Jump to content
bbh_blocked_dnftl
Rules, Terms of Use, & Privacy Policy ×
Tiberium Technology® Forums

Welcome to Tiberium Technology® Forums

Welcome to Tiberium Technology® Forums, like most online communities you must register to view or post in our community, but don't worry this is a simple free process that requires minimal information for you to signup. Be apart of Tiberium Technology® Forums by signing in or creating an account.
  • Start new topics and reply to others
  • Subscribe to topics and forums to get email updates
  • Get your own profile page and make new friends
  • Send personal messages to other members.

Guest Message by DevFuse

IP.Board 3.3.x-3.4.x and IP.Gallery 4.2.x-5.0.x Security Update

By [R] NuclearGeneral
in IPS RSS

 Share

Recommended Posts

  • Root Admin
Newbie

[R] NuclearGeneral

Posted
  • Root Admin
Posted

We are releasing security patches for IP.Board 3.3.4, IP.Board 3.4.5, IP.Gallery 4.2.1 and IP.Gallery 5.0.5 to address four cross-site scripting issues recently reported to us.

 

It has come to our attention that an unpatched security issue exists in a third party script included with the IP.Board release called "Flowplayer". While this script is included with IP.Board, it is presently only utilized by IP.Gallery to facilitate embedding of certain media files when the administrator allows them to be uploaded. The exploit that has been reported to us may expose a specific type of cross-site scripting vulnerability through Flowplayer and requires a certain level of user-interaction to trigger (in other words, a user must follow a link to the affected target - to our knowledge this issue cannot be triggered automatically by viewing a page normally accessible through typical navigation of the software).

It has come to our attention that an unpatched security issue exists in a third party script included with the IP.Board release called "swfupload". The cross site scripting vulnerability, like the one described above, requires a user to visit a specially crafted link to the swfupload flash file directly, where-by arbitrary javascript may be executed.

It has come to our attention that two potential cross site scripting vulnerabilities exist within the IP.Board editor routines. These vulnerabilities are not persistent (meaning you can only trigger them against yourself, as opposed to causing them to be stored in the database and triggered against another user), however we feel that it is in the best interests of our clients to release an update to address the issues reported.


We are releasing patches today to address all four issues.

 

To apply the patch, please perform the following steps:

  • Identify which version of IP.Board you are running. If you are running IP.Board 3.3.x, you will also need to identify which version of IP.Gallery you are running.
  • Download the appropriate patch file below
  • Extract the contents locally on your computer
  • Upload the contents of the "upload" folder to your forum root directory (where conf_global.php is located), overwriting any files when prompted. Please refer to this knowledgebase article if you are unfamiliar with using FTP to transfer files to your server.
  • IF YOU ARE RUNNING BOARD 3.4.0 - 3.4.4, you will need to upgrade to 3.4.5, which as of today includes these patches.

 

If you are an IPS Community in the Cloud customer running IP.Board 3.3 or above, no further action is necessary; we have already automatically patched your account. If you are using a version older than IP.Board 3.3, you should contact support to upgrade.

 

If you are running IP.Board 3.4.x, please use the following zip:
http://community.invisionpower.com/filestore/public/style_extra/mime_types/zip.gif ipb3_4_and_gallery_5_0-9-13-2013.zip   79.87KB  2005 downloads

If you are running IP.Board 3.3.x without IP.Gallery, or with IP.Gallery 5.0.x, please use the following zip:
http://community.invisionpower.com/filestore/public/style_extra/mime_types/zip.gif ipb3_3_and_gallery_5_0-9-13-2013.zip   85.32KB  235 downloads

If you are running IP.Board 3.3.x with IP.Gallery 4.2.x, please use the following zip:
http://community.invisionpower.com/filestore/public/style_extra/mime_types/zip.gif ipb3_3_and_gallery_4_2-9-13-2013.zip   84.91KB  112 downloads

 

As of the time of this post, the full IP.Board and IP.Gallery packages in our client center have been updated.

If you are running any version of IP.Board or IP.Gallery that is not listed above, we recommend that you upgrade to the latest version to obtain these security fixes, as well as several other security and bug fixes.



We would like to thank Sahil Saif for bringing the flowplayer vulnerability to our attention.

We would like to thank Masato Kinugawa for bringing the swfupload vulnerability to our attention.

We would like to thank Jakub at http://hauntit.blogspot.com/ for bringing the editor vulnerabilities to our attention.



View the full article at IPS

 

 

(NG33) Global Adverts

(NG33) Xbox/PSN Tags

(NG33) BuyNow BBCode

(NG33) Members Donate Button

 


My Free Mods:
[NG23] News System v1.1.1 | Custom Pages v4.2 | (NG30) Google Adsense Ads v1.2.2
(NG30) Google Ads In Topic View v1.1.1 | (NG30) iClient Message In A Bottle v1.1.0 | (NG30) Forum Icon Legend v1.0.1
(NG30) Registration Notes v1.0.0 | (NG30) IP.Chat Message v1.0.0

My Paid Mods:
(NG33) Global Adverts v2.1.0 | (NG30) Rotating Banners v1.1.0 | (NG33) BuyNow BBCode v2.0.0
(NG33) Members Donate Button v1.0.8 | (NG33) Xbox/Psn Tags v1.0.3
(NG30) Image Align BBCode v1.0.0 | (NG30) Topic HTML v1.0.0 | (NG30) Google Checkout v1.0.0 | (NG30) LightBox Link BBCode v1.0.0

Mods In Development:
(NG33) Social Groups Addon - Group Payment Button | (NG33) Global Ads v2.2.0 Alpha 1

My Services:
Mod Installation Service | Skin Installation Service | Forum Upgrade Service

25d62e68d76cd7f75667a83cf86de91d.png571a3be8802342dcad9f07b714798cab.pngd650fe3d5d63fbbbab3604d6dc2414a0.png45b90d1ccf717d0a8f5d408051b94ef2.png
cacd42cb21d2574e269f68f0e79192dc.png62544e0b76b142e25661166266eb7944.png9fd72f98b8e65b7fb691407ee5d42391.png
b7abd2a44678e89c2bb3aa91e401ea99.png9687ca76387f2ede1fbb7df8d2508b3e.pngc8c57eb84a468892635126acaf75ff6f.png

---------------------------
For Support Questions About Your Hosting Account, Please Post Your Question In The HelpDesk System.
http://www.tiberiumstudios.net/Files/Sigs/sig.gif
---------------------------
My YouTube! Channel
The Price of War Clan.com
---------------------------

 

 


Common Developer Articles:
Creating Your Own Hooks | Creating A Template Plugin | Creating A Portal Plugin | Database Plugins/Callbacks | Supporting AdminCP Permissions | Template Logic and Variables
Using The Javascript Popup Class | Parsing BBCode & HTML | Adding a Profile View Tab | Convert an IPB 2 component to an IPB 3 application | Handling AJAX Requests

Settings Tab
[Your Settings]
Forums tab
[Forums]
Blog tab
[Your Blogs]
Downloads tab
[Your Files]
Gallery tab
[Your Albums]
Profile Tab
[Change Profile Info]
[About Me Page]
[Change Signature]
[Change Photo]
[Change Avatar]

NXE:
NuclearGeneral.png
NewNXE:
NuclearGeneral.png
DarkSigBar:
NuclearGeneral.png
XboxOneSig:
NuclearGeneral.png
XboxOneSig2:
NuclearGeneral.png

 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Guidelines, & Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.