Jump to content
InvisionCommunity.de - Der Deutsche Invision Community Support
Sign in to follow this  
Followers 0
IPBSupport News

[IPS] IPB 2.1.7 Security Update (Low Risk)

By IPBSupport News, in Neuigkeiten und Ankündigungen IPS

Recommended Posts

IPBSupport News    8

IPBSupport News
Posted

IPB 2.1.x Low Risk Security Update

It has come to our attention that a relatively low risk XSS attack can be performed on an administrator in IPB 2.1.x. For this XSS attack to take place, the malicious user must store an avatar on their server that appears to be a legitimate image file but is actually a script that is set to redirect the browser to another location. The administrator must have 'root' access and must load the avatar in the ACP by searching for the member in the ACP's "Search Member" form.

Even though the XSS attack requires a very specific sequence of events, we consider that it's worth performing this security update. The security update is only a single ACP file which removes the user's avatar from displaying in the search results page. IPB 2.2.0, currently nearing release candidate status has increased security in the ACP which means this attack would not be successful.

To update your installation, simply download the attached file and upload the file "sources/action_admin/member.php" over the one currently used by your installation.

Quelle: http://forums.invisionpower.com/index.php?showtopic=227937

Share this post

Link to post

IPBSupport News    8

IPBSupport News
Posted

Manual Update Instructions

Edit the file 'sources/action_admin/member.php'. Line 3456

$joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );


            $people .= <<<EOF

                        <td width='{$td_width}%' align='left' class='$class'>

Add above it:

$avatar = "<img src='{$this->ipsclass->skin_url}/images/memsearch_head.gif' border='0' />";


            $joined = $this->ipsclass->get_date( $r['joined'], 'JOINED' );


            $people .= <<<EOF

                        <td width='{$td_width}%' align='left' class='$class'>

IPB 2.1.7 Security Update - Medium Priority

It has come to our attention that due to the way some browsers interpret image tags a vulnerability exists which allows a malicious user to perform an XSS attack by forcing an "onerror" event in the snapback tag.

To update your board, simply download the attached ZIP file, unarchive it and upload 'sources/classes/bbcode/class_bbcode_core.php' over the one on your server. If you wish to patch your board manually, please read the second post in this announcement.

The main download has been updated as of the time of this announcement.

Note: IPB 2.2.0 (all versions) are NOT affected by this vulnerability.

Manual Patch Instructions for "sources/classes/bbcode/class_bbcode_core.php"

Function "regex_check_image", line 924:

Change:

$default = "[img=".$url."]";
To: 
$default = "[img]".str_replace( '[', '&# 091;', $url )."[/img]";
Change: 
if ( preg_match( "/[?&]/", $url) )
To: 
if ( preg_match( "/[?&\<\[]/", $url) )
Function "post_db_parse_bbcode", Line 486 Change: 
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
To: 
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );


if ( $row['bbcode_tag'] == 'snapback' )

{

	$match[2][$i] = intval( $match[2][$i] );

}

Share this post

Link to post
Sign in to follow this  
Followers 0
Go To Topic Listing Neuigkeiten und Ankündigungen IPS
×