
IPB 2.1.7 Security Update (Low and Medium Risk)

88 posts in this topic

Posted

Manual instructions? I have lots of edits on member.php


Posted

Manual instructions? I have lots of edits on member.php


So do I, haha.

Would you please be able to provide a list of the specific functions of member.php that have been modified?


Posted

Manual instructions? I have lots of edits on member.php



They're now toward the bottom of the announcement.


Posted

Open sources/action_admin/member.php. Find:

            //-----------------------------------------
            // Avatar?
            //-----------------------------------------
                        
            if ( $r['avatar_location'] and $r['avatar_type'] )
            {
                $avatar = $this->ipsclass->get_avatar( $r['avatar_location'], 1, '25x25', $r['avatar_type'] );
                
                if ( ! strstr( $avatar, 'width=' ) )
                {
                    $avatar = str_replace( '<img', "<img width='25' height='25'", $avatar );
                }
            }
            else
            {
                $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";
            }

Change to:

            //-----------------------------------------
            // Avatar?
            //-----------------------------------------
            
            //-----------------------------------------
            // SECURITY UPDATE: Removing user avatar
            //-----------------------------------------
            
            /*if ( $r['avatar_location'] and $r['avatar_type'] )
            {
                $avatar = $this->ipsclass->get_avatar( $r['avatar_location'], 1, '25x25', $r['avatar_type'] );
                
                if ( ! strstr( $avatar, 'width=' ) )
                {
                    $avatar = str_replace( '<img', "<img width='25' height='25'", $avatar );
                }
            }
            else
            {
                $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";
            }*/
            
            $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";


Save and upload.

EDIT: D'oh, you added them to the announcement too apparently.


Posted

Ok, thanks very much for the update and the instructions! :P


Posted

Not to get off-topic, but the impact that this announcement had on our Adwords campaign was amazing. Impressions for the term invision power board went from a modest ~350 per day to 263,000 in 30 minutes :o That's a lot of people searching for version strings :(


Posted

I'm confident that this won't be a huge problem. It requires such a specific sequence of events to execute, most script kiddies won't really bother. In any case, we had the fix out around two hours after the vulnerability was made public.


Posted

So all users now have the same avatar?


Posted

I like how IPS added "Low Risk"

In fact, I hope in the future you guys add a section to each news announcement about the level of risk (if it's not in the title).
At least that will give people some idea how quickly the update should be applied.
Maybe like three levels... high, moderate, low.

Anyways, just a thought.


Posted

Strange... my 2.1.7 already has that added... file dated 10th August when I downloaded??


Posted

In the manual instructions there's an error: it's missing the /* tag.


Posted

Strange, the manual instructions as given in the update thread only add one line, after the else statement. FuSoYa's code comments out the IF block entirely. Which is it? I did the one from the official thread, though I kind of see the point of FuSoYa's code: the IF block does not matter now, so might as well comment it out.

Also, is it line 3456 or line 3446? My file had it listed as line 3446, and I can't recall modding this file, though I suppose it's possible.

As for the question above about the missing comment tag, which manual instructions are you talking about? The one in this thread is not missing the open block comment mark. And there are no comments being added in the manual instructions in the main thread.


Posted

You will only need to do the manual instructions if you plan to edit your file.

If you want to use the pre-edited one, you can simply upload it over your current one. The changes noted in the 'Manual Changes' are a simplified version that do the same thing as the changes in the updated file. They are simply different ways of doing the same thing.

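Several posts in this thread could not tell whether their sources/action_admin/member.php already carried the fix, and the thread describes two equivalent forms of it (FuSoYa's commented-out block above, and the official instructions' single line after the else). The following is an added check script, not code from the thread or from IPS: it blanks PHP comments, tracks brace depth, and reports the fix as applied when the placeholder avatar is assigned outside the if/else or the 25x25 get_avatar() call has been commented out. It assumes the one-line form adds the same unconditional placeholder assignment the commented-out form ends with, and its sample input is constructed from the snippet posted above.

```python
import re

# Constructed sample: the block the thread's instructions say to find (trimmed, de-indented).
ORIGINAL_BLOCK = """
if ( $r['avatar_location'] and $r['avatar_type'] )
{
    $avatar = $this->ipsclass->get_avatar( $r['avatar_location'], 1, '25x25', $r['avatar_type'] );
}
else
{
    $avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";
}
"""
# Unconditional placeholder line both fix variants end with (assumed for the one-line variant).
FALLBACK_LINE = """$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";\n"""

GET_AVATAR = re.compile(r"get_avatar\s*\([^;]*'25x25'")  # the 25x25 member-search avatar call
PLACEHOLDER = re.compile(r'''\$avatar\s*=\s*"<img src='\{\$this->ipsclass->skin_url\}/images/memsearch_head\.gif''')

def _strip_comments_with_depth(src):
    """Blank PHP comments; return (code, depth), depth[i] = brace depth at code[i], ignoring braces in strings."""
    out, depth, i, d, n = [], [], 0, 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i) or c == "#":             # line comment
            j = src.find("\n", i); j = n if j < 0 else j
        elif src.startswith("/*", i):                        # block comment
            j = src.find("*/", i + 2); j = n if j < 0 else j + 2
        elif c in "\"'":                                     # string literal, kept verbatim
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            j = min(j + 1, n)
        else:                                                # ordinary code character
            if c == "}": d -= 1
            out.append(c); depth.append(d)
            if c == "{": d += 1
            i += 1
            continue
        out.append(src[i:j] if c in "\"'" else " " * (j - i)); depth.extend([d] * (j - i)); i = j
    return "".join(out), depth

def avatar_fix_applied(src):
    """True when the placeholder is assigned outside the if/else (shallower than the live
    get_avatar() call) or that call is commented out: get_avatar() output no longer reaches the list."""
    code, depth = _strip_comments_with_depth(src)
    calls = [depth[m.start()] for m in GET_AVATAR.finditer(code)]
    fallbacks = [depth[m.start()] for m in PLACEHOLDER.finditer(code)]
    return bool(fallbacks) and (not calls or min(fallbacks) < min(calls))
```

Run it on the file contents (for example `avatar_fix_applied(open("sources/action_admin/member.php").read())`); a False means the 25x25 avatar is still rendered from get_avatar() in the admin member search.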

Posted

I like how IPS added "Low Risk"

In fact, I hope in the future you guys add a section to each news announcement about the level of risk (if it's not in the title).
At least that will give people some idea how quickly the update should be applied.
Maybe like three levels... high, moderate, low.

Anyways, just a thought.

Every update is important and they should all be applied as soon as possible.

Except when a new release is being tested and you plan on moving to that as soon as the final is released; then I suppose one could wait. I might get bored and apply it anyways.


Posted

Well, at least IPS is doing a good job on this. I'll remember this when I get a license.


Posted

Every update is important and they should all be applied as soon as possible.

Except when a new release is being tested and you plan on moving to that as soon as the final is released; then I suppose one could wait. I might get bored and apply it anyways.

Agreed, it's also a good idea to subscribe to that forum; that way you can get the auto replies once they are posted and apply the updates as soon as they are released :)


Posted

Would this bug not require admin session to execute?

Installed anyhow.


Posted

Strange... my 2.1.7 already has that added... file dated 10th August when I downloaded??

Yeah, I went to edit my files for each board and found the edit already there. :o I have 2.1.6 files for member.php but they didn't need updating according to the 2.1.7 upgrade info. Anyway, I thought it strange that this patch was already in this file... did IPS have a momentary lapse of reason on what their files contained in code? :P :lol:


Posted

Would this bug not require admin session to execute?

Installed anyhow.

It requires an admin session, but it obtains it through the referer.


Posted

Yes, I went to edit my file and the line was already in! (I remember something like this being out before too.)


Posted

Thank you for the update, IPS! :) Keep it up!


Posted

Yes, thanks.


Posted

Even the IPB 2.1.7 member.php file has this edit in there already... so why the update announcement when it already exists in the file? :rolleyes: I have better things to do than update a file that is already updated. :ermm:


Posted

This edit was only added to 2.1.7 since this patch was released.

I can assure you it was not added beforehand, as this was not even a known issue.
