Invision Power Board 3.0.2 Security Update
Posted 18 August 2009 - 10:05 AM
It has come to our attention that there are two potential SQL injection vulnerabilities present in IP.Board 3.0 which can be taken advantage of via careful URL crafting.
The attached zip contains two files which fix the issue. The files are for IP.Board version 3.0.2 only. Those still running 3.0.0 or 3.0.1 will need to upgrade to 3.0.2 as soon as possible.
The main 3.0.2 download zip was updated at 10:15 am EST August 18, 2009. If you download 3.0.2 after this time: your files are already updated.
Simply download the attached zip file and upload the files contained within to your IP.Board directory on your server. No other action is required.
180809.zip 13.73KB 8191 downloads
Support Note: While our technical support department will apply this patch for you on request for those with support service, we strongly suggest you apply this patch yourself whenever possible. Applying the patch is a simple matter of uploading files to your server and, once done, your community is instantly protected without having to wait for our technicians to do the upload for you.
3.0.2 versions downloaded before posted time or unpatched
The vulnerability information was purchased by Beyond Security's SecuriTeam Secure Disclosure. The discoverer of the vulnerability requested to remain anonymous. IPS thanks this group for bringing it to our attention.
- Darken, ossipetz, Teddy Rogers and 42 others like this
Posted 18 August 2009 - 10:07 AM
For power users who wish to manually update the PHP source files.
$search_term = str_replace( """, '"', IPSText::parseCleanValue( urldecode( $this->request['search_term'] ) ) );
Lines 75 and 439:
$in_validate_key = IPSText::md5Clean( trim( urldecode( $this->request['aid'] ) ) );
- Darken, ossipetz, Wolfie and 26 others like this
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users