IPS Community Suite 4.1.11

Released 04/23/2016

This is a security release and we recommend all clients upgrade as soon as possible.

Key Changes

This is a small maintenance release to fix a few issues reported in 4.1.10. In addition to bug fixes and performance improvements, it includes following new/changed features:

  • Integration with SparkPost replaces Mandrill for optional email service as Mandrill is stopping their current service toward the end of April.
  • Questions in Question and Answer forums can now be sorted by most votes.
  • The "All Activity" activity stream now has an RSS feed.
  • The filter bar at the top of the activity stream no longer sticks to the stop of the screen when scrolling.
  • If you receive a browser notification your notification menu will now reload to get the latest notification.
  • More consistent visual feedback when a post submit or edit is processing to reduce duplicates.
  • Sidebar widgets now how rounded corners to match rest of Suite.
  • Recaptcha style is now a per-theme setting.
  • You can now set which theme should be the default for the AdminCP separate to which should be the default for the front-end.

 

Important Note

This is the last release that will support PHP 5.4 as it is end of life and no longer supported by PHP.

Please also note that PHP 5.5 goes full end of life in July 2016 so you should look into upgrading if your web host is using outdated versions. We will not immediately stop supporting PHP 5.5 in July but it may follow soon after.

Additional Information

Important Fixes

In addition to many smaller bug fixes and performance improvements, the following important fixes are included:

  • Guests were able to create streams.
  • Logging into the AdminCP using Microsoft Sign In wasn't working.
  • Pas were missing from the report center.
  • In some circumstances, "0" would be removed from post content.
  • MySQL 5.7 could throw an error when trying to clear out sessions.
  • A recent Chrome update caused ACP search results to not display.
  • Replying to support requests on an iPad wasn't working in some circumstances.

 

Security Fixes

We are engaging in a third-party security audit of IPS Community Suite so you can expect the next few releases to contain a lot of security hardening. Many of these issues are not critical but we do still want to get the updates to you. This release includes fixes for several security issues:

  1. Several CSRF vulnerabilities - most importantly on the process for associating OAuth sign-ins (Facebook, Twitter, etc.) with an account, meaning a malicious user could associate their own OAuth sign-in with another user's account.
  2. A session-hijacking vulnerability where after a login key is reset (such as after a password) since a new key is not immediately generated, the account was vulnerable to hijacking until they sign in again.
  3. A bug which meant the names of forums or other nodes a user did not have permission to access may have been exposed by accessing a particular URL.
  4. Several XSS vulnerabilities meaning if a malicious user could convince another user to perform particular steps, limited arbitrary JavaScript could be executed.
  5. A vulnerability where if using the "Download Member List" feature and opening the file with certain applications, malicious user data could cause expressions to be evaluated.

And several security improvements:

  1. Any existing sessions for a member are now cleared if they change their password, meaning users signed in on multiple devices will need to sign in again after a password change.
  2. A more secure hash generation algorithm is now used for login keys. 

 

Information for 3rd party developers

  • ModCpMemberManagement can now return NULL to not display the tab.
  • CKEditor has been updated to 4.5.8.