
OpenID Security Update for IP.Board 3.0.2



#1 IPS News

    Public Relations

  • IPS Staff
  • 710 posts

Posted 26 August 2009 - 10:07 AM

OpenID Security Update for IP.Board 3.0.2

We are investigating issues related to OpenID not completely authenticating data, which can result in the security of your community being compromised. This issue can only impact your community if you have enabled OpenID logins, as OpenID is disabled when IPS ships IP.Board releases.

Protecting Your IP.Board

There are two methods to protect your community.

Method 1: Disable OpenID

The easiest fix is to simply disable OpenID logins. These login systems are disabled by default in IP.Board, so unless you have specifically turned on OpenID you are already protected. This screenshot shows you what to look for in your AdminCP:

Attached Image: 20090826-d6rx9uxahxnry1793uftr22ypj.jpg


  • Click "Log In Management" in the AdminCP
  • Look for OpenID in the list. If there is already a red "X" then OpenID is disabled and your community is safe from this issue.
  • If you see a green check: disable OpenID by clicking the drop-down menu to the right, edit details, and set "Log In Enabled" to "No"

If OpenID is disabled and you do not use/need this login method you do not need to do anything further.


Method 2: Upload Source File

If OpenID is in use in your community and you need to keep it enabled, simply upload the attached file to your forums directory. The path is included in the zip file and it is just one file.

Attached File  260809.zip   5.17K   5400 downloads





Support services note: as this update is a single-file update or the issue can be eliminated by simply disabling OpenID in the AdminCP we do request that clients apply either the setting or file fix themselves if possible. The 3.0.2 download has been updated as of the time of this announcement.

#2 IPS News

    Public Relations

  • IPS Staff
  • 710 posts

Posted 26 August 2009 - 10:09 AM

Manual Instructions
For power users who wish to manually patch their installations. Most users can ignore this information.


File: admin/sources/loginauth/openid/auth.php
Line: 371

		if( $check['email'] )
		{
			$this->member_data = IPSMember::load( $check['email'], 'extendedProfile,groups' );
		}
		else
		{
			$this->member_data = array( 'member_id' => 0 );
		}




