Security warning system faulty?


Washerhelp


Either something's wrong with the security patch notification system or it's totally misleading.

I logged into my control panel just now and got the following warning

IP.Board Bulletin
It has come to our attention that a security issue is present in IP.Board. We strongly recommend that you follow the link below for instructions on how to patch your community if you have not already done so.

I immediately downloaded the correct patch (V 3.3.4) and uploaded the new file to /admin/sources/base, whereupon the message disappeared when I refreshed the page. Very pleased with myself, I was just about to move on when, seconds after disappearing, the warning re-appeared.

Bugger, I thought, I must have done something wrong. So I double-checked everything and replaced the file again. The same thing happened, so this time, instead of overwriting the file, I deleted it first, then uploaded the new one, but the warning still reappeared.

After triple-checking everything I had to conclude that either the new file hasn't fixed the security issue, or (more likely) the warning is not actually detecting that I have the vulnerable file at all and is just blindly repeating the warning despite the issue having been fixed by me.

Is the warning system faulty?
Is the file not fixing the issue?
Or is it simply that the warning appears to users as though it has detected the vulnerable file, but in fact it has no idea and is just slavishly reporting the issue, oblivious to the fact that it's being sorted?




Applying the patch does not cause the warning to go away - that's actually something we control here at IPS.

You may have hit a point where the message was being re-cached local to your site, which could potentially cause it to not show briefly (though, I'm not sure if the message is actually cached to your local board or not - that's just an assumption because the News Feed is cached).


Thanks for your reply Ryan. When I refresh the page, or revisit the dashboard from elsewhere, the page loads without the message and the message appears after about a 1 second delay. This gives the impression the dashboard is checking which version of the file I have and reporting on it.

If the message is just automatically blasting out the warning, unaware of whether the security issue has been fixed or not, surely it should contain information that this is the case? Otherwise, why wouldn't many people become confused and wonder if they've applied the right patch or if something's gone wrong?

The message should either say it has detected the board is running with the vulnerable file, or it should say after the warning, "You can ignore this warning if you have already updated the file".

Andy


The message should either say it has detected the board is running with the vulnerable file, or it should say after the warning, "You can ignore this warning if you have already updated the file".

Andy


It does:

We strongly recommend that you follow the link below for instructions on how to patch your community if you have not already done so.


Since you have done so, the message indicates you have nothing else to do.

Hi Michael. I can see how technically it can mean that, but I think it isn't really that clear. As ip.board is capable of checking files (as it does with many of the security tools), it isn't clear enough that the system isn't reporting the security issue because it's detecting the vulnerable file version, especially as the message only appears after a second or so, which gave me the impression it was checking.

It would be a big improvement if the warning was much clearer in declaring it is just an automatic (dumb) warning that will continue to warn even when the security fix has been carried out.


We should have the ability to dismiss those notices, imo.

I wouldn't suggest they do that at all. I wonder how many admins (not saying you, just in general) will dismiss a message and then scream foul play when they've not done what they should have and get hacked? It's a notification in the admin panel which is not visible to members, so dismissing it serves no genuine purpose.

I do agree, however, that the wording should be more clear. Not all IPS customers speak English as their primary language (and even some who do may not understand that wording).

It has come to our attention that a security issue is present in IP.Board. We strongly recommend that you follow the link below for instructions on how to patch your community. If you've already done this you can just ignore this message.

That really is far clearer. Alternatively...

It has come to our attention that a security issue is present in IP.Board. If you haven't already done so, you can follow the link below for instructions on how to patch your community.


The warning system is a static message system. The dashboard makes a call to our server and if we have an open message to show, it downloads and shows it. There is no way to check file versions and other similar things (easily) with this type of setup. Additionally, it can be used for things other than alerting the admin that a security patch is available.

We can certainly try to clarify the wording with future messages to prevent confusion.

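The distinction Ryan draws above (a static message pulled from the vendor's server, versus the local file check Andy assumed was happening) is easy to see side by side. The following is an added example written for this page, not IP.Board or IPS code: it models both strategies on a throwaway directory. The bulletin JSON schema, the file name `example.php` under the `admin/sources/base` directory mentioned in the thread, and the "vulnerable" and "patched" file contents are all constructed for the example; only the bulletin wording is taken from the thread.

```python
"""Two ways an admin dashboard can decide whether to show a security bulletin.

Added example for this thread, not IP.Board code. The static strategy mirrors
what IPS describes (show the message whenever the vendor has one open); the
file-aware strategy is what the original poster assumed was happening.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional

# Constructed stand-ins for a vulnerable and a patched copy of one affected
# file. Neither is real IP.Board code.
VULNERABLE_CONTENT = b"<?php // constructed: pre-patch version of an admin file\n"
PATCHED_CONTENT = b"<?php // constructed: version shipped with the patch\n"

# Hypothetical path of the affected file relative to the board root. The
# directory is the one named in the thread; the file name is invented here.
AFFECTED_FILE = "admin/sources/base/example.php"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the JSON a vendor endpoint might return. The schema
# (id, message, affected_files with known hashes) is an assumption of this example.
VENDOR_BULLETIN = json.dumps({
    "id": "bulletin-001",
    "message": "It has come to our attention that a security issue is present in IP.Board. "
               "We strongly recommend that you follow the link below for instructions on how "
               "to patch your community if you have not already done so.",
    "affected_files": {
        AFFECTED_FILE: {
            "vulnerable_sha256": sha256_bytes(VULNERABLE_CONTENT),
            "patched_sha256": sha256_bytes(PATCHED_CONTENT),
        }
    },
})


def fetch_bulletin(raw_json: str) -> dict:
    """Stand-in for the dashboard's call to the vendor server (no network here)."""
    return json.loads(raw_json)


def static_bulletin(bulletin: dict) -> Optional[str]:
    """Static message system: if the vendor has an open message, show it.
    Nothing about the local install is consulted, so patching changes nothing."""
    return bulletin.get("message")


def file_aware_bulletin(bulletin: dict, board_root: Path) -> Optional[str]:
    """Show the message only while an affected file is not verifiably patched.
    Unknown state (file missing, or a hash matching neither known version)
    fails closed: the warning stays up."""
    for rel_path, hashes in bulletin["affected_files"].items():
        local = board_root / rel_path
        if not local.is_file():
            return bulletin["message"]          # cannot verify: keep warning
        digest = sha256_bytes(local.read_bytes())
        if digest == hashes["patched_sha256"]:
            continue                            # this file is fixed
        return bulletin["message"]              # vulnerable or unrecognised copy
    return None                                 # every affected file verified patched


def demo() -> dict:
    """Replay the thread's scenario: file absent, vulnerable file present,
    then the patched file uploaded. Returns what each strategy would display."""
    bulletin = fetch_bulletin(VENDOR_BULLETIN)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / AFFECTED_FILE

        def snapshot() -> dict:
            return {"static": static_bulletin(bulletin),
                    "file_aware": file_aware_bulletin(bulletin, root)}

        missing = snapshot()                    # file not present at all
        target.parent.mkdir(parents=True)
        target.write_bytes(VULNERABLE_CONTENT)
        vulnerable = snapshot()                 # pre-patch install
        target.write_bytes(PATCHED_CONTENT)     # the admin uploads the patched file
        patched = snapshot()
    return {"missing": missing, "vulnerable": vulnerable, "patched": patched}


if __name__ == "__main__":
    for phase, result in demo().items():
        for strategy, msg in result.items():
            state = "WARNING shown" if msg else "no warning"
            print(f"{phase:10} {strategy:10} -> {state}")
```

Run stand-alone, the static strategy reports the warning in all three phases, which is exactly the behaviour Andy observed; the file-aware strategy clears it only once the affected file hashes to the published patched version, and keeps it up when the file is missing or unrecognised. The file-aware variant is not free: the vendor has to publish a hash for every affected file and version, and the admin panel has to be allowed to read those files, which is the "not easily" in Ryan's reply.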

Yes clarification would be a good compromise. I'm definitely not stupid and I got confused. People are often busy and scan messages for the gist of it.

I don't agree that you can't allow such messages to be dismissed though. People don't need that amount of mollycoddling. If they are responsible enough to be running and controlling a forum, with all the complicated settings and decisions to make then they are more than capable of dismissing a message. If possible an "Are you sure" confirmation window requiring a second click should be enough. It seems a blunderbuss approach to display a message for potentially weeks after the user has fixed the problem. Also, what if they start to tune it out and another important message needs bringing to people's attention and they don't read it?


Archived

This topic is now archived and is closed to further replies.
