
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN164
_____________________________________________________________________

DATE                : 06/05/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running IP.Board versions prior to 3.4,
                        3.3, 3.2.

======================================================================
http://community.invisionpower.com/topic/385207-ipboard-32x-33x-and-34x-critical-security-update/
______________________________________________________________________


Posted 03 May 2013 - 03:21 PM



Security Update: 3rd May 2013

 A critical security issue has been reported to us which may allow
unauthorized access to an administrator account.  We are releasing a
security patch to address this issue. In the interest of allowing
customers ample amount of time to apply the patch, we are not
disclosing further details at this time.


Instructions

 We are providing a patch for IP.Board versions 3.4, 3.3 and 3.2. If
you are running a version less than 3.2 you should upgrade to get this
and other security enhancements.

 While IPS does not apply patches for you, patching is very easy:
 1. Identify the version of IP.Board you are running.
 2. Download and unzip the appropriate patch file below that matches
    your version.
 3. Upload the contents of the extracted zip folder to your IP.Board
    home directory.
 4. If you have renamed your admin directory, then copy the files
    manually to the appropriate admin folder.

IP.Board 3.4.x
  3.4.zip   76.46K

IP.Board 3.3.x
  3.3.zip   70.88K

IP.Board 3.2.x
  3.2.zip   64.78K



Important Notes:
 • When you apply the security update, the bulletin in your AdminCP will
   still display. We keep the bulletin in place for at least a week after
   a security release.
 • Our main software packages accessed via the client area have already
   been updated with this security update.
 • If you are an IPS Hosting client your community has been
   automatically patched. No further action is needed.
 • As this is not a full upgrade but a simple upload-a-file-and-you're-done
   patch, IPS staff will not apply this patch as part of our support
   services.



We would like to thank security researcher John JEAN for his
responsible disclosure of this issue to us.  His information is as
follows, and shared with permission:
 • Author: John JEAN
 • Twitter account: @johnjean
 • Occupation: Security researcher
 • Company: Wargan Solutions
 • Company's website: http://www.wargan.com

======================================================================
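
Steps 3 and 4 of the patch instructions above can be checked after the upload. The following is an added example, not part of the IPS announcement or of this note: it compares every file of the extracted patch with the installed copy and flags files that are missing, stale, or uploaded into a new "admin" folder beside a renamed one. It assumes the extracted zip mirrors the board's directory layout with AdminCP files under a top-level "admin" folder; the function names, the renamed folder "acp_x" and the sample file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_patch(patch_dir, board_root, admin_dir="admin"):
    """Compare each file of the extracted patch with the installed copy.

    Assumption: patch_dir mirrors the board layout, with AdminCP files under
    a top-level "admin" folder; admin_dir is that folder's (possibly renamed)
    name on the live board. Returns {patch path: "ok"|"missing"|"differs"}.
    """
    patch_dir, board_root = Path(patch_dir), Path(board_root)
    report = {}
    for src in sorted(p for p in patch_dir.rglob("*") if p.is_file()):
        parts = list(src.relative_to(patch_dir).parts)
        key = "/".join(parts)
        if len(parts) > 1 and parts[0] == "admin":
            parts[0] = admin_dir  # step 4: files belong in the renamed folder
        dst = board_root.joinpath(*parts)
        if not dst.is_file():
            report[key] = "missing"
        else:
            report[key] = "ok" if sha256(dst) == sha256(src) else "differs"
    return report

def stray_admin_folder(board_root, admin_dir):
    """True if a plain upload left a new "admin" folder beside the renamed one."""
    return admin_dir != "admin" and (Path(board_root) / "admin").is_dir()

def demo():
    """Constructed trees; the file names are invented for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        patch, board = Path(tmp, "patch"), Path(tmp, "board")
        layout = {  # tree -> {relative path: content}
            patch: {"admin/a.php": b"new", "admin/sub/b.php": b"new", "c.php": b"new"},
            board: {"acp_x/a.php": b"new", "acp_x/sub/b.php": b"old", "admin/a.php": b"new"},
        }
        for root, files in layout.items():
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        return verify_patch(patch, board, "acp_x"), stray_admin_folder(board, "acp_x")

if __name__ == "__main__":
    print(demo())
```

Any entry other than "ok", or a stray "admin" folder on a board whose admin directory was renamed, means the patch has not fully reached the files the board actually serves.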

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
