Welcome to DevFuse Forums
- Start new topics and reply to others
- Subscribe to topics and forums to get email updates
- Get your own profile page and make new friends
- Send personal messages to other members.
(View All Products)Featured Products
Help fund your forum with donations, setup goals and track member donations. Offer rewards for members donating.
Have your members submit their race times and share with others.
Allows your members to submit their own videos for community viewing. Support is included for all the major video sites.
Build your own forms for your members without coding experience. Support included for pm, email and topics.
Build a community database of items for your members. Full features custom fields included.
Invision Power Board 3.0.2 Security Update
Posted 18 August 2009 - 09:05 AM
It has come to our attention that there are two potential SQL injection vulnerabilities present in IP.Board 3.0 which can be taken advantage of via careful URL crafting.
The attached zip contains two files which fix the issue. The files are for IP.Board version 3.0.2 only. Those still running 3.0.0 or 3.0.1 will need to upgrade to 3.0.2 as soon as possible.
The main 3.0.2 download zip was updated at 10:15 am EST August 18, 2009. If you download 3.0.2 after this time: your files are already updated.
Simply download the attached zip file and upload the files contained within to your IP.Board directory on your server. No other action is required.
Support Note: While our technical support department will apply this patch for you on request for those with support service, we strongly suggest you apply this patch yourself whenever possible. Applying the patch is a simple matter of uploading files to your server and, once done, your community is instantly protected without having to wait for our technicians to do the upload for you.
3.0.2 versions downloaded before posted time or unpatched
The vulnerability information was purchased by Beyond Security's SecuriTeam Secure Disclosure. The discoverer of the vulnerability requested to remain anonymous. IPS thanks this group for bringing it to our attention.
Source: Click Here
Posted 18 August 2009 - 06:09 PM
Manual Patch Instruction
For power users who wish to manually update the PHP source files.
$search_term = str_replace( """, '"', IPSText::parseCleanValue( urldecode( $this->request['search_term'] ) ) );
Lines 75 and 439:
$in_validate_key = IPSText::md5Clean( trim( urldecode( $this->request['aid'] ) ) );
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users