Security Update: 3rd May 2013
A critical security issue has been reported to us which may allow unauthorized access to an administrator account. We are releasing a security patch to address this issue. In the interest of allowing customers ample amount of time to apply the patch, we are not disclosing further details at this time.
We are providing a patch for IP.Board versions 3.4, 3.3 and 3.2. If you are running a version less than 3.2 you should upgrade to get this and other security enhancements.
While IPS does not apply patches for you, patching is very easy:
- Identify the version of IP.Board you are running.
- Download and unzip the appropriate patch file below that matches your version.
- Upload the contents of the extracted zip folder to your IP.Board home directory
- If you have renamed your admin directory, then copy the files manually to the appropriate admin folder.
- When you apply the security update, the bulletin in your AdminCP will still display. We keep the bulletin in place for at least a week after a security release.
- Our main software packages accessed via the client area have already been updated with this security update.
- If you are an IPS Hosting client your community has been automatically patched.
- As this is not a full upgrade but a simple upload a file and you're done patch, IPS staff will not apply this patch as part of our support services.
We would like to thank security researcher John JEAN for his responsible disclosure of this issue to us. His information is as follows, and shared with permission:
- Author: John JEAN
- Twitter account: @johnjean
- Occupation: Security researcher
- Company: Wargan Solutions
- Company's website: http://www.wargan.com
The update files for each version of IPB have been attached to this thread for your convenience.
You may view the official thread on IPB forums at http://community.invisionpower.com/topic/385207-ipboard-32x-33x-and-34x-critical-security-update/