• From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Topic: PunBB 1.2.13

Yesterday, I posted about the supposed "poison NULL byte vulnerability". I ranted on about how PunBB wasn't vulnerable and how I disliked the way vulnerability databases worked. Guess what? I was wrong! Through the help of a very nice editor at CVE, I was able to get in touch with the researcher behind the report and he clarified the issue for me. I had completely misunderstood what the vulnerability was about. Turns out I was wrong both on the vulnerability and in my generalization of how bad vulnerability databases work. I'm sorry for that.

So, today I have the pleasure of announcing PunBB 1.2.13. A release I've internally dubbed the "I'm a moron" release. PunBB 1.2.13 deals with the NULL byte injection vulnerability and adds support for HttpOnly cookies. The NULL byte injection is only exploitable by administrators so there's no need to rush. Nevertheless, I recommend that everyone upgrade.

Small note: If you have a look at the patch and the hdiff for this release, you'll notice there are what appears as non-existent changes in the unregister_globals() function. Nevermind these. It's just an update to get rid of some Windows style linebreaks.

Over and out.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: TX, US
  • Registered: 2004-09-28
  • Posts: 46

Re: PunBB 1.2.13

Thank you for the update.  I had noticed it on the download page, but didn't see it announced yet.

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.13

One note about the NULL byte injection: it requires Administrator level access to be taken advantage of.

And I'd like to apologize as well. While this whole incident was taking place (and while we still thought the vulnerability was a fake), I was emailing the various advisory sites claiming that the vulnerability was a fake. They were all very nice and responded in a timely fashion and I feel bad for taking up their time when it turned out I was wrong tongue

4 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PunBB 1.2.13

Will you be sending out announcements?

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • From: Moscow
  • Registered: 2006-08-22
  • Posts: 21

Re: PunBB 1.2.13

Woo-hoo! Great!

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Michael aka Emilien's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: PunBB 1.2.13

Good to see smile

7 Reply by Ludo

  • Ludo
  • Senior Member
  • Offline
  • From: France, Poitiers
  • Registered: 2004-06-23
  • Posts: 527

Re: PunBB 1.2.13

Hi,

What about the newsletter? I haven't received any notification for that release.

Ludo,

Actualité haut débit en lien avec Free Adsl
Programme télé TNT

Ludo's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.13

Ludo wrote:

Hi,

What about the newsletter? I haven't received any notification for that release.

Ludo,

I'll try to get that out tonight. I can't send it from home anymore, so I'll have to write up some script to do it on the server.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

9 Reply by Bibby (edited by Bibby 2006-09-27 14:18)

  • From: China
  • Registered: 2006-09-27
  • Posts: 46

Re: PunBB 1.2.13

I installed punbb-1.2.12 yesterday, but i found 1.2.13 was released this morning sad ( or smile ?)

A new forum powered by punbb-1.2.13(Chinese):
http://www.bsdlife.org/bbs

Thanks to punbb team smile

Bibby's Website

10 Reply by savasweb (edited by savasweb 2006-09-27 14:27)

  • Registered: 2005-02-28
  • Posts: 11

Re: PunBB 1.2.13

1.2.12  to 1.2.13  code changes ? thank you punbb team smile

11 Reply by guardian34 (edited by guardian34 2006-09-27 15:55)

  • Registered: 2006-06-05
  • Posts: 410

Re: PunBB 1.2.13

savasweb wrote:

1.2.12  to 1.2.13  code changes ?

Rickard linked to them in the first post.

Edit: The changes are also linked in the downloads page.

  • Registered: 2006-05-04
  • Posts: 326

Re: PunBB 1.2.13

When whill punbb 1.2.13 kom on Norwegian???

PunBB, the FluxBB of tomorrow - today!
  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.13

grudon66: It is available in Norwegian. Just use the language pack from the download page.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Registered: 2006-05-04
  • Posts: 326

Re: PunBB 1.2.13

Ok,Thanx,Wow PunBB 1.2.13 is great big_smile

PunBB, the FluxBB of tomorrow - today!
  • Frank H
  • Former PunBB Developer
  • Offline
  • Registered: 2003-03-16
  • Posts: 1,423

Re: PunBB 1.2.13

Thnx!
Updated ... still within the 24h limit I've set for myself wink

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.13

The newsletter is going out as we speak.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

17 Reply by Limber

  • From: Linköping, Sweden
  • Registered: 2005-07-20
  • Posts: 93

Re: PunBB 1.2.13

Got it, thanks! Very humble post, thumbs up for that, too. smile

Aftonbörsens skapare. Var med och starta något roligt och stort du med!

Limber's Website

18 Reply by mi

  • mi
  • Member
  • Offline
  • From: Åland Islands
  • Registered: 2004-10-13
  • Posts: 91

Re: PunBB 1.2.13

GOOD job, Rickard! Updated live with changed files only - as always: Works like a charm.

New Friendly web-shop! • SO happy with PunBB! • Now punBB 1.4.x on ALL forums (won't tell how many or their addresses to avoid spam-regs)

mi's Website

  • Registered: 2006-09-21
  • Posts: 13

Re: PunBB 1.2.13

Hey ONE QUESTION!!! I would like to do the update from 1.2.12 to the new one but I have done a lot of changes and added a lot of mods and themes to the one 1.2.12. When I do the update all of that is going to change is there a way to upgrade the PunBB 1.2.12 to the 1.2.13 and have the same settings as before??? or do I have to do everything again?

  • Registered: 2006-06-05
  • Posts: 410

Re: PunBB 1.2.13

greatcan, look at this page: http://punbb.org/download/hdiff/hdiff-1 … .2.13.html

You just need to add the first set of blue lines and change the first set of green lines.

  • Registered: 2006-09-21
  • Posts: 13

Re: PunBB 1.2.13

guardian 34
thanks!!

22 Reply by Rich

  • Rich
  • Rich
  • PunBB Donor
  • Offline
  • From: Göteborg, Sweden
  • Registered: 2002-10-13
  • Posts: 57

Re: PunBB 1.2.13

Thanks. smile

Hmmm.

23 Reply by Jasoco (edited by Jasoco 2006-09-28 00:21)

  • From: Doylestown, PA
  • Registered: 2006-01-15
  • Posts: 41

Re: PunBB 1.2.13

Doesn't work. If I put it in, the Admin Options page gives an error until I remove it. Same thing happened when I tried to upgrade from 11 to 12. Errors in most files.

So I just gave up.

I have a weird highly modified version of 1.2.11 on my forum. So I have to manually update via the Difference logs each time.
http://www.jasoco.net/geekpub/index.php

Jasoco's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.13

What error does it give? And can you paste a copy of your admin options page (with the change put in) so we can see it?

25 Reply by wfox

  • wfox
  • Member
  • Offline
  • Registered: 2005-11-19
  • Posts: 14

Re: PunBB 1.2.13

Good, "I'm a moron" release finally

[img]http://www.chemicalfusion.net/jords/eddieb.jpg[/img]