Topic: PunBB 1.2.9

Just a quick note this time. This release is a very small update that fixes an SQL injection vulnerability in search.php that is exploitable in PHP environments with register_globals enabled. Beginning with 1.2.9, PunBB also implements a method for reversing the effects of register_globals (thanks Stefan Esser!). What this means is that register_globals should no longer be a problem. If a variable is instantiated as a result of register_globals being enabled, it will be unset by PunBB. Yay! Something to note about this new mechanism is that if you have integrated your PunBB install with other code, for example by including PHP code in your templates, that code must be able to function properly with register_globals disabled. If it does not, you will have to temporarily disable the call to unregister_globals() in include/common.php until you can update your code.

Thanks a lot to "Devil_box of KAPDA" for posting an advisory on the SQL injection without even notifying me of it. Much appreciated! sad Proper thanks go out to Paolo Gabrielli for telling me about the advisory. Someone else posted a topic in the forums about the advisory, but I deleted it. Please e-mail security related information to security @ this domain.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
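As an added example (not PunBB's own code and not the 1.2.9 patch), this is what "reversing the effects of register_globals" looks like in PHP, followed by the class of uninitialised-variable bug it neutralises. It assumes PHP 5.x, where register_globals still exists; `search_order_clause()`, `$sort_by` and the injected string are hypothetical names and constructed input, and nothing here reproduces the actual search.php issue, which the post does not detail.

```php
<?php
// Added example, not PunBB's own code. Reverses the effect of register_globals
// the way the announcement describes: every global variable that was created
// from request data is unset, so scripts see exactly what they would see with
// register_globals=Off. Assumes PHP 5.x where register_globals still exists.

function unregister_globals()
{
    // ?GLOBALS[foo]=bar would let an attacker overwrite any variable; refuse it.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']))
        die('Attempt to overwrite $GLOBALS detected.');

    // Superglobals and $GLOBALS itself must survive.
    $no_unset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_SERVER', '_ENV', '_FILES');

    // Every key of these arrays was also registered as a global variable.
    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
        (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array());

    foreach ($input as $k => $v)
    {
        if (!in_array($k, $no_unset) && isset($GLOBALS[$k]))
            unset($GLOBALS[$k]);   // drops the global variable itself
    }
}

// The class of bug this closes: a variable the script only assigns on one
// path but reads unconditionally. $sort_by is a hypothetical name.
function search_order_clause()
{
    global $sort_by;
    if (isset($_GET['by_subject']))
        $sort_by = 'subject';
    // With register_globals=On and no unregister_globals(), a request such as
    // ?sort_by=posted%20UNION%20... reaches this concatenation untouched.
    return isset($sort_by) ? ' ORDER BY ' . $sort_by : '';
}

// Hardened version: never rely on a global being unset; whitelist the value.
function search_order_clause_safe()
{
    $allowed = array('subject', 'posted');
    $sort_by = (isset($_GET['sort_by']) && in_array($_GET['sort_by'], $allowed, true))
        ? $_GET['sort_by'] : 'posted';
    return ' ORDER BY ' . $sort_by;
}

// Constructed demonstration: simulate what register_globals=On does for
// ?sort_by=... (the global exists before any script code runs), then show
// unregister_globals() removing it.
$_GET['sort_by'] = 'posted UNION SELECT password FROM users';   // constructed input
$GLOBALS['sort_by'] = $_GET['sort_by'];                           // what register_globals would do

echo "before: " . search_order_clause() . "\n";      // attacker's string is concatenated
unregister_globals();
echo "after:  '" . search_order_clause() . "'\n";    // empty: $sort_by no longer exists
echo "safe:   " . search_order_clause_safe() . "\n"; // falls back to 'posted'
```

The demo calls `unregister_globals()` unconditionally because it fills `$GLOBALS` by hand; in a real install it only needs to run when `ini_get('register_globals')` is on, which is how the post describes the guard in include/common.php. The caveat in the announcement follows directly from the loop: any template or plug-in code that reads `$foo` expecting it to come from `?foo=` will find it unset and has to read `$_GET['foo']` or `$_POST['foo']` instead.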

Re: PunBB 1.2.9

Ok, I'll do that from now on, I just thought that you guys should know tongue

Good to know it helped (and you noticed it much faster through me posting it on the forum than if you were scouring the security boards). Now you have to change the Announcement once again - and realise that there's nothing left after 1.2.9 except 1.3 wink

Re: PunBB 1.2.9

IdleFire wrote:

there's nothing left after 1.2.9 except 1.3 wink

What about 1.2.10 then? smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: PunBB 1.2.9

You copy phpBB smile


Re: PunBB 1.2.9

Hmmm.... what about 1.2.9.1 ?)))

Hm... every pixel has its own destiny

Re: PunBB 1.2.9

How about changing the Announcement box to reflect the new version of PunBB?

Re: PunBB 1.2.9

CodeDuck wrote:

How about changing the Announcement box to reflect the new version of PunBB?

I was just about to dammit smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.9

lol My first update! Hope it works out well (newbie, you see).

Parimal Satyal - Powermetal from Nepal

Re: PunBB 1.2.9

Thank you for this fast update, Rickard.
Patching is my will, just do it smile

Re: PunBB 1.2.9

This is amazing! I never thought updating would be so easy... Rickard, I must say, PunBB is awesome! So fast, customizable and... easy. I'm sure this is a easy update, but I'm proud: http://www.powerofmetal.net/forum/ wink

Thanks!

Parimal Satyal - Powermetal from Nepal

Re: PunBB 1.2.9

Upgraded using the DIFF.
Flawless! Whee!

Re: PunBB 1.2.9

I got a problem with the 1.2.9 with my own plugin ...
To still use my plug-in, I have to comment this out in common.php:

// Reverse the effect of register_globals
if (@ini_get('register_globals'))
    unregister_globals();

If someone can explain to me why...

Re: PunBB 1.2.9

fpouget: We'd have to see the code to see what's wrong with it. Maybe you should start out by reading a bit about register_globals.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

14 (edited by creaturecorp 2005-10-16 20:05)

Re: PunBB 1.2.9

What if we've modded our punbb to death so it's hardly recognizable as punbb? It would be wiser to update manually, correct?

I don't HAVE a signature, ok?


Re: PunBB 1.2.9

I just upgraded to 1.2.9 myself. So far so good. smile

Re: PunBB 1.2.9

creaturecorp wrote:

What if we've modded our punbb to death so it's hardly recognizable as punbb? It would be wiser to update manually, correct?

Yes, use the hdiff or patch it using the diff.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: PunBB 1.2.9

I use Beyond Compare: http://www.scootersoftware.com/

It's been an invaluable tool for making changes to my online sites and comparing CVS changes, etc.

If you make mods, this will let you compare your sources side by side and let you move over your changed lines to the new sources.

Download a trial and check it out, worth the money.

Re: PunBB 1.2.9

Arcane way of doing things. One really needs plugins.

Re: PunBB 1.2.9

Hello, me again. I am currently running 1.2.7, so do I need to upgrade first to 1.2.8 and then to 1.2.9, or can I go straight to 1.2.9?

Re: PunBB 1.2.9

What's "diff"? I'll go on a search for these tools for Mac now... seems I'll need it for later.

Parimal Satyal - Powermetal from Nepal


Re: PunBB 1.2.9

Italiano wrote:

Hello, me again. I am currently running 1.2.7, so do I need to upgrade first to 1.2.8 and then to 1.2.9, or can I go straight to 1.2.9?

As far as I know you can upgrade straight to 1.2.9. It is the current download. All the other and past upgrades are in 1.2.9.

Re: PunBB 1.2.9

Jérémie wrote:

Arcane way of doing things. One really needs plugins.

Huh? Plugins won't do you any good if the source needs to be updated.

And by the way, don't worry. 1.3 will have proper plugin support.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.9

livatlantis wrote:

What's "diff"? I'll go on a search for these tools for Mac now... seems I'll need it for later.

They're probably built into mac, with Darwin. Ever used the terminal?

I don't HAVE a signature, ok?


Re: PunBB 1.2.9

Thanks, upgrade wasn't a problem at all.

livatlantis wrote:

This is amazing! I never thought updating would be so easy... Rickard, I must say, PunBB is awesome! So fast, customizable and... easy. I'm sure this is a easy update, but I'm proud: http://www.powerofmetal.net/forum/ wink

Thanks!

Nice skin (:


Re: PunBB 1.2.9

How can I open my forum shell to use the following patch commands?