Topic: PunBB 1.2.6
I'm pleased to announce the release of PunBB 1.2.6. This time around, a large number of minor bugs have been fixed. In addition, one or two rather serious vulnerabilities and a number of not-so-serious security concerns have been dealt with. As usual, it is recommended that everyone update to 1.2.6 as soon as possible. Download archives, patches and other things related to the release can be found on the downloads page.
One change in 1.2.6 worth mentioning is changeset 208. What this does is to force files included from templates via the pun_include directive to be in a particular directory. The directory is include/user/. If you've been using pun_include in 1.2.5 or earlier, you will need to make sure that the directory exists and to move all/any included scripts into that directory. If your files are located outside the PunBB directory tree, I recommend that you create symbolic links in the include/user/ directory. The change has been implemented to deal with a potential vulnerability.
In what has become somewhat of a custom for me, I would like to thank Stefan Esser of the Hardened-PHP Project and Smartys, forum regular and bug finder extraordinaire, for reporting both vulnerabilities and general bugs. I owe you guys a couple of rounds of beer :)
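The confinement described above for pun_include, sketched as an added example: this is not the code from changeset 208 or any other PunBB source. The directive syntax `<pun_include "file">`, the function names and the demo directory are assumptions made for illustration. Checking the name itself rather than the resolved path keeps administrator-created symbolic links in include/user/ working, as the post recommends.

```php
<?php
// Added illustration, not PunBB source. Directive syntax and names are assumptions.
const USER_INCLUDE_DIR = __DIR__ . '/include/user/';   // hypothetical layout

/**
 * Map a name taken from a template directive to a file directly inside
 * the include directory, or return null if it could point anywhere else.
 */
function resolve_user_include(string $name, string $dir = USER_INCLUDE_DIR): ?string
{
    // Allowlist bare file names: no separators, NUL bytes or dot-only names.
    if (!preg_match('#^[A-Za-z0-9_.-]+$#D', $name) || $name === '.' || $name === '..') {
        return null;
    }
    $path = rtrim($dir, '/') . '/' . $name;
    // is_file() follows symlinks, so a link placed in the directory by the
    // administrator still resolves; a template cannot name a path outside it.
    return is_file($path) ? $path : null;
}

/** Replace each directive with the captured output of the confined include. */
function expand_includes(string $tpl, string $dir = USER_INCLUDE_DIR): string
{
    return preg_replace_callback(
        '#<pun_include "([^"]*)">#',
        function (array $m) use ($dir): string {
            $path = resolve_user_include($m[1], $dir);
            if ($path === null) {
                return '<!-- include refused: ' . htmlspecialchars($m[1]) . ' -->';
            }
            ob_start();
            include $path;
            return ob_get_clean();
        },
        $tpl
    );
}

// Constructed demo: one allowed file, then names that must be refused.
$dir = sys_get_temp_dir() . '/pun_demo_user';
@mkdir($dir, 0700, true);
file_put_contents($dir . '/banner.php', '<?php echo "banner ok";');
foreach (['banner.php', '../config.php', '/srv/other/x.php', 'sub/x.php', '..'] as $n) {
    printf("%-18s => %s\n", $n, resolve_user_include($n, $dir) ?? 'refused');
}
echo expand_includes('<p><pun_include "banner.php"></p>', $dir), "\n";
```

Only `banner.php` resolves; every name containing a separator or consisting solely of dots is refused before the filesystem is touched.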