one, you can simply upload it over your current one. The changes noted in the 'Manual Changes' are a simplified version that do the same thing as the changes in the updated file. They are simply different ways of doing the same thing.
Keith J. Kacin
Kacin LLC
http://www.kacin.net

#15 Dark Phantom

Dark Phantom

    Spam Happy

  • +Clients
  • 876 posts

Posted 05 October 2006 - 02:57 PM

QUOTE(sparc @ Oct 5 2006, 12:41 PM) <{POST_SNAPBACK}>
I like how IPS added "Low Risk"

In fact, i hope in the future you guys add a section to each news announcement about the level of risk. (If it's not in the title)
At least that will give people some idea how quickly the update should be applied.
Maybe like three levels...high, moderate, low.

Anyways, just a thought.


Every update is important and they should all be applied as soon as possible.

Except when a new release is being tested and you plan on moving to that as soon as the final is released, then I suppose one could wait, I might get bored and apply it anyways.

#16 RaDiOAcTiVe

RaDiOAcTiVe

    IPB Member

  • Visitors
  • PipPip
  • 66 posts

Posted 05 October 2006 - 03:33 PM

well at least ips is doing a good job on this. il remember this when i get a license.
A nuclear weapon is a weapon which derives its destructive force from nuclear reactions of fission or fusion. As a result, even a nuclear weapon with a relatively small yield is significantly more powerful than the largest conventional explosives, and a single weapon is capable of destroying an entire city. -Wikipedia

Nukes "R" Us

#17 Midnightmadness

Midnightmadness

    Needs Serious Help

  • Visitors
  • PipPipPipPipPipPip
  • 2,247 posts

Posted 05 October 2006 - 04:27 PM

QUOTE(Dark Phantom @ Oct 5 2006, 03:57 PM) <{POST_SNAPBACK}>
Every update is important and they should all be applied as soon as possible.

Except when a new release is being tested and you plan on moving to that as soon as the final is released, then I suppose one could wait, I might get bored and apply it anyways.



Agreed, its also a good idea to subscribe to that forum, that way you can get the auto replys once they are posted and apply the updates as soon as they are released original.gif

#18 OverDriveAdamJ

OverDriveAdamJ

    IPB Full Member

  • +Clients
  • 139 posts

Posted 06 October 2006 - 12:18 AM

Would this bug not require admin session to execute?

Installed anyhow.
Posted Image Articles Posted Image Resources Posted Image Live Chat Posted Image Support Groups and much more!

Posted Image

I can't think of a better use of server resources... I really can't.

#19 Black Prowler

Black Prowler

    On The Prowl

  • +Clients
  • 1,265 posts

Posted 06 October 2006 - 02:08 AM

QUOTE(steve777 @ Oct 5 2006, 12:43 PM) <{POST_SNAPBACK}>
strange .. my 2.1.7 already has that added .. file dated 10th August when I downloaded ??



yeah I went to edit my files for each board and found the edit already there. shocked.gif I have 2.1.6 files for member.php but they didn't need updating according to 2.1.7 upgrade info. Anyway I thought it strange that this patch was already in this file....did IPS have a momentary lapse of reason on what thier files contained in code? tongue.gif laughing.gif

The 'Sports-Fanz Community Forum Network' Presents:
Carolina Panthers Message Board-Where The Fans ROAR!!!
Smashmouth Football Message Board For NFL Fanz!
The New Baseball Discussion Forum for MLB-Fanz!
...also check out our Music & Entertainment forum for Springsteen Fans Worldwide!:
Rendezvous With Boss Fans@Bruce Springsteen Message Board
 


#20 S.D.

S.D.

    IPB Newbie

  • Visitors
  • Pip
  • 28 posts

Posted 06 October 2006 - 04:01 AM

QUOTE(OverDriveAdamJ @ Oct 6 2006, 05:18 AM) <{POST_SNAPBACK}>
Would this bug not require admin session to execute?

Installed anyhow.

it requires admin session but it obtains it through referer