IP.Blog 1.2.4 Security Update



#-19 IPS News

  • IPS Staff

Posted 01 December 2006 - 04:52 PM

IP.Blog 1.2.4 Security Update

It has come to our attention that an attack can be performed using IP.Blog version 1.2.4 and below via SQL injection.

The download for IP.Blog 1.2.4 has been updated. To patch your current installation, download the attached file and upload it to (modules/blog/lib/entry_reply_entry.php) on your server. See the reply to this announcement for manual patching instructions if you do not wish to upload the entire file.

Attached File  entry_reply_entry.php   8.49K   2340 downloads

Note: IP.Blog installations integrated with an IP.Board version 2.2 are not impacted due to IP.Board 2.2's new security enhancements.

#-18 IPS News

  • IPS Staff

Posted 01 December 2006 - 04:53 PM

Manual patch instructions:

You only need to perform manual patching if you do not want to upload the file attached in the message above.

modules/blog/lib/entry_reply_entry.php lines 53-58 change from:

CODE
        //-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        if (!isset( $this->ipsclass->input['eid'] ) or !intval( $this->ipsclass->input['eid'] ) )
        {
            $this->ipsclass->Error( array( LEVEL => 1, MSG => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array ( 'select' => '*',
                                                                          'from'   => 'blog_entries',
                                                                          'where'  => "entry_id = {$this->ipsclass->input['eid']}"
                                                                        ) );

TO:

CODE
        //-------------------------------------------------
        // Do we have the information needed
        //-------------------------------------------------
        $eid = intval($this->ipsclass->input['eid']);
        if ( !$eid )
        {
            $this->ipsclass->Error( array( 'LEVEL' => 1, 'MSG' => 'missing_files') );
        }

        //-------------------------------------------------
        // Load the entry
        //-------------------------------------------------
        $this->entry = $this->ipsclass->DB->build_and_exec_query( array ( 'select' => '*',
                                                                          'from'   => 'blog_entries',
                                                                          'where'  => "entry_id = {$eid}"
                                                                        ) );
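
Why the change above closes the hole, as an added example that is not part of the original announcement or IP.Blog's own code: PHP's intval() converts only the leading digits of a string, so the old check passed for any eid that began with a number while the query still received the full raw string. The function names and sample values below are constructed for illustration, and the script assumes PHP 7.1 or later.

```php
<?php
// Added illustration. Function names are hypothetical, not IP.Blog code.

// Pre-patch logic: intval() is used only as a truthiness test,
// then the raw request value is interpolated into the WHERE clause.
function where_before_patch(array $input): ?string
{
    if (!isset($input['eid']) or !intval($input['eid'])) {
        return null; // request rejected ('missing_files')
    }
    return "entry_id = {$input['eid']}";
}

// Post-patch logic: the value is cast once and only the resulting
// integer ever reaches the query text.
function where_after_patch(array $input): ?string
{
    $eid = intval($input['eid'] ?? 0);
    if (!$eid) {
        return null; // request rejected ('missing_files')
    }
    return "entry_id = {$eid}";
}

// Constructed sample values for the 'eid' request parameter.
$samples = ['12', '12 OR 1=1', 'abc', '0'];

foreach ($samples as $raw) {
    $input = ['eid' => $raw];
    printf(
        "%-13s before: %-22s after: %s\n",
        var_export($raw, true),
        where_before_patch($input) ?? '(rejected)',
        where_after_patch($input) ?? '(rejected)'
    );
}
```

For the second sample the pre-patch function returns a WHERE clause containing the trailing text, while the post-patch function returns the same clause it produces for a plain `12`.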