15 replies to this topic

[Hydrogen]

I have applied the latest IPS security update. We are now secure from this exploit. Here is a description of the security update and what exactly was changed:

Security Update

This post outlines the steps required to update your IPB 2.1.x for this security update.
If you've downloaded IPB 2.1.6 since the time of this post, there is no need to update your installation as the main download has been updated.

It has come to our attention that due to a flaw in the way Internet Explorer handles urlencoded data in URLs, it's possible to craft a malicious URL when adding an avatar to cause an XSS (cross site scripting) vulnerability where, at worst, cookie data can be taken. Additionally, an unrelated flaw may allow moderators to moderate forums that they do not have permission to moderate.

Solution
To prevent further attacks of this kind, we've increased security by checking any URL that is likely to be inserted in an <img> tag.

This security update has a full version number of: 21012.60629.s.
Please read our KB article on how to locate your full version number.

Enjoy .

[ShadowLink64]

Nice job Hydro, didn't even notice that IPS released another patch.

[Raui]

Well done Staff. Wooo !

[Ender]

Wow, do they have an update notification thing or something?

[Hydrogen]

Wow, do they have an update notification thing or something?

They do in acp, but i also subscribe to their rss feed

[sockopen]

Thanks for installing the security update Cataliste, your hard work is always appreciated.

[Warlord]

More behind the scenes work.... good job guys

[Eeyore]

Whoot!! Good to know things are all secure . Well done staff and anyone else that might have helped *covers all stops*.

[dolphinbomb]

Thanks for installing the security update Cataliste, your hard work is always appreciated.

You pretty much said the same thing last time, too

[Cataliste]

Way to be ontop of it Sockopen. Considering you found this flaw months ago, and ShadowLink patched it months ago.

Way to be on the ball Sock.

[Ender]

Um... am I missing something?

[Martin]

Good job staff! ~pats on on back~ Codex is now better protected!

[Cory]

Um... am I missing something?

QFE!!!


I said that a few weeks back.

[Cataliste]

What are you misisng? Sockopen pointed this thing out months ago and SL supposedly patche dit....

[sockopen]

Oh yea, I thought I reported this exact problem to ShadowLink like months ago.

[ShadowLink64]

Oh yea, I thought I reported this exact problem to ShadowLink like months ago.

Meh, I couldn't figure out how to restrict dynamic images but keep normal ones. Extensions wouldn't work or something.