Invision Power Services: IP.Board 2.3.6 and 3.0.5 Security Update - Invision Power Services


IP.Board 2.3.6 and 3.0.5 Security Update

#1 IPS News (Public Relations, IPS Staff)
Posted 08 March 2010 - 04:34 PM


It has come to our attention that there is a possible XSS exploit present in both IP.Board 2.3.6 and 3.0.x. This vulnerability allows the attacker to insert CSS or JavaScript into certain BBCodes that is executed when a user displays the page.

Resolution
Please download the relevant zip for your IP.Board. Expand the zip file and upload the file over the copy on your server. No other action is required.

IP.Board 3.0.5
Attached File  305-march-10.zip (35.55K)

Please note this patch will only work with IP.Board 3.0.5. If you are using an earlier version of IP.Board 3.0 then you will need to upgrade to IP.Board 3.0.5. After you have upgraded, you will not need to add this patch.

IP.Board 2.3.6
Attached File  236xss_march10.zip (15.61K)

The main download zips have been updated. If you have downloaded either 2.3.6 or 3.0.5 since the time of this announcement, then you do not need to patch your installation.

#2 Matt (Chief Software Architect, IPS Management)

Posted 18 March 2010 - 05:30 PM

Patch Update for IP.Board 3.0.5

We have been working over the past week with Aoyagi Ritsuka on hardening the code for several BBCode tags. I have attached a new zip in the original post for IP.Board 3.0.5 which contains the original fix plus improvements in security in other tags which will prevent future exploits from being successful.

This patch also includes a fix for a minor issue with hidden redirect scripts being able to remove users' avatars and/or photos.

As usual, please download the zip file, expand and upload the files over the copies on your server. No further action is required.

The main download zip has been updated at the time of this post.

Note: Zip file was updated at 16:30 GMT to fix a platform specific issue.
Matthew Mecham
Invision Power Services, Inc. - C.S.A.
