IPS Community Suite 4.1.9

Released 03/21/2016

This is a security release and we recommend all clients upgrade as soon as possible.

Key Changes

This release fixes reported issues from clients in our bug tracker and support tickets and adds refinement to existing features.

New or Changed Features

  • When a link auto-embeds in a post (for example an image, YouTube video or Twitter link), an option will now display to revert the embed to a plain text link if you do not want the embed.
  • New setting to disable embedding.
  • Facebook/Twitter integration improvements.
  • If you are an administrator and encounter a system error, additional debug output will now display. Regular members will see the normal error message.
  • Custom Fields for Support Requests in Commerce now show on the front-end.
  • If an advertisement is set up with a main image, but not smaller images for tablets/mobiles, the ad would not show at all on tablets/mobiles. This has changed so the main image will display on all devices unless smaller images are provided.
  • Topics scheduled to automatically lock or unlock will now reflect this in the topic listing and when viewing the topic.
  • Placing a link to a Facebook status will embed when possible.
  • When viewing a report, the container (for example, the forum) the content is from is displayed.
  • Three character searches are now allowed in the Admin CP Live Search.
  • The Account Settings page now uses vertical rather than horizontal tabs to prevent overflow.
  • If Gravatar is enabled and a user has not defined a profile photo, their email address will be used to fetch a photo from Gravatar unless explicitly set not to.
  • Gfycat embeds now use their oEmbed endpoint rather than their JS API.
  • Using Amazon CloudFront as the HTTPS provider will now be recognized as a valid secure connection.
  • The member REST API endpoint will now return custom fields.
  • The Developer Center for Plugins now shows the filename in the list of hooks, and when editing a hook, a breadcrumb includes a link back to the list.
  • Inline notifications can now be dismissed.
  • Efficiency improvements to the search index.
  • You can now close a poll independently of the topic.


Important Fixes

In addition to dozens of smaller fixes, this release includes fixes for the following items that impacted many clients:

  • Several security enhancements.
  • The posting parser has been made more efficient.
  • Some BBCode does not parse correctly in version 4 and we have applied some fixes for this. In general BBCode is deprecated so we only provide basic support.
  • Sitemaps could sometimes be blank if there was no content in a specific section.
  • Certain URLs from version 3 were not redirecting properly to the new version 4 format.
  • The timezone detection is now more robust and will fail more gracefully if it cannot determine a visitor's timezone.
  • Permission matrices have been reworked to send less data to prevent exceeding server limitations.
  • Decimal handling has been reworked in Commerce for more precise calculations.
  • The database class now handles InnoDB deadlocks more gracefully, and some queries have been changed to reduce the likelihood of deadlocks.
  • Performance improvements to areas which perform large updates on the members table (for example, when editing permissions).
  • Pages 'number' custom fields previously had an upper limit for submitted values around 2 billion.
  • Multiple fixes for tag searching.

Additional Information

Security Enhancements:

  1. Some potential issues have been brought to our attention with MD5 checks within the suite, including:

    1. In very specific situations, it can be possible to trick certain MD5 checks into passing when the supplied MD5 hash does not actually match.
    2. Due to the way PHP compares strings, it is theoretically possible under very controlled conditions to brute-force certain MD5 checks by measuring the response time.
    3. When logging out or changing one's password, the key used to automatically authorize a user on subsequent visits was not appropriately reset. This meant that if someone had access to a machine you had previously logged in on (and you had not logged in again since logging out), it may have been possible to reclaim the session.
    4. In addition to the above, we have also added additional entropy to the generation of certain hashes.

    While these issues are mostly theoretical in nature, they have been addressed in 4.1.9. We would like to thank Ian Carroll for bringing these issues to our attention. We do not use MD5 hashing as part of our password checking, so none of these issues apply to the method used for password encryption.

  2. We have resolved an XSS vulnerability. Though we employ techniques to limit the damage possible with XSS vulnerabilities, they can be used to cause annoyance and for social engineering attacks. We would like to thank LinusMediaGroup for bringing this issue to our attention.

  3. We have added noopener and noreferrer to the rel attribute on outgoing links to alleviate certain types of social engineering attacks.

  4. We have resolved an issue where under certain circumstances users could delete attachments without permission. We would like to thank https://www.malwarebytes.org/ for bringing this issue to our attention.
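As an added illustration of the MD5 comparison and session-key issues described in item 1 (example code, not IPS Community Suite's own; the function names are hypothetical and PHP 7 or later is assumed), the weak and hardened forms of a hash check side by side, plus a key rotation on logout:

```php
<?php
declare(strict_types=1);

// Added example, not IPS Community Suite code. Function names are hypothetical.
// Assumes PHP >= 7.0 (hash_equals and random_bytes are available).

// WEAK: a loose comparison between two MD5 hex digests. PHP compares two
// numeric-looking strings (such as "0e" followed only by digits, which parses
// as a float in exponent notation) as numbers, so two different digests of
// that form compare as equal. For non-numeric strings `==` compares byte by
// byte and can return at the first mismatch, so its running time can depend
// on the length of the matching prefix.
function weakMd5Check(string $expectedHash, string $suppliedHash): bool
{
    return $expectedHash == $suppliedHash;
}

// HARDENED: reject anything that is not a 32-character lowercase hex digest,
// then compare with hash_equals(), which is strict and constant-time.
function hardenedMd5Check(string $expectedHash, string $suppliedHash): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $suppliedHash)) {
        return false;
    }
    return hash_equals($expectedHash, $suppliedHash);
}

// Item 1.3: on logout or password change, replace the "remember me" key
// with a fresh random value so any copy held on another machine stops
// working. The key would normally be persisted to the member's row.
function rotateRememberMeKey(array &$memberRecord): string
{
    $memberRecord['remember_key'] = bin2hex(random_bytes(32));
    return $memberRecord['remember_key'];
}

// Constructed values: two syntactically valid but different "digests" that
// both read as the number zero in exponent notation. Neither is the real
// MD5 of anything in particular.
$stored   = '0e111111111111111111111111111111';
$supplied = '0e222222222222222222222222222222';

var_dump(weakMd5Check($stored, $supplied));      // loose comparison
var_dump(hardenedMd5Check($stored, $supplied));  // strict comparison

$member = ['remember_key' => 'old-key-placeholder'];
$fresh  = rotateRememberMeKey($member);
var_dump($fresh !== 'old-key-placeholder' && strlen($fresh) === 64);
```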


Activity Stream Improvements

The activity stream has a new toggle and filter bar that replaces the "Edit Form" link. It is now faster and easier to customize existing streams and to change the filtering options without having to create new streams.

(Screenshot: Content I Started - IPS Community Suite)


Example of "un-embed" option



Facebook/Twitter integration improvements

  • If signed in with Facebook or Twitter, when posting a status update, a checkbox to share on these services appears instead of the old setting to export statuses in the account settings panel. This change ensures IPS4 conforms with Facebook's Terms & Conditions and will pass Facebook's App Review.
  • When setting up Facebook integration, a new setting allows disabling status imports so you do not need to go through Facebook's App Review if you only want to allow users to sign in with Facebook and not integrate with status updates.
  • When setting up Facebook or Twitter integration, the setting to allow automatic sharing is now shown there as well as in the sharing settings, so it is easier to enable this feature.
  • Facebook integration has been updated to use their latest API endpoints.

A new guide will be available after 4.1.9's release to explain in detail how to go through Facebook's App Review process.