Topic: PunBB 1.2.11

Here's a short message announcing 1.2.11. This release has been made primarily to address an issue with the registration script that allowed a malicious user to perform a denial-of-service attack. PunBB 1.2.11 adds code to the registration script that prevents these flood registrations (an hour has to pass between registrations from the same IP). On top of this, an XSS vulnerability has been addressed.

For those of you not afraid to edit the scripts manually, here are the two changes:

http://dev.punbb.org/changeset/336
http://dev.punbb.org/changeset/335

Thanks to the people who alerted me via e-mail about the circulation of an "exploit" for the DoS attack.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.11

smile Maybe in a future version (1.3 hopefully) add the ability to set the timeout time in the admin options?

Re: PunBB 1.2.11

Thanks. Update was a breeze as usual, and the flood fix works fine on my forum.

Looking for a certain modification for your forum? Please take a look here before posting.

4

Re: PunBB 1.2.11

Wow! It's not really smile

If you want a Job done right, you do it yourself!

5 (edited by andrewteg 2006-02-28 21:30)

Re: PunBB 1.2.11

wow, installed in the morning and already an update in the afternoon smile  glad to see it's being very supported and upgrade was a breeze!

Thanks,
Andrew

6

Re: PunBB 1.2.11

Thanks Rickard, updated my forum, I had registrations off after reading the forum this morning.

May need to change: If I were you, I'd update to PunBB 1.2.10!

Re: PunBB 1.2.11

Thanks, it's about time. smile This will help a lot with the auto registrations that have been going on.

I don't HAVE a signature, ok?

8 (edited by zaher 2006-02-28 22:21)

Re: PunBB 1.2.11

One hour is too long, all my user come in my country are behind one proxy, that make a problem so 1 minute is good i will change it by my hand 3600 -> 60, but i prefer put it in Config.php as variable

EDIT:
In fact there 3 ISP in my country but the 2 of them are new to the market.

If your people come crazy, you will not need to your mind any more.

9 (edited by Jansson 2006-02-28 22:36)

Re: PunBB 1.2.11

The bug:

     // START SUBST - <pun_page>  
$tpl_main = str_replace('<pun_page>', basename($_SERVER['PHP_SELF'], '.php'), $tpl_main);  
$tpl_main = str_replace('<pun_page>', htmlspecialchars(basename($_SERVER['PHP_SELF'], '.php')), $tpl_main);  
// END SUBST - <pun_title>

Should be "// END SUBST - <pun_page>" .... right?

Re: PunBB 1.2.11

zaher: Are you saying ALL users from syria use the same IP?

Jansson: Yes, but I didn't want to fiddle with that now. It would just confuse people.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

11 (edited by Reines 2006-02-28 22:50)

Re: PunBB 1.2.11

Upgraded thanks. (Even though I have image verification installed anyway, which also blocks out any chance of a DoS attack on the registrations).

12

Re: PunBB 1.2.11

Not all, but Most of them. may there is about 10 server take IPs shared for all. it always make problem.
My ip in your forum is one of it,maybe changed every connection to Dialup and some time every visit to page (believe me) depend on traffic on servers you can notice that by this posts, not just Syria but all countries working to control everything.

If your people come crazy, you will not need to your mind any more.

13

Re: PunBB 1.2.11

Fix'd tnx!

it's just me...

Re: PunBB 1.2.11

Updated the UK PunBB mirror to reflect this. smile

Proud hoster of PunBB's UK download mirror!

Re: PunBB 1.2.11

Nice!! It works!! lol thanks for keeping us safe!

My PunRes Wiki Mods:
1.) Remove Post Icon in View Topic And in Index
2.) Bold Links In Header
[img]http://www.the-artbreak.com/forum/img/smilies/socom.png[/img]

Re: PunBB 1.2.11

As much as I hate updating, it's always good to be secure. Thanks, Rickard.

Re: PunBB 1.2.11

You should consider extracting the message to the user into the language files in 1.3. smile

18 (edited by Frank H 2006-03-01 16:40)

Re: PunBB 1.2.11

updated smile
(within 24 hours as usual ... although I almost missed it as I was so used with the notice for 1.2.10 tongue)

Re: PunBB 1.2.11

zaher wrote:

One hour is too long, all my user come in my country are behind one proxy, that make a problem so 1 minute is good i will change it by my hand 3600 -> 60, but i prefer put it in Config.php as variable

I used 900 (=15') here smile

[no signature]

Re: PunBB 1.2.11

For French :

   

// Check that someone from this IP didn't register a user within the last hour (DoS prevention)
     $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
      if ($db->num_rows($result))
     message('Un nouvel utilisateur a été enregistré avec la même adresse IP que vous dans la dernière heure. Pour empêcher l\'inondation d\'enregistrement, au moins 1 heure doit passer entre des enregistrements du même IP. Désolé de l\'inconvénient.');

21

Re: PunBB 1.2.11

If someone make a bad entry at registration (for e.g. too short password), he has to wait one hour to reenter the right data? He only sees an unclickable button nad has no idea that's for preventing of denial-of-service-attack...

Re: PunBB 1.2.11

f10 no, only actual registrations count, the submit button always greys out when you click it to stop double clicks by accident, just press back when you see the password is too short.

23

Re: PunBB 1.2.11

// Check that someone from this IP didn't register a user within the last hour (DoS prevention)   
         $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());   
   
         if ($db->num_rows($result))   
                 message('A new user was registered with the same IP address as you within the last hour. To prevent registration flooding, at least an hour has to pass between registrations from the same IP. Sorry for the inconvenience.');

for bosnian/croatian/serbian modifications

   
// Check that someone from this IP didn't register a user within the last hour (DoS prevention)   
         $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());   
   
         if ($db->num_rows($result))   
                 message('Novi korisnik je prije otprilike sat vremena ve? registrovan sa istom IP adresom. Radi za?tite od flood-a s istom IP adresom mo?ete se registrovati tek poslije sat vremena. Ukoliko imate dodatnih pitanja, kontaktirajte administratora!');
it's just me...

Re: PunBB 1.2.11

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

Re: PunBB 1.2.11

Connorhd wrote:

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

Registering legitimately wink
And it does matter if they don't speak English tongue