• From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Topic: PunBB 1.2.11

Here's a short message announcing 1.2.11. This release has been made primarily to address an issue with the registration script that allowed a malicious user to perform a denial-of-service attack. PunBB 1.2.11 adds code to the registration script that prevents these flood registrations (an hour has to pass between registrations from the same IP). On top of this, an XSS vulnerability has been addressed.

For those of you not afraid to edit the scripts manually, here are the two changes:

http://dev.punbb.org/changeset/336
http://dev.punbb.org/changeset/335

Thanks to the people who alerted me via e-mail about the circulation of an "exploit" for the DoS attack.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: PunBB 1.2.11

smile Maybe in a future version (1.3 hopefully) add the ability to set the timeout time in the admin options?

  • From: U.S.A.
  • Registered: 2005-08-26
  • Posts: 1,607

Re: PunBB 1.2.11

Thanks. Update was a breeze as usual, and the flood fix works fine on my forum.

Looking for a certain modification for your forum? Please take a look here before posting.

4 Reply by Xan

  • Xan
  • Member
  • Offline
  • Registered: 2005-01-08
  • Posts: 74

Re: PunBB 1.2.11

Wow! It's not really smile

If you want a Job done right, you do it yourself!

Xan's Website

5 Reply by andrewteg (edited by andrewteg 2006-02-28 21:30)

  • From: Virginia Tech
  • Registered: 2006-02-28
  • Posts: 50

Re: PunBB 1.2.11

wow, installed in the morning and already an update in the afternoon smile  glad to see it's being very supported and upgrade was a breeze!

Thanks,
Andrew

Isaiah 40:31

andrewteg's Website

6 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PunBB 1.2.11

Thanks Rickard, updated my forum, I had registrations off after reading the forum this morning.

May need to change: If I were you, I'd update to PunBB 1.2.10!

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • From: Canada
  • Registered: 2004-12-12
  • Posts: 148

Re: PunBB 1.2.11

Thanks, it's about time. smile This will help a lot with the auto registrations that have been going on.

I don't HAVE a signature, ok?

creaturecorp's Website

8 Reply by zaher (edited by zaher 2006-02-28 22:21)

  • zaher
  • Senior Member
  • Offline
  • From: Syria, Damascus
  • Registered: 2004-02-16
  • Posts: 773

Re: PunBB 1.2.11

One hour is too long, all my user come in my country are behind one proxy, that make a problem so 1 minute is good i will change it by my hand 3600 -> 60, but i prefer put it in Config.php as variable

EDIT:
In fact there 3 ISP in my country but the 2 of them are new to the market.

If your people come crazy, you will not need to your mind any more.

9 Reply by Jansson (edited by Jansson 2006-02-28 22:36)

  • Jansson
  • Former PunBB Developer
  • Offline
  • From: Sweden
  • Registered: 2003-01-06
  • Posts: 856

Re: PunBB 1.2.11

The bug:

     // START SUBST - <pun_page>  
$tpl_main = str_replace('<pun_page>', basename($_SERVER['PHP_SELF'], '.php'), $tpl_main);  
$tpl_main = str_replace('<pun_page>', htmlspecialchars(basename($_SERVER['PHP_SELF'], '.php')), $tpl_main);  
// END SUBST - <pun_title>

Should be "// END SUBST - <pun_page>" .... right?

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.11

zaher: Are you saying ALL users from syria use the same IP?

Jansson: Yes, but I didn't want to fiddle with that now. It would just confuse people.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

11 Reply by Reines (edited by Reines 2006-02-28 22:50)

  • Reines
  • Reines
  • Senior Member
  • Offline
  • Registered: 2004-10-07
  • Posts: 304

Re: PunBB 1.2.11

Upgraded thanks. (Even though I have image verification installed anyway, which also blocks out any chance of a DoS attack on the registrations).

Reines's Website

12 Reply by zaher

  • zaher
  • Senior Member
  • Offline
  • From: Syria, Damascus
  • Registered: 2004-02-16
  • Posts: 773

Re: PunBB 1.2.11

Not all, but Most of them. may there is about 10 server take IPs shared for all. it always make problem.
My ip in your forum is one of it,maybe changed every connection to Dialup and some time every visit to page (believe me) depend on traffic on servers you can notice that by this posts, not just Syria but all countries working to control everything.

If your people come crazy, you will not need to your mind any more.

13 Reply by faax

  • faax
  • Senior Member
  • Offline
  • From: Bosnia and Herzegovina
  • Registered: 2005-05-23
  • Posts: 133

Re: PunBB 1.2.11

Fix'd tnx!

it's just me...

faax's Website

  • Registered: 2005-12-13
  • Posts: 16

Re: PunBB 1.2.11

Updated the UK PunBB mirror to reflect this. smile

Proud hoster of PunBB's UK download mirror!
  • Registered: 2006-01-16
  • Posts: 86

Re: PunBB 1.2.11

Nice!! It works!! lol thanks for keeping us safe!

My PunRes Wiki Mods:
1.) Remove Post Icon in View Topic And in Index
2.) Bold Links In Header
[img]http://www.the-artbreak.com/forum/img/smilies/socom.png[/img]
  • Registered: 2004-10-10
  • Posts: 77

Re: PunBB 1.2.11

As much as I hate updating, it's always good to be secure. Thanks, Rickard.

  • From: Germany
  • Registered: 2005-03-09
  • Posts: 17

Re: PunBB 1.2.11

You should consider extracting the message to the user into the language files in 1.3. smile

18 Reply by Frank H (edited by Frank H 2006-03-01 16:40)

  • Frank H
  • Former PunBB Developer
  • Offline
  • Registered: 2003-03-16
  • Posts: 1,423

Re: PunBB 1.2.11

updated smile
(within 24 hours as usual ... although I almost missed it as I was so used with the notice for 1.2.10 tongue)

  • From: VnOSS
  • Registered: 2004-09-04
  • Posts: 121

Re: PunBB 1.2.11

zaher wrote:

One hour is too long, all my user come in my country are behind one proxy, that make a problem so 1 minute is good i will change it by my hand 3600 -> 60, but i prefer put it in Config.php as variable

I used 900 (=15') here smile

[no signature]
  • Registered: 2005-02-19
  • Posts: 54

Re: PunBB 1.2.11

For French :

    

// Check that someone from this IP didn't register a user within the last hour (DoS prevention)
     $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
      if ($db->num_rows($result))
     message('Un nouvel utilisateur a été enregistré avec la même adresse IP que vous dans la dernière heure. Pour empêcher l\'inondation d\'enregistrement, au moins 1 heure doit passer entre des enregistrements du même IP. Désolé de l\'inconvénient.');

21 Reply by f10

  • f10
  • Junior Member
  • Offline
  • Registered: 2005-01-30
  • Posts: 8

Re: PunBB 1.2.11

If someone make a bad entry at registration (for e.g. too short password), he has to wait one hour to reenter the right data? He only sees an unclickable button nad has no idea that's for preventing of denial-of-service-attack...

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: PunBB 1.2.11

f10 no, only actual registrations count, the submit button always greys out when you click it to stop double clicks by accident, just press back when you see the password is too short.

FluxBB.
Connorhd.co.uk.

Connorhd's Website

23 Reply by faax

  • faax
  • Senior Member
  • Offline
  • From: Bosnia and Herzegovina
  • Registered: 2005-05-23
  • Posts: 133

Re: PunBB 1.2.11

// Check that someone from this IP didn't register a user within the last hour (DoS prevention)   
         $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());   
   
         if ($db->num_rows($result))   
                 message('A new user was registered with the same IP address as you within the last hour. To prevent registration flooding, at least an hour has to pass between registrations from the same IP. Sorry for the inconvenience.');

for bosnian/croatian/serbian modifications

   
// Check that someone from this IP didn't register a user within the last hour (DoS prevention)   
         $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());   
   
         if ($db->num_rows($result))   
                 message('Novi korisnik je prije otprilike sat vremena ve? registrovan sa istom IP adresom. Radi za?tite od flood-a s istom IP adresom mo?ete se registrovati tek poslije sat vremena. Ukoliko imate dodatnih pitanja, kontaktirajte administratora!');
it's just me...

faax's Website

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: PunBB 1.2.11

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

FluxBB.
Connorhd.co.uk.

Connorhd's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.11

Connorhd wrote:

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

Registering legitimately wink
And it does matter if they don't speak English tongue