1 reply to this topic

[IPS News]

A minor security issue has been discovered within the forum password system that could allow exposure of topic titles in password-protected forums. This issue does not allow the topics to be viewed and only affects forums that are password protected.

We have released a simple patch for this issue. To apply, simply download the correct zip file and upload the file(s) over the ones on your server. There is no need to rebuild or reset any templates or language packs. Customers with active support are welcome to ask technical support for assistance if required.

IP.Board 3.0.x
 patch-feb-3.0.zip   10.87K   537 downloads

IP.Board 3.1.4
 patch-feb-3.1.zip   17.9K   1404 downloads

In addition to the security patch described above, the IP.Board 3.1.4 patch also includes an update to our mobile API designed to resolve some issues, provide better integration for our iPhone application and to provide IP.Gallery 4.0 support alongside IP.Gallery 3.2.x.

The main download zips have been updated at the time of this post so if you have downloaded after the date of this message you do not need to apply this patch.

[bfarber]

If you are using a version of IP.Board 3.1 less than 3.1.4 you may optionally upgrade to 3.1.4 to resolve the issue, or manually apply the following patch to your site.  To manually apply this security patch to your IP.Board 3.1.x installation:

Open /admin/applications/forums/modules_public/forums/forums.php and find

return ( isset( $this->request['L'] ) AND $this->request['L'] == 1 ) ? $this->authenticateUser() : $this->renderForum();

Change this to

return !empty( $this->request['L'] ) ? $this->authenticateUser() : $this->renderForum();

Save this file and upload to your server, overwriting the original.