Topic: PunBB 1.2.13

Yesterday, I posted about the supposed "poison NULL byte vulnerability". I ranted on about how PunBB wasn't vulnerable and how I disliked the way vulnerability databases worked. Guess what? I was wrong! Through the help of a very nice editor at CVE, I was able to get in touch with the researcher behind the report and he clarified the issue for me. I had completely misunderstood what the vulnerability was about. Turns out I was wrong both on the vulnerability and in my generalization of how bad vulnerability databases work. I'm sorry for that.

So, today I have the pleasure of announcing PunBB 1.2.13. A release I've internally dubbed the "I'm a moron" release. PunBB 1.2.13 deals with the NULL byte injection vulnerability and adds support for HttpOnly cookies. The NULL byte injection is only exploitable by administrators so there's no need to rush. Nevertheless, I recommend that everyone upgrade.

Small note: If you have a look at the patch and the hdiff for this release, you'll notice what appear to be non-existent changes in the unregister_globals() function. Never mind these. It's just an update to get rid of some Windows-style line breaks.

Over and out.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
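The "poison NULL byte" mechanism behind the fix above, as an added illustration that is not PunBB's code and says nothing about where the bug sat in PunBB: a scripting language like PHP carries strings with an explicit length, so a value containing a 0x00 byte survives concatenation intact, but the moment that string reaches a NUL-terminated C API (open(2), fopen, include's file lookup) everything after the first 0x00 is silently dropped, which lets an attacker cut off a suffix the script appended. The prefix, suffix and sample inputs below are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Binary-safe concatenation, the way a scripting language's string operator
 * behaves: every byte of 'name' is copied, an embedded 0x00 included, and the
 * full length is returned. Returns 0 if the output buffer is too small. */
size_t script_concat(unsigned char *out, size_t outsz,
                     const char *prefix,
                     const unsigned char *name, size_t name_len,
                     const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    size_t total = plen + name_len + slen;
    if (total + 1 > outsz)
        return 0;
    memcpy(out, prefix, plen);
    memcpy(out + plen, name, name_len);
    memcpy(out + plen + name_len, suffix, slen);
    out[total] = '\0';
    return total;
}

/* What a NUL-terminated C API actually sees: the path ends at the first 0x00,
 * regardless of the length the script layer tracked. */
size_t c_api_view_len(const unsigned char *buf, size_t len)
{
    const unsigned char *p = memchr(buf, '\0', len);
    return p ? (size_t)(p - buf) : len;
}

/* The check a script-level filter needs: refuse any value whose declared
 * length spans an embedded NUL. Returns 1 to reject, 0 to accept. (A real
 * filename filter would also reject "/" and ".." here; this shows the NUL
 * case only.) */
int reject_embedded_nul(const unsigned char *name, size_t name_len)
{
    return memchr(name, '\0', name_len) != NULL;
}

int main(void)
{
    /* Constructed attacker input: "../../etc/passwd" followed by a 0x00.
     * sizeof includes the literal's own terminator, so subtract one. */
    const unsigned char attack[] = "../../etc/passwd\0";
    size_t attack_len = sizeof attack - 1;        /* 17 bytes */
    unsigned char buf[128];

    /* Hypothetical script: $path = $dir . $name . '.php' */
    size_t total = script_concat(buf, sizeof buf, "/var/www/include/",
                                 attack, attack_len, ".php");
    size_t seen = c_api_view_len(buf, total);

    printf("script-level length : %zu\n", total);   /* 38 */
    printf("length seen by open : %zu\n", seen);    /* 33 */
    printf("path seen by open   : %s\n", (const char *)buf);
    printf("filter rejects input: %d\n", reject_embedded_nul(attack, attack_len));
    return 0;
}
```

The script layer believes it built "/var/www/include/../../etc/passwd\0.php" (38 bytes); the C layer opens "/var/www/include/../../etc/passwd" and the ".php" suffix never applies. Checking for the NUL over the declared length (memchr, not strlen, which would itself stop at the NUL) is what closes the gap.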

Re: PunBB 1.2.13

Thank you for the update.  I had noticed it on the download page, but didn't see it announced yet.

Re: PunBB 1.2.13

One note about the NULL byte injection: it requires Administrator level access to be taken advantage of.

And I'd like to apologize as well. While this whole incident was taking place (and while we still thought the vulnerability was a fake), I was emailing the various advisory sites claiming that the vulnerability was a fake. They were all very nice and responded in a timely fashion and I feel bad for taking up their time when it turned out I was wrong :P


Re: PunBB 1.2.13

Will you be sending out announcements?

Re: PunBB 1.2.13

Woo-hoo! Great!

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: PunBB 1.2.13

Good to see :)


Re: PunBB 1.2.13

Hi,

What about the newsletter? I haven't received any notification for that release.

Ludo,

Re: PunBB 1.2.13

Ludo wrote:

Hi,

What about the newsletter? I haven't received any notification for that release.

Ludo,

I'll try to get that out tonight. I can't send it from home anymore, so I'll have to write up some script to do it on the server.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

(edited by Bibby 2006-09-27 14:18)

Re: PunBB 1.2.13

I installed punbb-1.2.12 yesterday, but I found 1.2.13 was released this morning :( (or :) ?)

A new forum powered by punbb-1.2.13(Chinese):
http://www.bsdlife.org/bbs

Thanks to the punbb team :)

(edited by savasweb 2006-09-27 14:27)

Re: PunBB 1.2.13

1.2.12 to 1.2.13 code changes? Thank you, punbb team :)

(edited by guardian34 2006-09-27 15:55)

Re: PunBB 1.2.13

savasweb wrote:

1.2.12 to 1.2.13 code changes?

Rickard linked to them in the first post.

Edit: The changes are also linked in the downloads page.

Re: PunBB 1.2.13

When will PunBB 1.2.13 come out in Norwegian???

PunBB, the FluxBB of tomorrow - today!

Re: PunBB 1.2.13

grudon66: It is available in Norwegian. Just use the language pack from the download page.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.13

OK, thanks. Wow, PunBB 1.2.13 is great :D

PunBB, the FluxBB of tomorrow - today!

Re: PunBB 1.2.13

Thanks!
Updated... still within the 24h limit I've set for myself ;)

Re: PunBB 1.2.13

The newsletter is going out as we speak.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: PunBB 1.2.13

Got it, thanks! Very humble post, thumbs up for that, too. :)

Creator of Aftonbörsen. Join in and start something fun and big, you too!


Re: PunBB 1.2.13

GOOD job, Rickard! Updated live with changed files only - as always: Works like a charm.

New Friendly web-shop! • SO happy with PunBB! • Now punBB 1.4.x on ALL forums (won't tell how many or their addresses to avoid spam-regs)

Re: PunBB 1.2.13

Hey, ONE QUESTION!!! I would like to do the update from 1.2.12 to the new one, but I have made a lot of changes and added a lot of mods and themes to 1.2.12. When I do the update, all of that is going to change. Is there a way to upgrade PunBB 1.2.12 to 1.2.13 and keep the same settings as before, or do I have to do everything again?

Re: PunBB 1.2.13

greatcan, look at this page: http://punbb.org/download/hdiff/hdiff-1 … .2.13.html

You just need to add the first set of blue lines and change the first set of green lines.

Re: PunBB 1.2.13

guardian34, thanks!!


Re: PunBB 1.2.13

Thanks. :)

Hmmm.

(edited by Jasoco 2006-09-28 00:21)

Re: PunBB 1.2.13

Doesn't work. If I put it in, the Admin Options page gives an error until I remove it. Same thing happened when I tried to upgrade from 11 to 12. Errors in most files.

So I just gave up.

I have a weird highly modified version of 1.2.11 on my forum. So I have to manually update via the Difference logs each time.
http://www.jasoco.net/geekpub/index.php

Re: PunBB 1.2.13

What error does it give? And can you paste a copy of your admin options page (with the change put in) so we can see it?


Re: PunBB 1.2.13

Good, "I'm a moron" release finally

[img]http://www.chemicalfusion.net/jords/eddieb.jpg[/img]