
IP.Blog 1.2.4 Security Update



#1 IPS News (Public Relations, IPS Staff)

Posted 01 December 2006 - 04:52 PM

IP.Blog 1.2.4 Security Update

It has come to our attention that an attack can be performed using IP.Blog version 1.2.4 and below via SQL injection.

The download for IP.Blog 1.2.4 has been updated. To patch your current installation, download the attached file and upload it to (modules/blog/lib/entry_reply_entry.php) on your server. See the reply to this announcement for manual patching instructions if you do not wish to upload the entire file.

Attached File  entry_reply_entry.php   8.49K   2339 downloads

Note: IP.Blog installations integrated with an IP.Board version 2.2 are not impacted due to IP.Board 2.2's new security enhancements.

#2 IPS News (Public Relations, IPS Staff)

Posted 01 December 2006 - 04:53 PM

Manual patch instructions:

You only need to perform manual patching if you do not want to upload the file attached in the message above.

modules/blog/lib/entry_reply_entry.php lines 53-58 change from:

CODE
        //-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        if (!isset( $this->ipsclass->input['eid'] ) or !intval( $this->ipsclass->input['eid'] ) )
        {
            $this->ipsclass->Error( array( LEVEL => 1, MSG => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array( 'select' => '*',
                                                                         'from'   => 'blog_entries',
                                                                         'where'  => "entry_id = {$this->ipsclass->input['eid']}"
                                                                       ) );

TO:

CODE
        //-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        $eid = intval($this->ipsclass->input['eid']);
        if ( !$eid )
        {
            $this->ipsclass->Error( array( 'LEVEL' => 1, 'MSG' => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array( 'select' => '*',
                                                                         'from'   => 'blog_entries',
                                                                         'where'  => "entry_id = {$eid}"
                                                                       ) );
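
Added example (not part of the IPS announcement and not IP.Blog code): a stand-alone PHP sketch of why the original check did not protect the query, and what the patched form changes. The function names and sample inputs are hypothetical and constructed for illustration; only the WHERE string is built, no database is involved.

```php
<?php
// Added illustration; function names are hypothetical, not IP.Blog's API.

// Pre-patch pattern: intval() is used only as a yes/no test,
// then the ORIGINAL string is interpolated into the WHERE clause.
function where_before_patch(array $input): ?string
{
    if (!isset($input['eid']) || !intval($input['eid'])) {
        return null; // request rejected ('missing_files')
    }
    return "entry_id = {$input['eid']}";
}

// Patched pattern: cast once, test the integer, interpolate the integer.
// (The "?? 0" default is an addition here so the sketch runs without notices.)
function where_after_patch(array $input): ?string
{
    $eid = intval($input['eid'] ?? 0);
    if (!$eid) {
        return null;
    }
    return "entry_id = {$eid}";
}

// Regression check a reviewer can reuse: the clause must be exactly
// "entry_id = <digits>", or the request must have been rejected.
function is_integer_only_clause(?string $where): bool
{
    return $where === null || preg_match('/^entry_id = \d+$/', $where) === 1;
}

// Constructed sample inputs: a normal id, an id with trailing text,
// a non-numeric string, and an empty value.
$samples = array('42', '42 OR 1=1', 'abc', '');

foreach ($samples as $raw) {
    $input  = array('eid' => $raw);
    $before = where_before_patch($input);
    $after  = where_after_patch($input);
    printf(
        "%-12s before: %-24s [%s]  after: %-18s [%s]\n",
        var_export($raw, true),
        var_export($before, true),
        is_integer_only_clause($before) ? 'ok' : 'UNSAFE',
        var_export($after, true),
        is_integer_only_clause($after) ? 'ok' : 'UNSAFE'
    );
}
```

intval() reads the leading digits of a string and ignores the rest, so a value with trailing text passes the pre-patch test while the whole string still reaches the query; the patched form only ever interpolates the integer result.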




