Topic: PunBB 1.2.2

Today brings the release of PunBB 1.2.2. This release has been made primarily to deal with a number of security vulnerabilities in PunBB 1.2/1.2.1. PunBB 1.2.2 fixes a number of SQL injection vulnerabilities in register.php, profile.php and moderate.php (posted to Bugtraq a few hours ago) as well as a file disclosure vulnerability in admin_loader.php. On top of this, a small number of non-security related bugs have been addressed. PunBB 1.2.2 is a recommended upgrade for everyone.

It should be noted that PunBB 1.1.* might very well be affected by some of these vulnerabilities as well, so if you're still running PunBB 1.1.*, I recommend that you at least apply the fixes in changeset 101.

I would like to thank Smartys for reporting the admin_loader.php bug and giving me time to fix it. I would also like to thank John Gumbel for reporting the other vulnerabilities even though I would have preferred more than ~20 minutes to release a bugfix version prior to the Bugtraq posting ;)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.2

Damn... I just modded 1.2.1, thinking it'd be a long while until the next update. Oh well.

3 (edited by lament 2005-02-24 23:03)

Re: PunBB 1.2.2

ha me too.  but i think i'll upgrade right now.

Rickard does this affect your News Module plugin (that i was just going to install) or RSS feeds?

Re: PunBB 1.2.2

lament: Nope.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

5 (edited by lament 2005-02-24 23:08)

Re: PunBB 1.2.2

can you be in maintenance mode while upgrading?

Re: PunBB 1.2.2

Sure.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.2

worked like a champ. thanks!

now off to install the news mod..

Re: PunBB 1.2.2

I just did it ;)

thanks, it's very easy.

I explain to the "frenchies" how to do it here: http://punbb.org/forums/viewtopic.php?id=6466

Re: PunBB 1.2.2

No problem Rickard, always a pleasure to help out :)

10 (edited by hcgtv 2005-02-25 01:00)

Re: PunBB 1.2.2

Upgraded to 1.2.2 - copied over changed files, ran the upgrade script.

All okiedokie :)

Thanks Rickard.

11 (edited by Bassguy 2005-02-25 01:57)

Re: PunBB 1.2.2

It seems to have removed my link to my Private Messages, but that's nothing a little "additional menu items" won't fix.

Otherwise, it worked perfectly.

Re: PunBB 1.2.2

You probably don't want to do that.

Follow the directions from the installer for header.php.

If you don't you won't see the 'There are new messages' link.

Indocron
$theQuestion = (2*b) || !(2*b);

13 (edited by Ataxy 2005-02-25 04:06)

Re: PunBB 1.2.2

ok i have updated my forum to the v1.2.2. the installation went smooth, except that now when i load my forum i get this appearing at the top of it, but it still loads

Notice: Undefined index: o_additional_navlinks in /home/vhost/d-vault.peerforces.com/html/forum/include/functions.php on line 271

i don't know if someone can shine some light on what's the problem

Re: PunBB 1.2.2

you have to go to 1.2.1 before going to 1.2.2 i think?

it looks like the 1.2.2 install works on 1.2 but it shouldn't

15

Re: PunBB 1.2.2

so if i edit all the files manually will i then be able to run the update script?

-gezz

Re: PunBB 1.2.2

Oh man. I'm such a moron!

gezz: You need to do the following:

1. Run the following query: INSERT INTO config (conf_name, conf_value) VALUES('o_additional_navlinks', NULL);
2. Delete the php scripts in the cache folder.

That should do it. If you use a table prefix, you should put that in front of "config" in the query above.

I will fix this as soon as I get back from work.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

17

Re: PunBB 1.2.2

ok thx rickard. next question is for connord: i have the database plugin and i am trying to run this query:

INSERT INTO config (conf_name, conf_value) VALUES('o_additional_navlinks', NULL);

but once i submit the query i always get a page telling me:

SQLerror

also rickard, do i delete all the php scripts that are in the cache or some in particular?

Re: PunBB 1.2.2

What does the SQL error say?

You can delete all PHP scripts in the cache folder.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

19

Re: PunBB 1.2.2

ok all i get is SQLerror
http://www.sitesled.com/members/ataxy/sqlerr.JPG

i have also noticed that in the administrator/option/Additional menu item section of my forum there is this html code in the box

<br />
<b>Notice</b>:  Undefined index:  o_additional_navlinks in <b>/home/vhost/d-vault.peerforces.com/html/forum/admin_options.php</b> on line <b>468</b><br />

Re: PunBB 1.2.2

if you are running it through the db plugin try this

INSERT INTO #__config (conf_name, conf_value) VALUES('o_additional_navlinks', NULL);

21

Re: PunBB 1.2.2

thx connord it worked perfectly
and thx rickard for such a great forum

22 (edited by gezz 2005-02-25 22:37)

Re: PunBB 1.2.2

Rickard wrote:

Oh man. I'm such a moron!

gezz: You need to do the following:

1. Run the following query: INSERT INTO config (conf_name, conf_value) VALUES('o_additional_navlinks', NULL);
2. Delete the php scripts in the cache folder.

That should do it. If you use a table prefix, you should put that in front of "config" in the query above.

I will fix this as soon as I get back from work.

i'm updating from 1.2.1 so theoretically couldn't i just use the install script? the reason why i want to manually update is because i don't want to lose all my mods and layout changes

-gezz

Re: PunBB 1.2.2

the install script just changed the version number for 1.2.1 to 1.2.2 i think

Re: PunBB 1.2.2

There, now the update script has been, well, updated :) Instead of limiting it to updates from only 1.2.1, I made it work with both 1.2 and 1.2.1.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

25

Re: PunBB 1.2.2

okay, now i'm just confused... what exactly do i have to do to go from 1.2.1 to 1.2.2 manually? (as in edit the files by hand)

-gezz