IP.Board 3.0.x Security Patch Released

IPS

A security issue has been discovered in IP.Board 3.0.x that could potentially allow a malicious user to insert JavaScript or other code into your community.

The damage this sort of attack can do is mitigated by IP.Board's use of HTTP-only cookies and other security measures.

As part of our continued dedication to security enhancement, we are releasing a simple patch for IP.Board 3.0.5 to address this issue. If you are running IP.Board versions less than 3.0.5, simply upgrade your software version. Note that this issue does not exist in IP.Board 3.1.0 Beta 2 and beyond.

<b>Download Patch</b>

Simply upload the attached file to: admin/sources/classes/bbcode/custom/defaults.php

<a href="http://community.invisionpower.com/index.php?app=core&module=attach&section=attach&attach_id=23454" target="_blank"><img src="http://community.invisionpower.com/public/style_extra/mime_types/zip.gif" border="0" class="linked-image" /></a>
<a href="http://community.invisionpower.com/index.php?app=core&module=attach&section=attach&attach_id=23454" target="_blank">defaults.zip</a> <b>(9.67K)</b>

<i>The main 3.0.5 download zip has been updated as of this date.</i>


<a href="http://community.invisionpower.com/topic/310713-ipboard-30x-security-patch-released/" target="_blank"><b>Read more...</b></a>
Heh, here is the actual fix from there:
admin/sources/classes/bbcode/custom/defaults.php
At line 1839, find:
<pre>$this->cache->updateCacheWithoutSaving( '_tmp_bbcode_media', $existing );</pre>

Add below it:
<pre>//-----------------------------------------
// XSS check
//-----------------------------------------

if( !IPSText::xssCheckUrl( $content ) )
{
    return $content;
}</pre>

The patch is only for version 3.0.5... users of lower versions are asked to upgrade, and version 3.1.0 does not need the patch...
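
To confirm that the manual edit described above is actually present in an installation's defaults.php, the following Python check looks for the XSS guard below the anchor line. It is an added example, not part of the original thread or of IP.Board; the 15-line search window and the two sample snippets are assumptions constructed for illustration.

```python
import re
import sys

# Both strings are quoted from the thread above; whitespace is ignored when matching.
ANCHOR = "$this->cache->updateCacheWithoutSaving( '_tmp_bbcode_media', $existing );"
GUARD = "if( !IPSText::xssCheckUrl( $content ) )"
WINDOW = 15  # assumption: the guard sits within 15 lines below the anchor


def _squash(text):
    return re.sub(r"\s+", "", text)


def patch_status(source):
    """Return 'patched', 'unpatched' or 'anchor-missing' for the text of defaults.php."""
    lines = source.splitlines()
    hits = [i for i, line in enumerate(lines) if _squash(ANCHOR) in _squash(line)]
    if not hits:
        return "anchor-missing"  # different version or heavily modified file
    for i in hits:
        # Drop comment lines so a commented-out guard does not count.
        code = [_squash(l) for l in lines[i + 1:i + 1 + WINDOW]
                if not l.lstrip().startswith(("//", "#", "*", "/*"))]
        at = next((k for k, l in enumerate(code) if _squash(GUARD) in l), None)
        if at is None or not any("return$content;" in l for l in code[at:at + 4]):
            return "unpatched"
    return "patched"


# Constructed samples, not the real file contents.
SAMPLE_UNPATCHED = """
        $this->cache->updateCacheWithoutSaving( '_tmp_bbcode_media', $existing );
        $media = $existing;
"""
SAMPLE_PATCHED = """
        $this->cache->updateCacheWithoutSaving( '_tmp_bbcode_media', $existing );
        //-----------------------------------------
        // XSS check
        //-----------------------------------------

        if( !IPSText::xssCheckUrl( $content ) )
        {
            return $content;
        }
"""

if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(patch_status(fh.read()))
```

Run it with the path to defaults.php as the only argument; a result of `anchor-missing` means the file does not match the 3.0.5 layout the thread describes and should be inspected by hand.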