
[IPB 1.3] Security Patches


2 replies to this topic

#1 visiblesoul

  • Administrators
  • 551 posts
  • Location:Earth
  • Texas

Posted 06 October 2004 - 12:05 PM

I have collected information about the security patches for IPB 1.3. It looks like there were security patches issued that altered the following files. Download links provided if known.

Quote

sources/functions.php (12/16/03)
sources/Forums.php (12/16/03)
sources/calendar.php (2/1/04)
ssi.php (2/19/04)
sources/Search.php

index.php (?)
sources/Online.php (?)
sources/Admin/ad_member.php (?)

(?) = uncertain if these were released as individual patches.

sources/functions.php
sources/Forums.php

Matt@IPB Dec 16 2003, on 01:51 PM, said:

An update has been prepared to ensure security and safety of your Invision Power Board.

We have received notification of two minor issues that although require some URL crafting and a specific set of circumstances to occur we feel it's always best to address any and all issues to ensure the very best security.
The update is very simple to apply, simply go to the download center and download the "IPB 1.3 Security Update 12-16 (1.3)" package, unzip and upload "sources/functions.php" and "sources/Forums.php" overwriting the copies on your installation.

The main download files have been updated.

Download center
My thanks to those that contacted us in private about these issues.

sources/calendar.php

Matt@IPB Jan 3 2004, on 07:29 AM, said:

An update has been prepared to ensure security and safety of your Invision Power Board.

We have received notification of a minor issue that although require some URL crafting and a specific version of MySQL in use to occur but we feel it's always best to address any and all issues to ensure the very best security.

The update is very simple to apply, simply go to the download center and download the " 1.3 Security Patch 02-01-04" package, unzip and upload "sources/calendar.php" overwriting the copy on your installation.

The main download files have been updated.

Download center

ssi.php

Matt@IPB Feb 19 2004 @ 08:53 AM said:

It has come to our attention that there is an exploit in "ssi.php" which is distributed as part of the IPB 1.x download. This affects those running their IPB on MySQL 4+.

The main update package has been updated and all you need to do in order to update your board is download the attached file, unzip it and upload "ssi.php" to your board installation overwriting the copy on the server.

The attached file is for IPB 1.3 but should work with all 1.x versions.

Attached File(s)
Attached File ssi_feb04.zip ( 4.02k )
http://forums.invisi...howtopic=114715

search.php

Matt@IPB Mar 3 2004, on 09:11 AM, said:

It has come to our attention that a small vulnerability may exist in Invision Power Board v1.3. As always we take security very seriously and have released an update.

The update is very easy to apply. Simply download the attached ZIP file, uncompress and upload 'Search.php' into your 'sources' folder overwriting the original contained in your IPB installation.

Attached File search.zip ( 9.48k )

The main download zip has been updated.

The changed section of code can be found near the top of the file at line 125 (modified lines in bold).

Quote

    $this->lib = new search_lib(&$this);

    $ibforums->input['st'] = intval($ibforums->input['st']);

    if ( $ibforums->input['st'] )
    {
        $this->first = $ibforums->input['st'];
    }

    //--------------------------------------------
    // What to do?
    //--------------------------------------------

    if (! isset($ibforums->member['g_use_search']) )
    {
        $std->Error( array( LEVEL => 1, MSG => 'cant_use_feature') );
    }

It looks like all available 1.3 patches are included in one zip on ibforen.

Peter@ibforen - BabelFish translation said:

Security update For IPB 1,3 v1.0 (2004-09-29)
Update to ipb 1.3.1

Supporttopic


Compatibly with ipb 1.3Final, not ipb 1.3.1
Description

* Adds all changes of the version 1.3.1
* Is suitable only for the version 1.3

http://www.ibforen.d...showtopic=10191



Please note that I offer free support on this forum in my free time. Depending on how much work I have backlogged it may take me a week or more to answer questions. I am not ignoring you. I answer everyone but please be patient. Thanks.

Disclaimer: All forum posts, including code examples, on this forum are offered for free in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Use code examples at your own risk.

"If at first you don't succeed, keep on suckin' til you do succeed." -Curly Howard
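
Added example, not part of the original posts and not IPB code: a shell check that a copy of sources/Search.php carries the intval() cast shown in the March 2004 excerpt above, and that the cast comes before the value is copied into $this->first. It assumes the file's statements match the excerpt apart from whitespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IPB code). Function names are hypothetical.

# Line number of the first non-comment line containing fixed string $1 in
# file $2, compared with spaces, tabs and CRs removed. Prints nothing if absent.
first_code_line() {
    tr -d ' \t\r' < "$2" \
        | grep -n -F -- "$1" \
        | grep -v -E '^[0-9]+:(//|#)' \
        | head -n 1 \
        | cut -d: -f1
}

# Exit status: 0 = cast present before first use, 1 = cast missing or too
# late, 2 = file unreadable.
search_patch_status() {
    file=$1
    [ -r "$file" ] || return 2
    # Patterns are the excerpt's two statements with whitespace stripped.
    cast=$(first_code_line "\$ibforums->input['st']=intval(\$ibforums->input['st'])" "$file")
    use=$(first_code_line "\$this->first=\$ibforums->input['st']" "$file")
    if [ -z "$cast" ]; then
        return 1
    fi
    if [ -z "$use" ]; then
        return 0   # value never copied into $this->first; cast alone suffices here
    fi
    [ "$cast" -lt "$use" ]
}

# Stand-alone use: sh check.sh /path/to/board/sources/Search.php
if [ "$#" -gt 0 ]; then
    if search_patch_status "$1"; then
        echo "patched: $1"
    else
        echo "NOT patched or unreadable: $1"
    fi
fi
```

A commented-out cast is treated as missing, so a file where the line was disabled during a later edit is reported as unpatched.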

#2 visiblesoul

  • Administrators
  • 551 posts
  • Location:Earth
  • Texas

Posted 06 October 2004 - 12:19 PM

Matt@IPB Apr 1 2004 @ 03:39 PM said:

We've released Invision Power Board 1.3.1 to clear up any confusion with the recent security announcements surrounding Invision Power Board 1.3.

There have been a few minor security updates since the release of IPB 1.3 and we've updated the main download files and released separate patches but as we haven't updated the version number (largely to prevent anyone reading reports on Bugtraq and hunting out vulnerable boards based on version number) there is some confusion within the security community who have been re-reporting possible vulnerabilities long since fixed. This release acts as a 'clean slate'.

If you wish to make sure that you're up to date with your security upgrades, download Invision Power Board 1.3.1 from the link below and upgrade the suggested files:

- admin.php
- index.php
- sources/calendar.php
- sources/Online.php
- sources/Search.php

Download IPB 1.3.1 Now! (Link Broken)




#3 visiblesoul

  • Administrators
  • 551 posts
  • Location:Earth
  • Texas

Posted 29 January 2006 - 11:25 PM

The latest security patches for IPB 1.3 and IPB 1.3.1 are available for download as mods by Peter on ibforen.de...


Security and Bug Update For IPB 1.3 v1.7.1 (2006-01-07)
http://www.ibforen.de/index.php?ind=downlo...ry_view&iden=44


Security and Bug Update For IPB 1.3.1 v1.5.1 (2006-01-05)
http://www.ibforen.de/index.php?ind=downlo...ry_view&iden=45





