Topic: PunBB 1.2.17

Keeping true to our promise of providing security updates for the 1.2 branch even though our focus right now surely is on 1.3, it is my pleasure to announce the release of PunBB 1.2.17. This update addresses two rather serious security vulnerabilities as well as a couple of other minor fixes and annoyances. PunBB 1.2.17 is a recommended update for all 1.2 installs.

Important! One of the vulnerabilities that were dealt with in 1.2.17 has to do with something called the cookie seed. The changes in 1.2.17 should protect you from the vulnerability, but we still recommend that you make one minor change to your installation to further harden your forum from attacks. To make the change, open up config.php and look for something along the lines of:

$cookie_seed = '5b16024c';

The seemingly random characters within single quotes will differ in your install. Now, either replace the random characters entirely or add a few extra characters to the end and/or the beginning of the string. You can use any characters you like. Avoid the single quote character though. When you're done, save and upload the file to your forum installation. The change will require users to re-login, but apart from that, everything should be the same.

Thanks to all the people who reported bugs and security problems.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
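
Added example, not part of the original post and not PunBB's own code: one way to script the config.php change described above, drawing the new seed from the operating system's CSPRNG and refusing to touch the file unless exactly one `$cookie_seed` assignment is found. The helper names and the sample config are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample config.php; only the $cookie_seed line mirrors the post.
SAMPLE_CONFIG = """<?php

$db_type = 'mysql';
$cookie_name = 'punbb_cookie';
$cookie_seed = '5b16024c';

define('PUN', 1);
"""

# The assignment as shown in the post: $cookie_seed = '...';
SEED_RE = re.compile(r"^([ \t]*\$cookie_seed[ \t]*=[ \t]*)'[^']*'([ \t]*;)", re.MULTILINE)


def new_seed(nbytes=16):
    """Fresh seed from the OS CSPRNG; hex digits can never include a single quote."""
    return secrets.token_hex(nbytes)


def rotate_cookie_seed(config_text, seed=None):
    """Return config_text with the $cookie_seed value replaced (hypothetical helper)."""
    seed = new_seed() if seed is None else seed
    # The post says to avoid the single quote. Rejecting the backslash as well is
    # an added precaution: PHP treats \' and \\ as escapes in single-quoted strings.
    if not seed or "'" in seed or "\\" in seed:
        raise ValueError("seed must be non-empty and contain no ' or \\ characters")
    new_text, count = SEED_RE.subn(
        lambda m: m.group(1) + "'" + seed + "'" + m.group(2), config_text)
    if count != 1:
        # Zero or several assignments: refuse to guess, leave the file for a human.
        raise ValueError("expected one $cookie_seed assignment, found %d" % count)
    return new_text


if __name__ == "__main__":
    print(rotate_cookie_seed(SAMPLE_CONFIG))
```

As the post notes, every user has to log in again once the rewritten file is uploaded.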

Re: PunBB 1.2.17

Very nice... On the ball as usual. :)

Re: PunBB 1.2.17

Done!... fast, easy, simple... PunBB way!

emxgarcia

Re: PunBB 1.2.17

Just a quickie. :) The patch file seems a bit inconsistent with regards to moderate.php. The preg_match change is fine, but the other two seem out of whack. Have I missed an update out previously, or is the diff slightly incorrect?

Re: PunBB 1.2.17

Since I have done so much modding on PunBB, I'm afraid every time there is an update, and now it comes again.

Re: PunBB 1.2.17

Good point, qie. If changes were made just in a few files, it would be easier to replace only those.

Re: PunBB 1.2.17

I seem to have a problem with admin_maintenance. The file when I run it appears to be in a loop.

Re: PunBB 1.2.17

p4i wrote:

Good point, qie. If changes were made just in a few files, it would be easier to replace only those.

That's why there's a changed files download ;)

bingiman wrote:

I seem to have a problem with admin_maintenance. The file when I run it appears to be in a loop.

I'll check the code again, but it was working fine last I tested. What URL is it looping on?
Edit: I just tried it and it worked just fine. You do realize it's supposed to load lots of pages, right?

http://fluxbb.org

Free PunBB Hosting - lots of mods, easy to customize

Re: PunBB 1.2.17

My test site has just 2 posts. Anyway, it just keeps loading the page as if it were in a loop when I click on "Rebuild Index"

Re: PunBB 1.2.17

I just tried it on PunBB-Hosting and can't replicate it. If someone else manages to replicate it on a clean install, I'll take another look.

Re: PunBB 1.2.17

Well, I am using it on Mega Pun but I replaced the file so it should work. This is what the url says and it flashes really fast from 4 to 1

12 (edited by tomekf 2008-02-20 22:17)

Re: PunBB 1.2.17

I found that there aren't any changes in file moderate.php in the Hdiff update.

Edit: Only

if (@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))

Re: PunBB 1.2.17

bingiman: I sent you an email

Re: PunBB 1.2.17

Well, that fixed the problem. thanks!

Re: PunBB 1.2.17

tomekf wrote:

I found that there aren't any changes in file moderate.php in the Hdiff update.

Edit: Only

if (@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))

I noticed that too. The first db query is the same as the one it replaces, and the second one just doesn't exist in mine, hence why I asked earlier if I had missed a previous update. Or is the patch file misleading?

Re: PunBB 1.2.17

I'm not sure why those lines were generated (maybe line feeds changed at some point?)

Re: PunBB 1.2.17

I believe they were crlf -> lf changes. As soon as I saved the file in Textmate, subversion was convinced those lines had changed.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
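
Added example, not part of the thread and not PunBB's tooling: a way to check whether lines flagged in a patch, like the moderate.php ones discussed above, differ only in their line ending (CRLF vs. LF) or in content. The sample files are constructed; only the `preg_match` line is taken from the thread, and the function name is an assumption.

```python
import difflib

CRLF, LF = b"\r\n", b"\n"

# Constructed stand-ins, not the real moderate.php. Only NEW_CHECK is the line
# quoted in the thread; the pre-1.2.17 line is not shown there, so OLD_CHECK is
# a placeholder.
QUERY_1 = b"$result = $db->query('SELECT 1'); // constructed"
QUERY_2 = b"$result = $db->query('SELECT 2'); // constructed"
OLD_CHECK = b"if (OLD_CHECK_PLACEHOLDER)"
NEW_CHECK = rb"if (@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))"

OLD_FILE = CRLF.join([QUERY_1, OLD_CHECK, QUERY_2]) + CRLF  # saved with CRLF
NEW_FILE = LF.join([QUERY_1, NEW_CHECK, QUERY_2]) + LF      # re-saved with LF


def classify_changes(old, new):
    """Split the differences between two byte strings into
    eol_only: 1-based line numbers in `old` where only the line ending changed
    real:     (tag, old_line_no, old_lines, new_lines) for content changes
    """
    old_raw = old.splitlines(keepends=True)
    new_raw = new.splitlines(keepends=True)
    old_txt = [l.rstrip(b"\r\n") for l in old_raw]
    new_txt = [l.rstrip(b"\r\n") for l in new_raw]
    # Match on content with line endings removed, so an EOL conversion alone
    # never shows up as a replaced line.
    matcher = difflib.SequenceMatcher(a=old_txt, b=new_txt, autojunk=False)
    eol_only, real = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            eol_only += [i1 + k + 1 for k in range(i2 - i1)
                         if old_raw[i1 + k] != new_raw[j1 + k]]
        else:
            real.append((tag, i1 + 1, old_txt[i1:i2], new_txt[j1:j2]))
    return eol_only, real
```

On the constructed pair, lines 1 and 3 come back as line-ending-only changes and line 2 as the one content change, which is the split to look for when reviewing a security patch line by line.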

Re: PunBB 1.2.17

does it fix?:
http://www.milw0rm.com/exploits/5165
http://sektioneins.de/advisories/SE-2008-01.txt

Re: PunBB 1.2.17

As they are essentially one and the same vuln, then as the SektionEins vulnerability report itself notes:

Vendor Status: Vendor has released PunBB 1.2.17 which fixes this issue

Re: PunBB 1.2.17

I have installed the changed files, yet my version number still says "1.2.16". Have I missed a file?
Beagle

Re: PunBB 1.2.17

You need to run the database update script to change the version number ;)

Re: PunBB 1.2.17

Thank you. Perhaps you should have pointed out that I was missing the reading part. I got ahead of myself, which is usually the root cause of my self-inflicted distress.
Thanks again
Beagle

Re: PunBB 1.2.17

Ahoy there HMS Beagle.

How goes your voyage of discovery? Been to the Galapagos Islands again recently?

Re: PunBB 1.2.17

sirena wrote:

Ahoy there HMS Beagle.

How goes your voyage of discovery? Been to the Galapagos Islands again recently?

Ahoy matey
My voyage of discovery goes well, Thank you.
Beagle

Re: PunBB 1.2.17

Thank you for the new release of PunBB!