Archive For April, 2007




Possible XSS Issue Addressed in IP.Board


It has come to our attention that a bug in Internet Explorer 6 and 7 can allow an XSS (cross-site scripting) attack by forcing uploaded image and PDF files to be rendered as HTML, which could allow an attacker to run code in a user’s browser. It should be noted that the XSS damage is significantly mitigated by the “HttpOnly” cookies which were introduced in IP.Board 2.2.0. This means that sensitive cookies in IP.Board 2.2.0 and higher cannot be read by JavaScript crafted to exploit this bug.

Although this is a significant flaw within Internet Explorer, we have made a workaround to resolve this issue by scanning uploaded files for possible malicious code. If a file is found to contain code that should not exist, such as HTML or JavaScript in an image file, the upload will be denied.

The download packages for IP.Board as of this date have been updated to include the patch. To patch an existing installation of IP.Board 2.1.x or 2.2.x, download the appropriate patch file:

Version 2.1.x: http://forums.invisionpower.com/index.php?act=attach&type=post&id=11582

Version 2.2.x: http://forums.invisionpower.com/index.php?act=attach&type=post&id=11583

Simply upload the class_upload.php file for your version into the ips_kernel directory, overwriting the existing file.
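The kind of upload scan described above can be sketched as follows. This is an added example, not the contents of the patched class_upload.php; the function names, the token list, the allowed extensions and the 4096-byte scan window are all assumptions made for illustration.

```php
<?php
// Added example, not IP.Board's own code.
// The token list and the scan window are assumptions.
const MARKUP_TOKENS = ['<html', '<head', '<body', '<script', '<title',
                       '<iframe', '<plaintext', '<a href', '<img'];

/** Return the first markup token found in the file's leading bytes, or null. */
function find_markup_in_upload(string $path, int $window = 4096): ?string
{
    $handle = fopen($path, 'rb');
    if ($handle === false) {
        throw new RuntimeException("cannot open $path");
    }
    $head = (string) fread($handle, $window);
    fclose($handle);
    // Drop NUL bytes so padding cannot split a token, then compare in lowercase.
    $head = strtolower(str_replace("\0", '', $head));
    foreach (MARKUP_TOKENS as $token) {
        if (strpos($head, $token) !== false) {
            return $token;
        }
    }
    return null;
}

/** Accept an upload only if its extension is allowed and no markup is found. */
function accept_upload(string $path, string $originalName): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png', 'pdf'], true)) {
        return false;
    }
    return find_markup_in_upload($path) === null;
}

// Constructed sample inputs: an image header followed by markup, and a clean image.
$samples = [
    'mixed.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00<ScRiPt>/* constructed */</script>",
    'clean.gif' => "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-10s %s\n", $name, accept_upload($tmp, $name) ? 'accepted' : 'denied');
    unlink($tmp);
}
```

Scanning only the start of the file keeps false positives on binary data low; scanning the whole file is stricter but will reject more legitimate uploads.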


** SCAMMER Alert **

Extreme Pixels

Somebody with way too much free time is pretending to work for eXtremepixels via AIM. If you see somebody with the screen name *ExtremePixelsRep*, ignore them. I’d even suggest blocking them altogether.

Nobody from eXtremepixels uses AIM for support as the support area is located right here in…


IP.Board 2.3.0 Applied for Testing

Welcome to IP.Board 2.3.0 Testing

We have applied IP.Board 2.3.0 to our company forums to begin testing the system under load. This new version of IP.Board contains:

  • New URL skin mapping - ability to apply a skin based on the URL a visitor is viewing
  • Bug Fixes
  • Performance Enhancements
  • Changes to better integrate with IP.Converge

The key focus of IP.Board 2.3.0 is performance improvement, and of course we take advantage of every release to fix minor bugs discovered since the last release.

As most changes to the software are at a lower level, IP.Board 2.2 series skins will work on 2.3.0 without having to revert your skin templates. There are some bug fixes in some skin areas, but unless you are experiencing problems there is no need to revert your skin templates. More details on what has changed in the skins and a complete list of fixed bugs will be available at release time. We expect most third-party modifications that worked on the 2.2 series will work with little if any change in version 2.3.0.

As per our usual release process, we will test IP.Board 2.3.0 here on our company forums until all upgrade issues are resolved, our beta testing group reports in, and our staff is comfortable with a public release. We expect this process to last one to two weeks.

More updates forthcoming. Thank you for your feedback.

Note: Please clear your browser cache if you experience any JavaScript issues.


IP.Converge Applied

Invision Power Services is now using IP.Converge

IP.Converge allows a single authentication to be used across the forums as well as the client area, therefore providing easy access to all our client areas. The customer client area will be available via Converge tomorrow.

Please be reminded that the IP.Converge application requires the user’s email address as the login method.

If you are having problems logging out, please either try from Converge or use the “delete cookies set by this board” link.
