04-25-2014 10:38 AM
Invision Power Services (IPS) has released security patches for IP.Board 3.3.x, IP.Board 3.4.x and IP.Nexus 1.5.x. The patches fix three file inclusion issues and a cross-site scripting (XSS) vulnerability.
The file inclusion flaw can be exploited on certain PHP configurations through some of the files designed to run from the command line. An expert who uses the online moniker sijad privately reported the issue to IPS.
As for the XSS vulnerability, it appears that an attacker can direct users to a page that can trigger an XSS attack. Social engineering is needed to pull off the attack. The security hole was reported by Christian Schneider.
The patches are applied automatically for IPS Community in the Cloud customers running version 3.3 or above of IP.Board. Other users can update their installations by downloading the patch files and uploading them to their forum servers.
On March 6, IPS published IP.Board 3.3.x and IP.Board 3.4.x patches to address a total of three XSS vulnerabilities. Before that, security updates were released on January 15 (for IP.Gallery) and December 13, 2013.