• From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Topic: PunBB 1.2.9

Just a quick note this time. This release is a very small update that fixes an SQL injection vulnerability in search.php that is exploitable in PHP environments with register_globals enabled. Beginning with 1.2.9, PunBB also implements a method for reversing the effects of register_globals (thanks Stefan Esser!). What this means is that register_globals should no longer be a problem. If a variable is instantiated as a result of register_globals being enabled, it will be unset by PunBB. Yay! Something to note about this new mechanism is that if you have integrated your PunBB install with other code, for example by including PHP code in your templates, that code must be able to function properly with register_globals disabled. If it does not, you will have to temporarily disable the call to unregister_globals() in include/common.php until you can update your code.

Thanks a lot to "Devil_box of KAPDA" for posting an advisory on the SQL injection without even notifying me of it. Much appreciated! sad Proper thanks go out to Paolo Gabrielli for telling me about the advisory. Someone else posted a topic in the forums about the advisory, but I deleted it. Please e-mail security related information to security @ this domain.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Registered: 2005-10-14
  • Posts: 54

Re: PunBB 1.2.9

Ok, I'll do that from now on, I just thought that you guys should know tongue

Good to know it helped (and you noticed it much faster through me posting in on the forum than if you were scouring the security boards). Now you have to change the Announcement once again - and realise that there's nothing left after 1.2.9 except 1.3 wink

IdleFire's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.9

IdleFire wrote:

there's nothing left after 1.2.9 except 1.3 wink

What about 1.2.10 then? smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

4 Reply by Rod

  • Rod
  • Senior Member
  • Offline
  • From: Rouen, France
  • Registered: 2004-07-19
  • Posts: 591

Re: PunBB 1.2.9

You Copy PhpBB smile

http://www.sortons.net
http://www.fantasya.net

Rod's Website

5 Reply by seva

  • seva
  • Member
  • Offline
  • From: Russia::Novosibirsk
  • Registered: 2005-10-13
  • Posts: 92

Re: PunBB 1.2.9

Hmmm.... what about 1.2.9.1 ?)))

Hm... every pixel has it's own destiny

seva's Website

  • From: Gothenburg, Sweden
  • Registered: 2002-05-27
  • Posts: 222

Re: PunBB 1.2.9

How about changing the Announcement box to reflect the new version of PunBB?

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.9

CodeDuck wrote:

How about changing the Announcement box to reflect the new version of PunBB?

I was just about to dammit smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: Kathmandu, Nepal
  • Registered: 2005-10-10
  • Posts: 44

Re: PunBB 1.2.9

lol My first update! Hope it works out well (newbie, you see).

Parimal Satyal - Powermetal from Nepal

livatlantis's Website

  • From: Paris - France
  • Registered: 2005-06-20
  • Posts: 40

Re: PunBB 1.2.9

Thank you for this fast update , Rickard.
Patching is my will , just do it smile

PunBB based : All Sansa - Tout Sansa  - Forum Abc de la sécurtité informatique
not PunBB based : actualité sécurité informatique - bistouri, technicien informaticien

habana's Website

  • From: Kathmandu, Nepal
  • Registered: 2005-10-10
  • Posts: 44

Re: PunBB 1.2.9

This is amazing! I never thought updating would be so easy... Rickard, I must say, PunBB is awesome! So fast, customizable and... easy. I'm sure this is a easy update, but I'm proud: http://www.powerofmetal.net/forum/ wink

Thanks!

Parimal Satyal - Powermetal from Nepal

livatlantis's Website

  • From: zCOM
  • Registered: 2005-01-16
  • Posts: 433

Re: PunBB 1.2.9

Upgraded using the DIFF.
Flawless! Whee!

[img]http://www.dreamhost.com/images/rewards/80x15-a.gif[/img]
[img]http://img303.imageshack.us/img303/6118/getfox6mr.gif[/img]

erissiva's Website

  • Registered: 2005-01-23
  • Posts: 205

Re: PunBB 1.2.9

I got a problem with the 1.2.9 with my own plugin ...
To still use my plug-in, i have to comment in common.php : 

// Reverse the effect of register_globals
if (@ini_get('register_globals'))
    unregister_globals();

If someone can explain me why ...

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.9

fpouget: We'd have to see the code to see what's wrong with it. Maybe you should start out by reading a bit about register_globals.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

14 Reply by creaturecorp (edited by creaturecorp 2005-10-16 20:05)

  • From: Canada
  • Registered: 2004-12-12
  • Posts: 148

Re: PunBB 1.2.9

What if we've modded our punbb to death so it's hardly recognizable as punbb? It would be wiser to update manually, correct?

I don't HAVE a signature, ok?

creaturecorp's Website

15 Reply by Joe7

  • Joe7
  • Senior Member
  • Offline
  • Registered: 2005-05-01
  • Posts: 103

Re: PunBB 1.2.9

I just upgraded to 1.2.9 myself. So far so good. smile

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.9

creaturecorp wrote:

What if we've modded our punbb to death so it's hardly recognizable as punbb? It would be wiser to update manually, correct?

Yes, use the hdiff or patch it using the diff.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

17 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PunBB 1.2.9

I use Beyond Compare: http://www.scootersoftware.com/

It's been an invaluable tool for making changes to my online sites and comparing CVS changes, etc.

If you make mods, this will let you compare your sources side by side and let you move over your changed lines to the new sources.

Download a trial and check it out, worth the money.

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • From: France
  • Registered: 2004-11-06
  • Posts: 695

Re: PunBB 1.2.9

Arcane way of doing things. One really needs plugins.

Jeu de rôle en ligne sur table virtuelleShadowrun FranceChez Blacky

Jérémie's Website

  • From: Mexico
  • Registered: 2005-09-06
  • Posts: 3

Re: PunBB 1.2.9

hello, me again. I am currently running 1.2.7 so do I need to upgrade first to 1.2.8 then to 1.2.9 or can I go straight to 1.2.9?

  • From: Kathmandu, Nepal
  • Registered: 2005-10-10
  • Posts: 44

Re: PunBB 1.2.9

What's "diff"? I'll go on a search for these tools for Mac now... seems I'll need it for later.

Parimal Satyal - Powermetal from Nepal

livatlantis's Website

21 Reply by Joe7

  • Joe7
  • Senior Member
  • Offline
  • Registered: 2005-05-01
  • Posts: 103

Re: PunBB 1.2.9

Italiano wrote:

hello, me again. I am currently running 1.2.7 so do I need to upgrade first to 1.2.8 then to 1.2.9 or can I go straight to 1.2.9?

As far as I know you can upgrade straight to 1.2.9. It is the current download. All the other and past upgrades are in 1.2.9.

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.9

Jérémie wrote:

Arcane way of doing things. One really needs plugins.

Huh? Plugins won't do you any good if the source needs to be updated.

And by the way, don't worry. 1.3 will have proper plugin support.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: Canada
  • Registered: 2004-12-12
  • Posts: 148

Re: PunBB 1.2.9

livatlantis wrote:

What's "diff"? I'll go on a search for these tools for Mac now... seems I'll need it for later.

They're probably built into mac, with Darwin. Ever used the terminal?

I don't HAVE a signature, ok?

creaturecorp's Website

24 Reply by Reines

  • Reines
  • Reines
  • Senior Member
  • Offline
  • Registered: 2004-10-07
  • Posts: 304

Re: PunBB 1.2.9

Thanks, upgrade wasn't a problem at all.

livatlantis wrote:

This is amazing! I never thought updating would be so easy... Rickard, I must say, PunBB is awesome! So fast, customizable and... easy. I'm sure this is a easy update, but I'm proud: http://www.powerofmetal.net/forum/ wink

Thanks!

Nice skin (:

Reines's Website

25 Reply by b4Lz0R

  • Registered: 2005-10-17
  • Posts: 20

Re: PunBB 1.2.9

how i can open my Forum Shell for using fowlling Patch Commands?