By BBC, I think he means British Broadcast Company's website.

2

(48 replies, posted in PunBB 1.3 extensions)

You are absolutely right and I think that it's better if only super admins can edit fields where you can put HTML. Anyway, I fixed this problem on my forums; every field is filtered, in the admin panel too.

Sorry for my poor English

3

(48 replies, posted in PunBB 1.3 extensions)

Garciat wrote:

Now, why would an ADMIN exploit this vulnerability? After all, this extension's configuration can only be edited by admins.

Also, there's a message saying:

Please, don't use any HTML, BBCode or harmful characters.

on the configuration page, so I'm not really worried about this.

Thanks anyways, I appreciate your concern.

I know that only admins can access your extension, but it can be dangerous anyway. Example:

You have another admin on the forum, and he wants your password. By exploiting this vuln, he could install a JavaScript keylogger on your forum, and he may get your password.
It isn't enough to put a message saying "Please don't..."

Hope you'll understand.

Yes it is.

Yes it doesn't neutral

6

(48 replies, posted in PunBB 1.3 extensions)

XSS:

<meta name="keywords" content=""><script>alert(0)</script>" />
<meta name="robots" content=""><script>alert(0)</script>" />

Patch:

File: ./extensions/meta_tags_admin/manifest.xml

Line 63      | $forum_head['descriptions'] = '<meta name="description" content="'.$forum_config['o_meta_tags_admin_desc'].'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_desc']).'" />';

Line 88      | $forum_head['descriptions'] = '<meta name="description" content="'.$first_post.'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($first_post).'" />';

Line 95      | $forum_head['keywords'] = '<meta name="keywords" content="'.$forum_config['o_meta_tags_admin_keyw'].'" />';
Replace with | $forum_head['keywords'] = '<meta name="keywords" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_keyw']).'" />';

Line 98      | $forum_head['robots'] = '<meta name="robots" content="'.$forum_config['o_meta_tags_admin_robo'].'" />';
Replace with | $forum_head['robots'] = '<meta name="robots" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_robo']).'" />';
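The patch above works because the admin-supplied value lands inside an HTML attribute, so a single unescaped double quote is enough to close the attribute and start a new tag. The following is an added example, not code from the thread or from PunBB: build_meta_tag() is a hypothetical helper that builds the tag with and without encoding, and encode_attr() stands in for forum_htmlencode(), assumed here to be htmlspecialchars() with ENT_QUOTES.

```php
<?php
// Added example (not from the thread or from PunBB). encode_attr() is an
// assumed stand-in for PunBB's forum_htmlencode(); build_meta_tag() and
// attr_is_contained() are hypothetical helpers written for this illustration.

function encode_attr(string $value): string
{
    // Attribute context: ", ', <, > and & must all be escaped, hence ENT_QUOTES.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function build_meta_tag(string $name, string $content, bool $encode): string
{
    // $encode = false reproduces the line the patch replaces; true is the fix.
    $value = $encode ? encode_attr($content) : $content;
    return '<meta name="' . $name . '" content="' . $value . '" />';
}

// Regression check a maintainer could keep: the content attribute must stay
// one quoted token with no raw quote or tag delimiters inside it.
function attr_is_contained(string $tag): bool
{
    return preg_match('/^<meta name="[a-z]+" content="[^"<>]*" \/>$/', $tag) === 1;
}

// Constructed admin-supplied value, same shape as the payload reported above.
$keywords = 'forum"><script>alert(0)</script>';

$vulnerable = build_meta_tag('keywords', $keywords, false);
$hardened   = build_meta_tag('keywords', $keywords, true);

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;

// The unencoded tag fails the containment check, the encoded one passes.
var_dump(attr_is_contained($vulnerable));
var_dump(attr_is_contained($hardened));
```

Running it shows the unencoded value splitting the meta tag into a closed attribute followed by a script element, while the encoded value stays a single attribute string.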

7

(4 replies, posted in PunBB 1.2 bug reports)

It isn't an error. They added PHP code that adds a class name into the <li>

Ex : 

<li class="isactive"><a href="profile.php?section=essentials&amp;id=<?php echo $id ?>"><?php echo $lang_profile['Section essentials'] ?></a></li>

Whooops

Email sent
