Re: PunBB 1.2.15

mi wrote:

Changelog:

*  Beefed up the referrer check in admin/options.

What is this?

Before, the referrer check (the check used to make sure your forms are being submitted from a legitimate page) for that page was more lax than the one used on other pages (because the base URL could be set on the page). For security reasons, the referrer check there is now stricter.


Re: PunBB 1.2.15

Thank you, Rickard.

Just finished the hdiff fun!

Re: PunBB 1.2.15

tomekf wrote:

I have question about index in table online. Now phpmyadmin says:

UNIQUE and INDEX keys should not both be set for column `user_id`

Is it correct?

Seems like that's a PMA bug: http://sourceforge.net/tracker/index.ph … tid=377408

Re: PunBB 1.2.15

Can someone explain to us why the <pun_include "foobar.php"> in footer.php has disappeared?

Re: PunBB 1.2.15

foxmask wrote:

Can someone explain to us why the <pun_include "foobar.php"> in footer.php has disappeared?

http://dev.punbb.org/changeset/937

(edited by Mariwal 2007-04-12 12:36)

Re: PunBB 1.2.15

Hello, I'm new. I'm using 1.2.14 and I installed a lot of mods. I read that the best way is to run the patch files to update to 1.2.15.

I read the instructions on how to patch, but I use Windows. How do I do this:

"Then, issue the following command in your shell:

patch -ul -d [punbb_dir] -p2 < [patch_file]"


Really sorry if this is a newbie question; I already searched the forums for the "patch" thing and didn't find it.

PS: Thank you for PunBB. I installed all the forums listed on opensourcecms.com on my localhost, and PunBB is the best. I'm using PunBB on all my sites. :)

Re: PunBB 1.2.15

You might want to install a Unix shell and environment emulation, like Cygwin; that *might* work.

If not, by hand with the hdiff.

Re: PunBB 1.2.15

Mariwal wrote:

I read the instructions on how to patch, but I use Windows. How do I do this:
"Then, issue the following command in your shell:
patch -ul -d [punbb_dir] -p2 < [patch_file]"

With PuTTY SSH:
http://www.chiark.greenend.org.uk/~sgta … nload.html

(edited by Mariwal 2007-04-12 18:20)

Re: PunBB 1.2.15

Thank you, Jérémie and spytrdr :)


UPDATE: I discovered that my server doesn't support access via shell (security reasons).

Well, now I have to do this by hdiff... ONE question: to update, do I just follow all the steps from the hdiff? Or do I need to do something else?

Thanks again :)

UPDATE again :) Now I've read the docs heheheheh :) I need to run the update script in extras :)


Re: PunBB 1.2.15

Does this fix the "PunBB <= 1.2.14 Remote Code Execution Exploit" in search.php?action=show_new that was released recently?

(edited by thegleek 2007-04-12 20:16)

Re: PunBB 1.2.15

tomekf wrote:

When will the hdiff be ready? I need to update my forums manually.

Yes, hdiff FTW. This is the MAIN reason why I absolutely LOVE PunBB. My forums are -so- mega-modified that any instance of an upgrade would downright kill them. hdiff, while a tedious process, works 100% smoothly with every upgrade... kudos to the PunBB team for that!

~thegleek

Re: PunBB 1.2.15

MyBestBB premod version updated to PunBB 1.2.15; this diff is the first to require so much work from me (20 added mods make it harder to integrate...).
The diff is here: http://trac.ww7.be/trac.ww7.be/changeset/26. Comments welcome on http://mybestbb.ww7.be/

Re: PunBB 1.2.15

e- wrote:

Does this fix the "PunBB <= 1.2.14 Remote Code Execution Exploit" in search.php?action=show_new that was released recently?

Yes, that specific exploit takes advantage of 3 vulnerabilities in versions <= 1.2.14, but requires the site to be running a somewhat out-of-date version of PHP, register_globals to be on, ini_get to be disabled (or stopped from working properly), and a version of MySQL >= 4.1. Any sites that do match those criteria should be updated ASAP.

Re: PunBB 1.2.15

Thanks, Rickard and the Team!

Took me a couple of hours (I have a lot of mods), but it is nice to know I have the most secure site possible.

Keep up the good work.

Re: PunBB 1.2.15

I think I found a typo on the new version.

in include/functions.php, line 1070, shouldn't:

if ($register_globals === "" || $register_globals === "0" || strtolower($register_globals === "off"))

be changed to:

if ($register_globals === "" || $register_globals === "0" || strtolower($register_globals) === "off")

i.e., we want to pass $register_globals to strtolower, not the result of comparing it with "off".


Re: PunBB 1.2.15

I've got a question about the following change:

Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.

I have PunBB integrated in a custom CMS, and all the scripts use an object $db for database access. It's almost the same as PunBB's, but not exchangeable. My $db is created in the include files, and this used to work because this was done in footer.php, after all of PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's.
I've changed the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?

Re: PunBB 1.2.15

505 wrote:

I've got a question about the following change:

Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.

I have PunBB integrated in a custom CMS, and all the scripts use an object $db for database access. It's almost the same as PunBB's, but not exchangeable. My $db is created in the include files, and this used to work because this was done in footer.php, after all of PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's.
I've changed the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?

With an XSS vulnerability, a malicious user could execute any file in the include/user directory with those file endings as PHP. So if you also had an upload form somewhere where the directory could be manipulated, someone could potentially execute arbitrary PHP if they found an XSS vulnerability in PunBB.


Re: PunBB 1.2.15

Jérémie, thank you for the information. Now I'm not afraid to change the indexes on the online table :)

Darmowe forum - Polish free forum hosting

Re: PunBB 1.2.15

hawaiian717 wrote:

I think I found a typo on the new version.

You're absolutely correct. Luckily, this won't have any adverse effects other than that if $register_globals is set to 'Off' or 'OFF' (as compared to 'off'), the unregister_globals code will execute even though it might not be necessary.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
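To make the typo discussed above concrete, here is an added example (not PunBB's code) that puts the predicate as shipped in include/functions.php next to hawaiian717's corrected form and evaluates both over the spellings the check is meant to recognise. The predicate answers "is register_globals off, so unregister_globals() can be skipped?"; a wrong "no" only costs some work, a wrong "yes" would leave request variables registered as globals. The sample values are constructed; the remark about a disabled ini_get returning null under @ describes the PHP of the time and is an assumption about current builds.

```php
<?php
// Added example, not PunBB code: the register_globals predicate shipped in
// 1.2.15's include/functions.php beside the corrected form from the thread.

function register_globals_off_shipped($ini)
{
    // Typo: the comparison's bool result is what reaches strtolower().
    // strtolower(true) === "1" (truthy), strtolower(false) === "" (falsy),
    // so only the exact lower-case spelling "off" is recognised.
    return $ini === "" || $ini === "0" || strtolower($ini === "off");
}

function register_globals_off_fixed($ini)
{
    // The value itself is lower-cased, then compared: "Off"/"OFF" now count.
    return $ini === "" || $ini === "0" || strtolower($ini) === "off";
}

// Constructed sample of values the check has to classify. A disabled ini_get
// (the situation the <= 1.2.14 exploit relied on) returned null under @ on
// the PHP of the day; null matches neither clause in either version, so
// unregister_globals() still runs, which is the fail-safe direction.
$samples = array('', '0', 'off', 'Off', 'OFF', '1', 'on', 'On');

printf("%-6s %-8s %-8s\n", 'value', 'shipped', 'fixed');
foreach ($samples as $v) {
    printf("%-6s %-8s %-8s\n",
        var_export($v, true),
        var_export(register_globals_off_shipped($v), true),
        var_export(register_globals_off_fixed($v), true));
}
```

Running it shows the two predicates agreeing everywhere except 'Off' and 'OFF', where the shipped line returns false and the corrected one returns true; as Smartys says, the only consequence of the typo is an unnecessary run of the unregistering code, never a skipped one.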

Re: PunBB 1.2.15

Cool update! All the old bugs are fixed.


Re: PunBB 1.2.15

Forum updated! Thanks to the team :)


Re: PunBB 1.2.15

Thanks for the perfect job!
Where can I read more about this: "Easy to administrate and moderate"?


Re: PunBB 1.2.15

Smartys wrote:
505 wrote:

I've got a question about the following change:

Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.

I have PunBB integrated in a custom CMS, and all the scripts use an object $db for database access. It's almost the same as PunBB's, but not exchangeable. My $db is created in the include files, and this used to work because this was done in footer.php, after all of PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's.
I've changed the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?

With an XSS vulnerability, a malicious user could execute any file in the include/user directory with those file endings as PHP. So if you also had an upload form somewhere where the directory could be manipulated, someone could potentially execute arbitrary PHP if they found an XSS vulnerability in PunBB.

I don't quite understand what the real danger is. If there was a flawed upload form and someone could upload a PHP file to the /include/user directory, it would still not be included unless some template is also modified. And if a hacker could do that, it would also be possible to directly modify some of PunBB's files. Or am I missing something?


Re: PunBB 1.2.15

Let's say an attacker managed to put <pun_include "backdoor.php"> into his post somehow. This tag would be copied verbatim into the page when the main site content was parsed. So, if PunBB looked for pun_include tags after parsing the main site, it would find the <pun_include "backdoor.php"> from his post and execute it.

So if someone finds a way to insert his own HTML into your site, he will be able to execute arbitrary files from your include directory.

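The replacement-order point made in Smartys' answer and in the post above can be shown with a cut-down model of the template pipeline. This is an added example, not PunBB's header.php: it assumes a template with a <pun_main> tag (where page content goes) and <pun_include "file"> tags, expands the latter with a pattern modelled on the 1.2.15 rule (bare file name, no slash or backslash, allowlisted extension), and uses a temporary directory in place of include/user/ so it runs stand-alone. The template, the "backdoor" file and the attacker's post body are constructed fixtures; the post stands in for content that got past the HTML filter, which is the XSS the thread hypothesises.

```php
<?php
// Added example, not PunBB code: why <pun_include> must be expanded before
// page content is dropped into the template.

// Expand <pun_include "name.ext"> tags found in $tpl from files in $dir.
// The pattern (modelled on 1.2.15, not copied from it) rejects '/' and '\'
// in the name, so ../ traversal is impossible, and allowlists extensions.
function expand_includes($tpl, $dir)
{
    while (preg_match('#<pun_include "([^/\\\\]*?)\.(php[45]?|inc|html?|txt)">#', $tpl, $m)) {
        $path = $dir.'/'.$m[1].'.'.$m[2];
        if (!file_exists($path)) {
            throw new RuntimeException('Unable to process user include '.htmlspecialchars($m[0]));
        }
        ob_start();
        include $path;                      // executed as PHP whatever the extension
        $tpl = str_replace($m[0], ob_get_clean(), $tpl);
    }
    return $tpl;
}

// Pre-1.2.15 order: content first, includes last. A tag smuggled into the
// content is indistinguishable from one written in the template.
function render_old_order($tpl, $content, $dir)
{
    $tpl = str_replace('<pun_main>', $content, $tpl);
    return expand_includes($tpl, $dir);
}

// 1.2.15 order: includes are resolved while the template is still only the
// admin-controlled file; content added afterwards is never scanned for tags.
function render_new_order($tpl, $content, $dir)
{
    $tpl = expand_includes($tpl, $dir);
    return str_replace('<pun_main>', $content, $tpl);
}

// ---- constructed fixture ------------------------------------------------
$dir = sys_get_temp_dir().'/pun_include_demo_'.getmypid();
mkdir($dir, 0700);
file_put_contents($dir.'/sidebar.html', '<p>legitimate sidebar</p>');
// Stand-in for a file that reached include/user/ through, say, a sloppy
// upload form. It only prints a marker; a real one could do anything.
file_put_contents($dir.'/backdoor.php', '<?php echo "[BACKDOOR EXECUTED]"; ?>');

$template = "<body>\n<pun_include \"sidebar.html\">\n<pun_main>\n</body>";

// Post body as it would land in the page if the HTML filter were bypassed.
// The name passes the extension allowlist, so the allowlist alone does not
// help once such a file exists on disk.
$attacker_post = '<p>hi</p><pun_include "backdoor.php">';

$old = render_old_order($template, $attacker_post, $dir);
$new = render_new_order($template, $attacker_post, $dir);

echo 'old order ran backdoor: ', var_export(strpos($old, '[BACKDOOR EXECUTED]') !== false, true), "\n";
echo 'new order ran backdoor: ', var_export(strpos($new, '[BACKDOOR EXECUTED]') !== false, true), "\n";
echo 'new order left the tag as inert text: ', var_export(strpos($new, '<pun_include "backdoor.php">') !== false, true), "\n";

unlink($dir.'/sidebar.html');
unlink($dir.'/backdoor.php');
rmdir($dir);
```

With the old order the marker from backdoor.php appears in the page; with the new order the sidebar include is still expanded but the attacker's tag survives only as text. Two things follow for 505's question: moving the expansion back to footer.php re-creates the old order, and the extension allowlist is a second line of defence against odd file names, not a substitute for expanding tags before untrusted content is present.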

Re: PunBB 1.2.15

This forum is soooo refreshing. It has the cleanest code of any forum I've skinned, which includes IPB, phpBB and more lesser-known ones than I can remember. I'll invariably get to a point in skinning when I have to edit some hard coding until I think "My God, what a mess!" Not so here. PunBB is like a bowel movement after being constipated for a month. Ahhhhhh......

Congrats on a job well done.