Jump to content


Welcome to DevFuse Forums


Sign In  Log in with Facebook

Create Account
Welcome to DevFuse Forums, like most online communities you must register to view or post in our community, but don't worry this is a simple free process that requires minimal information for you to signup. Be apart of DevFuse Forums by signing in or creating an account.
  • Start new topics and reply to others
  • Subscribe to topics and forums to get email updates
  • Get your own profile page and make new friends
  • Send personal messages to other members.
 
Guest Message by DevFuse

(View All Products)Featured Products

  • Donations


    Help fund your forum with donations, setup goals and track member donations. Offer rewards for members donating.
  • Timeslips


    Have your members submit their race times and share with others.
  • Videos


    Allows your members to submit their own videos for community viewing. Support is included for all the major video sites.
  • Forms


    Build your own forms for your members without coding experience. Support included for pm, email and topics.
  • Collections


    Build a community database of items for your members. Full features custom fields included.

Photo

Possible XSS Issue Addressed in IP.Board


  • Please log in to reply
No replies to this topic

#1 Michael

Michael

    Management

  • Management
  • 3,544 posts
  • Gender:Male
  • IP.Board Version:IPB 3.4.x

Posted 26 April 2007 - 07:52 AM

Possible XSS Issue Addressed in IP.Board

It has come to our attention that a bug in Internet Explorer 6 and 7 can allow an XSS (cross-site scripting) attack by forcing uploaded image and PDF files to run as HTML which could allow an attack to run code through a user's browser. It should be noted that the XSS damage is significantly mitigated by the "HttpOnly" cookies which were introduced in IP.Board 2.2.0. This means that sensitive cookies in IP.Board 2.2.0 and higher cannot be read by JavaScript which could be crafted using this bug.

Although this is a significant flaw within Internet Explorer, we have made a work around to resolve this issue by scanning uploaded files for possible malicious code. If a file is found to contain code that should not exist, such as HTML or JavaScript in an image file, the upload will be denied.

The download packages for IP.Board as of this date have been updated to include the patch. To patch an existing installation of IP.Board 2.1.x or 2.2.x, download the appropriate patch file:

Version 2.1.x: http://forums.invisi...?...st&id=11582

Version 2.2.x: http://forums.invisi...?...st&id=11583

Simply upload the class_upload.php file for your appropriate version into the ips_kernel directory overwriting the existing file.


Source: Click Here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users