Search options

: PunBB 1.2.15

Smartys wrote:

505 wrote:
I've got a question about the following change:
Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.
I have a PunBB integrated in a custom CMS and all the scripts use an object $db for database access. Almost the same as PunBB's one, but not exchangable. My $db is created in the include files, and this used to work because this was done in footer.php, after all PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's CMS.
I've changes the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?
With an XSS vulnerability, a malicious user could execute any file in the include/user directory with those file endings as PHP. So if you also had an upload form somewhere where the directory could be manipulated, someone could potentially execute arbitrary PHP if they found an XSS vulnerability in PunBB.

I don't quite understand what the real danger is. If there was a wrong upload forum and someone could upload a PHP file to the /include/user directory, this would is still not included, unless also some template is modified. And if a hacker could do that, it would also be possible to directly modify some of PunBB's files. Or am I missing something?

: PunBB 1.2.15

I've got a question about the following change:

Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.

I have a PunBB integrated in a custom CMS and all the scripts use an object $db for database access. Almost the same as PunBB's one, but not exchangable. My $db is created in the include files, and this used to work because this was done in footer.php, after all PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's CMS.
I've changes the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?

2006-05-26 19:40

##
##
##        Mod title:  Forbidden word spam blocker
##
##      Mod version:  1.0.0
##   Works on PunBB:  1.2.x
##     Release date:  2006-05-26
##           Author:  Daniel Vijge <vijge@dse.nl>
##
##      Description:  This mod allows forum administrators and moderators
##                    to forbid certain words to be in a post. When such a
##                    is used in a post a warning is displayed and the message
##                    cannot be posted until that word is removed.
##                    This can be used to stop spam bots from posting on
##                    your forum. Just set part of the message they post
##                    as a forbidden word.
##
##   Affected files:  post.php
##                    lang/English/post.php
##                    lang/[...]/post.php (when more languages are installed)
##
##       Affects DB:  Yes
##
##            Notes:  1) To add a spam word, go to the forum administration page
##                    and click on 'Spam word'. This page is available for
##                    both administrators and moderators
##                    2) Be carefull what words you block. For example, if you
##                    block 'foo', users can't post message containing 'foobar'.
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
##

Download here

Simple protection against spam bots, by blocking certain words. I made it quite quickly because I needed something to stop spam bots. I haven't done a lot of testing, but it works safe on my install. Also, the documentation is not that good, but it should be enough for you to get it installed.
If you have any comments, please share them.

2005-12-03 17:21

This part:

header('GET /downloads/$file HTTP/1.0');
header('Connection: $connection');
header('User-Agent: $browser');
header('Accept: $accept');
header('Accept-Encoding: $accept_encoding');
header('Accept-Language: $accept_language');
header('Accept-Charset: $accept_charset');
header('Authorization: Basic $encoded');

THe script will send the text as such to the browsers, e.g. Authorization: Basic $encoded. In PHP, when using a single quote (' ) the text is not parsed for variables, when using a double quote (") it is. Using single quotes around text is faster if you know there are no variables in it. I should change your script to:

header('Authorization: Basic '.$encoded); // text in single quotes, variables outside the text
-- or --
header("Authorization: Basic $encoded"); // using doubles quotes, variables will be parsed

2005-09-10 09:12

After I upgraded my own forums to 1.2.7 I will look at my code and release a new version of the mod, so everyone can apply it straight away. Thanks for mentioning this.

2005-08-12 15:03

Yep, OS X is a *nix system, and probably will have patch. You can simple test it by typing 'patch -v' (display version number) in the command console.

When you make a patch (using a diff program), the new and old file are compared. Only the changes are saved to a patch file. So, a patch file will contain information about which lines of code to change. The program is clever enough to detect certain code changes. E.g., in the original patch file it say line 27 has to be changed from 'echo "test";' to 'echo "This is a test message";' However, since you have also modded the file yourself (added code above line 27) this line is now another line number. But patch will still be able to find the correct line and change it.
If you know a bit about programming and script, take a look at the patch file. Line with a - will be deleted, lines with a + will be added to your scripts.

Instructions to patch PunBB can be found here. The patch file from 1.2.5 to 1.2.6 is here. The patch for other version can be found the the download section.
I suggest you make a backup copy of your script, run patch on that and see what the result is.

2005-08-12 14:19

yelowpunk wrote:

is there a way to 'upgrade' my installation without having to redo everything? 'cuz it's a pain in the butt to have to reinstall everything for a .0.1 update.

Just download all the files from your webserver, and download the patch from the PunBB website. It will upgrade all your files to the new version. If you've made modification to files, these mods will be preserved. Unless there is a conflict between an update and something you've modded, in that case a warning will be shown and you have to update that yourself.

I have a havily modded version of PunBB and use this method for upgrading. It basically takes less than 15 minutes.

To use the patch file you need a working version of "patch" on your system. If you have *nix it's already there, if you have Windows look here. Take a look at the patch instruction on the PunBB page on how to patch.

2005-04-16 12:26

Thanks for pointing that out tuyau45! I release 1.0.1a were this problem is (hopefully) fixed. I could use some testing feedback. If you have installed this mod and have problems (or everything is working fine), please post here.

If you already downloaded and installed 1.0.1, open parser.php, goto line 347 (the last regex in the do_clickable function) and replace it with:

$text = preg_replace('#([\s\(\)])((mailto:)?([\w\d][\w\d$.-]*[\w\d]@[\w\d][\w\d.-]*[\w\d]\.[a-z0-9]{2,5}))((/[^"\s\(\)<\[]*)?)#ie', '\'$1\'.handle_email_tag(\'$2\')', $text);

2005-04-15 15:59

New version, 1.0.1.

Changes:
- Fix possible bad coding/decoding of addresses
- Option to decode e-mail adressen in text (not in tag)

2005-03-07 08:21

hcgtv wrote:

Very nicely done, nicely integrated.
You front end cms looks custom made.

Thanks, and yes, it's completely custom made. You need to have a hobby, right But making a good forum turned out to be too much work, so we decided on a pre-made forum. phpBB is way to heavy and complicated, punBB turned out to be just right.

2005-03-06 22:49

This site has pubBB integrated into the rest of the site. The user login system (or actually the check_cookie() function) is completely rewritten to work with the own login user system. It also has some minor modifications. Other things include some template and module wrapper scripts to work with the site's templates. The path system on top is custom made (it's part of the module/template part and parses before the forum loads). Also the forum block on the site, with recent posts, is custom made.
All to suite our needs. Luckily punBB is written quite simple, so I could adapt it quickly. Thanks for that...

www.intermate.nl/forum

2005-03-06 22:31

You can make your own date translate function. It's not that hard. In function.php on 595 change

    $date = date($pun_config['o_date_format'], $timestamp);
    $today = date($pun_config['o_date_format'], $now+$diff);
    $yesterday = date($pun_config['o_date_format'], $now+$diff-86400);

to

    $date = ldate($pun_config['o_date_format'], $timestamp);
    $today = ldate($pun_config['o_date_format'], $now+$diff);
    $yesterday = ldate($pun_config['o_date_format'], $now+$diff-86400);

Then, add a new function to functions.php. This is for Dutch, but you can easily translate it.

function ldate($format, $timestamp = '')
{
    // same as date() function, only change names to locals
    if ($timestamp == '') 
    {
        $timestamp = time();
    }

    $date = date($format,$timestamp);
    
    // change names of the days
    $date = str_replace('Monday','maandag',$date);
    $date = str_replace('Tuesday','dinsdag',$date);
    $date = str_replace('Wednesday','woensdag',$date);
    $date = str_replace('Thursday','donderdag',$date);
    $date = str_replace('Friday','vrijdag',$date);
    $date = str_replace('Saturday','zaterdag',$date);
    $date = str_replace('Sunday','zondag',$date);
    
    // change names of the months
    $date = str_replace('January','januari',$date);
    $date = str_replace('February','februari',$date);
    $date = str_replace('March','maart',$date);
    $date = str_replace('April','april',$date);
    $date = str_replace('May','mei',$date);
    $date = str_replace('June','juni',$date);
    $date = str_replace('July','juli',$date);
    $date = str_replace('August','augustus',$date);
    $date = str_replace('September','september',$date);
    $date = str_replace('October','oktober',$date);
    $date = str_replace('November','november',$date);
    $date = str_replace('December','december',$date);
    return $date;
}

2005-02-04 18:36

##
##
##      Mod title:  Spam Protect Emails
##
##      Mod version:  1.0.1a
##      Works on PunBB:  1.2.x
##      Release date:  2005-04-15
##      Author:  Daniel Vijge (vijge@dse.nl)
##
##      Description:  Spam protect email addresses in [email]tags. With this mod you can
##                    protect email address in posts against automatic harvesting.
##                    When the cursor hovers over an email address the user
##                    sees something like "javascript:mail_to('ocknvq<gocknBgzcorng0eqo')"
##                    in the status bar.
##                    When select, copy and paste and email address you will get
##                    email@remove-this.example.com
##                    Clicking on the link opens the mail program with the correct address.
##                    Addresses are normally readable to humans, but computers will have a hard
##                    time.
##                    To convert e-mails in text to clickable, spam-protected links preform
##                    steps 11 and 12. Else, skip these steps. (The default setup of punBB does
##                    not have the option to convert e-mail addresses, only www/ftp-links.)
##
##   Affected files:  header.php
##                    include/parser.php
##
##       Affects DB:  No
##
##            Notes:  You can change the encryption algoritm to create a better encryption
##                    (harder to automatically decode). In the function handle_email_tag()
##                    change the number in "$charValue+=intval(2);" to a number of your choice.
##                    Open 'uncrypt_email.js" and change "r += String.fromCharCode(n-(2));" to
##                    the same number.
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
##

Download

Change log
1.0.1a: Fix in regex code (thanks tuyau45 for pointing this out)
1.0.1: Fix possible bad coding/decoding of addresses
Option to decode e-mail adressen in text (not in tag)

2004-12-17 23:09

Thanks, that solution is certainly sufficient

2004-12-17 18:48

If been experimenting with 1.2 to adopt it on my website once it goes final. I was making some modifications and I think I found a bug in in PunBB 1.2 beta. It's a bit strange and I really can't figure out what goes wrong. Here's who to replicate it.

Place a file called 'test.php' in the PunBB dir and add the following code:

<?php
class Class1
{
    function foobar()
    {
        return 1;
    }    
}

class Class2
{
    function foobar()
    {
        global $class1;
        return $class1->foobar();
    }
}
$class1 = new Class1();
$class2 = new Class2();
echo $class2->foobar();
?>

Now add "<pun_include "test.php">" to 'main.tpl' This should print a 1 at the place where you add it in the template. Most of the times is works, but if you call 'moderate.php' without any arguments, or with the get_host argument you get 'Fatal error: Call to a member function on a non-object in test.php on line 15'

Okay, you might wonder why I want to print a 1 that complicated, but in fact it is a simplification of a module/template system that I don't want to change. This is just the simplest example I could come up with to show the bug.

(I apologise if I should have sent this by mail...)

2004-12-12 20:11

It's all in the same database, just a different table. I have a table 'users' for the website and now 'forum_users' for PunBB. Somehow these two need to be connected, and make sure the user also logs in when login in on the website.

2004-12-12 19:53

I have a website that already has a login system (custom written). This is used for a lot features on the site. There is a forum, but it is not that great. For some time I've been looking for a good forum, but was never able to find one. PunBB looks good so far, the template support is good, I can integrate it into my site easy.

But here's the task. I don't want users to register for the board. As soon as they login on the website, they must be able to use the forum. So I want to be able to use my current user table. But at the same time I want the use the forum's feature such as groups and permissions, so I need PunBB's user table as well.

My current usertable is base as (unique id, non-unique username, unique e-mail), while PunBB's is (unique id, unique username, unique e-mail). Furthermore I saw PunBB stores the username in the cookie, not the userid (something I think is better...). Is this all the same in version 1.2?

How easy/hard would it be to integrate the two? Before I start hacking all the code I want some opinions. Have other people done this, and how easy it? I don't mind coding a lot, but I want to be able to upgrade without doing an awful lot.

Search options

Posts found: 17

1 Reply by 505 2007-04-14 10:32

Re: PunBB 1.2.15 (98 replies, posted in News)

2 Reply by 505 2007-04-13 07:54

Re: PunBB 1.2.15 (98 replies, posted in News)

3 Topic by 505 2006-05-26 19:40

Topic: Forbidden word spam blocker 1.0.0 (7 replies, posted in PunBB 1.2 modifications, plugins and integrations)

4 Reply by 505 2005-12-03 17:21

Re: an extremely useful script (10 replies, posted in Programming)

5 Reply by 505 2005-09-10 09:12

Re: Spam Protect Email 1.0.1a (13 replies, posted in PunBB 1.2 modifications, plugins and integrations)

6 Reply by 505 2005-08-12 15:03

Re: PunBB 1.2.6 (71 replies, posted in News)

7 Reply by 505 2005-08-12 14:19

Re: PunBB 1.2.6 (71 replies, posted in News)

8 Reply by 505 2005-04-16 12:26

Re: Spam Protect Email 1.0.1a (13 replies, posted in PunBB 1.2 modifications, plugins and integrations)

9 Reply by 505 2005-04-15 15:59

Re: Spam Protect Email 1.0.1a (13 replies, posted in PunBB 1.2 modifications, plugins and integrations)

10 Reply by 505 2005-03-07 08:21

Re: Intermate.nl (2 replies, posted in PunBB 1.2 show off)

11 Topic by 505 2005-03-06 22:49

Topic: Intermate.nl (2 replies, posted in PunBB 1.2 show off)

12 Reply by 505 2005-03-06 22:31

Re: date vs strftime (8 replies, posted in PunBB 1.2 discussion)

13 Topic by 505 2005-02-04 18:36

Topic: Spam Protect Email 1.0.1a (13 replies, posted in PunBB 1.2 modifications, plugins and integrations)

14 Reply by 505 2004-12-17 23:09

Re: PunBB 1.2 development source (277 replies, posted in PunBB 1.2 discussion)

15 Reply by 505 2004-12-17 18:48

Re: PunBB 1.2 development source (277 replies, posted in PunBB 1.2 discussion)

16 Reply by 505 2004-12-12 20:11

Re: Integrating punbb with my own site (3 replies, posted in PunBB 1.2 modifications, plugins and integrations)

17 Topic by 505 2004-12-12 19:53

Topic: Integrating punbb with my own site (3 replies, posted in PunBB 1.2 modifications, plugins and integrations)

Posts found: 17