Topic: PunBB 1.2.20 and 1.3RC hotfix released

PunBB 1.2.20 and 1.3RC hotfix released today.

The XSS via the "p" GET parameter is fixed. Reported by Henry Sudhof.

The proof of concept:

userlist.php?p=2<script>alert('meh');</script>

Clicking a link like this results in script execution: http://punbb.informer.com/forums/userli … /script%3E
This XSS doesn't work at PunBB Forums anymore, as the hotfix has just been released and installed. As usual, PunBB 1.3RC administrators will see an alert (as soon as they log in to the forum) and will be able to install the hotfix with several clicks.

This bug cannot be used directly in PunBB 1.2, but can appear in mods using the page number set by PunBB: check your mods for the correct page number screening.

Visit Downloads page for the PunBB 1.2.20 packages and patches. Or get the latest revision from SVN trunk.

Carpe diem

Re: PunBB 1.2.20 and 1.3RC hotfix released

Updated smile

Darmowe forum - Polish free forum hosting

Re: PunBB 1.2.20 and 1.3RC hotfix released

changelog http://punbb.informer.com/download/chan … 1.2.20.txt => 404 :rolleyes:

Re: PunBB 1.2.20 and 1.3RC hotfix released

compdocs2 wrote:

changelog http://punbb.informer.com/download/chan … 1.2.20.txt => 404 :rolleyes:

Fixed. Thanks! ))

Carpe diem

Re: PunBB 1.2.20 and 1.3RC hotfix released

I don't understand, so many files to update just to change copyright info. Why is it so important? I have many mods installed with PunBB. I had to update every file manually. sad

Web developer (php/.net) Hardcore gamer :D

Re: PunBB 1.2.20 and 1.3RC hotfix released

sourabh wrote:

I don't understand, so many files to update just to change copyright info. Why is it so important? I have many mods installed with PunBB. I had to update every file manually. sad

See this post

Carpe diem

Re: PunBB 1.2.20 and 1.3RC hotfix released

Anatoly wrote:
sourabh wrote:

I don't understand, so many files to update just to change copyright info. Why is it so important? I have many mods installed with PunBB. I had to update every file manually. sad

See this post

Hmm, I got the point. One more thing... I updated 1.12.17 to 1.12.20. Will this update have all the changes that were in the 1.12.19 update?

Web developer (php/.net) Hardcore gamer :D

Re: PunBB 1.2.20 and 1.3RC hotfix released

sourabh wrote:

Hmm, I got the point. One more thing... I updated 1.12.17 to 1.12.20. Will this update have all the changes that were in the 1.12.19 update?

You mean you used the 1.217 to .20 patch. Yes, it must include all the changes: 1.2.17->.18->.19->.20.

Carpe diem

Re: PunBB 1.2.20 and 1.3RC hotfix released

Anatoly wrote:
sourabh wrote:

Hmm, I got the point. One more thing... I updated 1.12.17 to 1.12.20. Will this update have all the changes that were in the 1.12.19 update?

You mean you used the 1.217 to .20 patch. Yes, it must include all the changes: 1.2.17->.18->.19->.20.

I used this archive (http://punbb.informer.com/download/punb … _files.zip)

Web developer (php/.net) Hardcore gamer :D

Re: PunBB 1.2.20 and 1.3RC hotfix released

sourabh wrote:

I used this archive (http://punbb.informer.com/download/punb … _files.zip)

The same idea.
Though, it would be easier for you to apply the patch if you have many mods installed.

Carpe diem

Re: PunBB 1.2.20 and 1.3RC hotfix released

Anatoly wrote:
sourabh wrote:

I used this archive (http://punbb.informer.com/download/punb … _files.zip)

The same idea.
Though, it would be easier for you to apply the patch if you have many mods installed.

Can you point me to the thread that gives more details about this?

Web developer (php/.net) Hardcore gamer :D

Re: PunBB 1.2.20 and 1.3RC hotfix released

sourabh wrote:

Can you point me to the thread that gives more details about this?

Try this instruction for PunBB updates or this article for the general idea.

Carpe diem


Re: PunBB 1.2.20 and 1.3RC hotfix released

Fixed too~~~~. Thanks! ))


Re: PunBB 1.2.20 and 1.3RC hotfix released

Anatoly wrote:

This bug cannot be used directly in PunBB 1.2, but can appear in mods using the page number set by PunBB: check your mods for the correct page number screening.

Hi,

I'm sorry, but I don't understand what you mean by "page number set by PunBB".
I am using some MODS, so what do I need to search for and change in my files? Can you be more explicit, please?

Regards.

Re: PunBB 1.2.20 and 1.3RC hotfix released

Isula wrote:

I'm sorry, but I don't understand what you mean by "page number set by PunBB".
I am using some MODS, so what do I need to search for and change in my files? Can you be more explicit, please?

PunBB sets the $p (page number) variable from the GET parameters.
If one of your mods uses this $p variable, it should do its own checks on the value, or at least force this variable to be an integer.

Carpe diem
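As an added illustration of the check described above (example code, not PunBB's own; the function names are hypothetical and the request array is constructed), the weak pattern beside the hardened one:

```php
<?php
// Added example, not PunBB's own code. Function names are hypothetical and
// chosen for this illustration; the request array is constructed inline.

// Weak pattern: the raw "p" query value is trusted as the page number.
function read_page_number_unsafe(array $get): string
{
    return isset($get['p']) ? $get['p'] : '1';
}

// Hardened pattern: non-numeric input is rejected, the value is forced to
// an integer and clamped to the real page range, so only digits reach HTML.
function read_page_number_safe(array $get, int $num_pages): int
{
    if (!isset($get['p']) || !is_numeric($get['p'])) {
        return 1;
    }
    $p = intval($get['p']);
    return max(1, min($p, $num_pages));
}

// Renders a "Page N of M" line plus a self link, the way a mod might.
function paging_links(string $script, $p, int $num_pages): string
{
    return '<p>Page ' . $p . ' of ' . $num_pages . '</p>'
         . '<a href="' . $script . '?p=' . $p . '">Current page</a>';
}

// Constructed request carrying the same value as the thread's proof of concept.
$constructed_get = ['p' => "2<script>alert('meh');</script>"];
$num_pages = 5;

// Unsafe path: the markup is copied into the page verbatim.
$unsafe = paging_links('userlist.php', read_page_number_unsafe($constructed_get), $num_pages);
assert(strpos($unsafe, '<script>') !== false);

// Safe path: is_numeric() rejects the payload and the fallback page 1 is used.
$safe = paging_links('userlist.php', read_page_number_safe($constructed_get, $num_pages), $num_pages);
assert($safe === '<p>Page 1 of 5</p><a href="userlist.php?p=1">Current page</a>');

// A legitimate but out-of-range request is clamped instead of trusted.
assert(read_page_number_safe(['p' => '99'], $num_pages) === 5);
assert(read_page_number_safe(['p' => '-3'], $num_pages) === 1);
echo "checks passed\n";
```

Forcing the value to an integer is enough here because a page number has no legitimate non-digit form; a value that must be rendered as free text would need htmlspecialchars() at output instead.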


Re: PunBB 1.2.20 and 1.3RC hotfix released

Ok thanks,

With a small program I searched my MODS' files and didn't find a $p variable, but maybe I did it wrong... It's easy for me to search for any word or line in any folder with one click, so tell me if $p is enough or if I need to search for something else... Thank you for your patience.

P.S.: the program I use is free, helpful and is named PRGrep.

Re: PunBB 1.2.20 and 1.3RC hotfix released

Isula wrote:

With a small program I searched my MODS' files and didn't find a $p variable, but maybe I did it wrong... It's easy for me to search for any word or line in any folder with one click, so tell me if $p is enough or if I need to search for something else...

Looks like it is all OK with your forum (regarding the possible issues related to the forum's core).
(This is an example of where there was lack of value checks: http://punbb.informer.com/trac/browser/ … t.php#L128.)

Good luck.

Carpe diem

(edited by Isula 2008-11-05 09:32)

Re: PunBB 1.2.20 and 1.3RC hotfix released

Thanks Anatoly,

I completed my search with $_GET['p'], ['p'] and $p = and didn't find anything in my MODS, so it's OK for me, because I remember that I made the !is_numeric($_GET['p']) || changes when I updated my forum to 1.2.20.

Thanks again...