Invision Power Services: IP.Blog 1.2.4 Security Update - Invision Power Services



#1 IPS News (Public Relations, IPS Staff)

Posted 01 December 2006 - 09:52 PM

IP.Blog 1.2.4 Security Update

It has come to our attention that an attack can be performed using IP.Blog version 1.2.4 and below via SQL injection.

The download for IP.Blog 1.2.4 has been updated. To patch your current installation, download the attached file and upload it to (modules/blog/lib/entry_reply_entry.php) on your server. See the reply to this announcement for manual patching instructions if you do not wish to upload the entire file.

Attached File  entry_reply_entry.php (8.49K)
Number of downloads: 2308

Note: IP.Blog installations integrated with an IP.Board version 2.2 are not impacted due to IP.Board 2.2's new security enhancements.

#2 IPS News (Public Relations, IPS Staff)

Posted 01 December 2006 - 09:53 PM

Manual patch instructions:

You only need to perform manual patching if you do not want to upload the file attached in the message above.

modules/blog/lib/entry_reply_entry.php lines 53-58 change from:

CODE
//-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        if (!isset( $this->ipsclass->input['eid'] ) or !intval( $this->ipsclass->input['eid'] ) )
        {
            $this->ipsclass->Error( array( LEVEL => 1, MSG => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array ( 'select'    =>    '*',
                                                       'from'    =>    'blog_entries',
                                                       'where'    =>    "entry_id = {$this->ipsclass->input['eid']}"
                                             )         );

TO:

CODE
//-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        $eid = intval($this->ipsclass->input['eid']);
        if ( !$eid )
        {
            $this->ipsclass->Error( array( 'LEVEL' => 1, 'MSG' => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array ( 'select'    =>    '*',
                                                       'from'    =>    'blog_entries',
                                                       'where'    =>    "entry_id = {$eid}"
                                             )         );

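The difference between the two versions above, as an added example that is not part of the original announcement or of IP.Blog's code: the old check only tested that intval() of the input was non-zero and then placed the raw request value in the WHERE clause, while the patch uses the cast integer. The function names and sample inputs are hypothetical, and the stricter filter_var() variant is an assumption that goes beyond the vendor patch.

```php
<?php
// Added illustration; function names are hypothetical, not IP.Blog code.

// Pre-patch logic: intval() is only a truthiness test, and the raw
// request value is what gets interpolated into the WHERE clause.
function where_before_patch(array $input)
{
    if (!isset($input['eid']) or !intval($input['eid'])) {
        return null; // stands in for the 'missing_files' error
    }
    return "entry_id = {$input['eid']}";
}

// Patched logic: cast once, then use only the resulting integer.
function where_after_patch(array $input)
{
    $eid = intval(isset($input['eid']) ? $input['eid'] : 0);
    if (!$eid) {
        return null;
    }
    return "entry_id = {$eid}";
}

// Stricter variant (an assumption, not part of the vendor patch):
// reject any value that is not a plain positive integer.
function where_strict(array $input)
{
    $eid = filter_var(
        isset($input['eid']) ? $input['eid'] : null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1))
    );
    return $eid === false ? null : "entry_id = {$eid}";
}

// Constructed sample inputs; no database is involved.
foreach (array('12', '12 OR 1=1', 'abc', '-3') as $raw) {
    $in = array('eid' => $raw);
    printf(
        "%-10s | before: %-22s | after: %-16s | strict: %s\n",
        $raw,
        var_export(where_before_patch($in), true),
        var_export(where_after_patch($in), true),
        var_export(where_strict($in), true)
    );
}
```

For the input '12 OR 1=1' the pre-patch function passes the check because intval() reads the leading 12, yet the whole string ends up in the clause; the patched function emits only entry_id = 12 and the strict variant rejects the value.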
