Topic: PunBB 1.2.13
Yesterday, I posted about the supposed "poison NULL byte vulnerability". I ranted on about how PunBB wasn't vulnerable and how I disliked the way vulnerability databases worked. Guess what? I was wrong! Through the help of a very nice editor at CVE, I was able to get in touch with the researcher behind the report and he clarified the issue for me. I had completely misunderstood what the vulnerability was about. Turns out I was wrong both on the vulnerability and in my generalization of how bad vulnerability databases work. I'm sorry for that.
So, today I have the pleasure of announcing PunBB 1.2.13. A release I've internally dubbed the "I'm a moron" release. PunBB 1.2.13 deals with the NULL byte injection vulnerability and adds support for HttpOnly cookies. The NULL byte injection is only exploitable by administrators so there's no need to rush. Nevertheless, I recommend that everyone upgrade.
Small note: If you have a look at the patch and the hdiff for this release, you'll notice there are what appears as non-existent changes in the unregister_globals() function. Nevermind these. It's just an update to get rid of some Windows style linebreaks.
Over and out.