Invision Power Board 3.0.2 Security Update


#1 News Bot


Posted 18 August 2009 - 09:05 AM

Security Update for IP.Board 3.0.2
It has come to our attention that there are two potential SQL injection vulnerabilities present in IP.Board 3.0 which can be taken advantage of via careful URL crafting.

The attached zip contains two files which fix the issue. The files are for IP.Board version 3.0.2 only. Those still running 3.0.0 or 3.0.1 will need to upgrade to 3.0.2 as soon as possible.

The main 3.0.2 download zip was updated at 10:15 am EST August 18, 2009. If you download 3.0.2 after this time, your files are already updated.

Simply download the attached zip file and upload the files contained within to your IP.Board directory on your server. No other action is required.

 180809.zip (13.73K)

Support Note: While our technical support department will apply this patch for you on request for those with support service, we strongly suggest you apply this patch yourself whenever possible. Applying the patch is a simple matter of uploading files to your server and, once done, your community is instantly protected without having to wait for our technicians to do the upload for you.

Impacted Versions:
3.0.2 versions downloaded before posted time or unpatched

Not Impacted:

The vulnerability information was purchased by Beyond Security's SecuriTeam Secure Disclosure. The discoverer of the vulnerability requested to remain anonymous. IPS thanks this group for bringing it to our attention.

Source: Click Here

#2 Michael




Posted 18 August 2009 - 06:09 PM

RSS importer didn't get the second post, here are the manual patch instructions if needed.

Manual Patch Instruction
For power users who wish to manually update the PHP source files.

File: "admin/applications/core/modules_public/search/search.php"
Line: 207

$search_term = str_replace( "&quot;", '"', IPSText::parseCleanValue( urldecode( $this->request['search_term'] ) ) );

File: "admin/applications/core/modules_public/global/lostpass.php"
Lines 75 and 439:

$in_validate_key = IPSText::md5Clean( trim( urldecode( $this->request['aid'] ) ) );
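
Added example, not part of the original posts and not IP.Board code: both patched lines apply the cleaning function to the result of urldecode(), and the sketch below shows why that order matters. It assumes the request value had already been cleaned once before the extra urldecode() call (the thread does not show the pre-patch lines); clean_value(), md5_clean() and the sample input are hypothetical stand-ins.

```php
<?php
// Hypothetical stand-ins for IPSText::parseCleanValue() and
// IPSText::md5Clean(); they are NOT the IP.Board implementations.
function clean_value(string $v): string
{
    // Entity-encode quotes and angle brackets so they are inert downstream.
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

function md5_clean(string $v): string
{
    // Keep at most 32 characters and strip everything non-alphanumeric.
    return preg_replace('/[^a-zA-Z0-9]/', '', substr($v, 0, 32));
}

// Constructed input: a single quote that has been percent-encoded twice.
$raw = 'abc%2527def';

// PHP decodes the query string once before application code sees it,
// which leaves one layer of percent-encoding in place.
$request = ['search_term' => urldecode($raw), 'aid' => urldecode($raw)];

// Assumed input layer: clean every value on arrival. No literal quote
// exists yet, so there is nothing for the cleaner to neutralise.
$request = array_map('clean_value', $request);

// Order A: decode a value that was cleaned earlier. The second decode
// turns the remaining percent-sequence into a raw quote after the check.
$decode_last = urldecode($request['search_term']);

// Order B (the order used in the patched lines): clean the decoded value.
$clean_last = clean_value(urldecode($request['search_term']));
$key        = md5_clean(trim(urldecode($request['aid'])));

// Report whether a raw quote survives each ordering.
printf("decode last, raw quote present: %s\n",
    var_export(strpos($decode_last, "'") !== false, true));
printf("clean last, raw quote present:  %s\n",
    var_export(strpos($clean_last, "'") !== false, true));
printf("validate key is alphanumeric:   %s\n",
    var_export(ctype_alnum($key), true));
```

The same check works as a regression test for any code path that calls urldecode() on request data: whatever sanitising or validation the value needs has to run on the final decoded form.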
