Which it does...
6,426 2005-11-17 11:28
Re: Mark topics as read v1.1 (92 replies, posted in PunBB 1.2 modifications, plugins and integrations)
6,427 2005-11-17 11:26
Re: Forum Description (14 replies, posted in PunBB 1.2 bug reports)
This was a fix for 1.2.6 (which I believe was put into 1.2.7)
What are you talking about?
6,428 2005-11-16 23:52
Re: INFO: Bad HTTP_REFERER (180 replies, posted in PunBB 1.2 troubleshooting)
Smartys wrote:
http://namb.la/popular/tech.html
#9 on that list
I'm about 90% through getting my head around this totally, so could still be wrong.
It looks like the above is only possible because the 'attacker' was able to run Javascript code in the context of the MySpace site. As a result, this code could know any cookie information it needed, and create an HTTP GET request supplying that cookie info in order to obtain the 'secret' token MySpace include in the form.
If I merely follow a link from my PunBB forum - even while logged in - to a malicious site, that site can send an HTTP request to my PunBB forum admin pages, but where will it get the cookie from? Without the cookie, PunBB won't give it the secret token; it can make my browser submit to the PunBB admin section, but the submission will lack the secret token, and nothing will happen.
You're probably right, it's probably only possible because they're on the same domain (well, almost, but the cookie is set to .myspace.com).
Edit
The reason why I'm not keen on all this referrer checking is because I long since learned that you can't rely on the referrer to be there when you want it, and it's just too easy to falsify.
The MySpace exploit uses XMLHTTPRequest to do all the 'clever' stuff... and guess what, one of the options you have is to set any HTTP header. So, you could just make up an HTTP Referrer.
Try this URL or Google for xmlhttprequest:
http://en.wikipedia.org/wiki/XMLHTTP
Yes, you could
But, like you said, he was in the context of the MySpace site. Like #8 said: "No big deal, however XML-HTTP won't allow GETs/POSTs to sites with a different domain name". So, the request wouldn't work. You might be able to do it using XSS vulnerabilities, but if there's an XSS vulnerability, you can also grab cookie values directly
6,429 2005-11-16 17:01
Re: change the date of a post (6 replies, posted in PunBB 1.2 discussion)
posted in the posts table
It's a unix timestamp
6,430 2005-11-16 17:00
Re: Hidden groups (6 replies, posted in Feature requests)
Erm, that's exactly what forum reading permissions do?
If they can't read it, they don't know it exists
6,431 2005-11-16 15:35
Re: Some Newbie How-To's Questions (16 replies, posted in PunBB 1.2 troubleshooting)
Check phpinfo(), see if allow_url_fopen is enabled
6,432 2005-11-16 11:36
Re: Some Newbie How-To's Questions (16 replies, posted in PunBB 1.2 troubleshooting)
1. Check out extern.php
2. You would add the link to the navbar on top using the Additional Navlinks. The "template", I assume, is the basic structure of the page: you just fill it with data
6,433 2005-11-16 00:20
Re: avatar directory (6 replies, posted in PunBB 1.2 troubleshooting)
Mod the function in profile.php that uploads avatars so that one forum appends something to the filename?
6,434 2005-11-15 22:41
Re: Fatal error :( (6 replies, posted in PunBB 1.2 troubleshooting)
I can't see the contents of those files
And tbh, the best way to do it (assuming that's your only mod) is to upload a clean copy of 1.2.10 and remod it
6,435 2005-11-15 22:33
Re: Fatal error :( (6 replies, posted in PunBB 1.2 troubleshooting)
Looks like you added the Mark topics as read mod but replaced your functions.php file
2 ideas:
1. Upload a clean copy of PunBB 1.2.10, reapply the mod (minus the DB part)
2. Simply remod the stuff you wrote over
6,436 2005-11-15 17:54
Re: Sub-domains and logins (13 replies, posted in PunBB 1.2 troubleshooting)
I have the same with Windows XP, IE 6.0
6,437 2005-11-15 16:17
Re: INFO: Bad HTTP_REFERER (180 replies, posted in PunBB 1.2 troubleshooting)
http://namb.la/popular/tech.html
#9 on that list
6,438 2005-11-15 02:11
Re: Problem please help iam new. (5 replies, posted in PunBB 1.2 troubleshooting)
Thanks Jesus. I was waiting for help for a long time...
You waited 40 mins :-/
6,439 2005-11-15 00:09
Re: Cookies and normal logout (6 replies, posted in PunBB 1.2 troubleshooting)
Try changing the cookie name as well then: people will all be forced to login again
6,440 2005-11-15 00:08
Re: INFO: Bad HTTP_REFERER (180 replies, posted in PunBB 1.2 troubleshooting)
Rickard wrote:
Aha. Maybe that was in a different topic.
Without the referrer check, it would be possible for a malicious user to construct a web page somewhere and then trick an admin or a moderator to visit that page. On the page, a hidden form would be posted via Javascript that posts to a page in the forums (an admin page or maybe someones profile). It would be easy to e.g. upgrade a user to admin status. However, with the referrer check, this wouldn't be allowed because the forums would check the referrer and notice that the form was posted from somewhere outside the forums.
I've been thinking about this problem.
I haven't tested it, but... the above scenario seems to be possible because when our hapless admin posts a form hosted on rogue.example.net site to punbb.example.com, their browser will helpfully send back cookies related to punbb.example.com and not rogue.example.net; the session will be valid, the form submission will go through. There's nothing in the form itself to validate whether it's genuine or not.
So, on the genuine admin page forms, why not output the session id in a hidden form field? This can then be checked with the form submission. The rogue site can't know in advance what session id to hack up in their nasty little form - and if they do know, then they don't need the form in the first place. You're already sending these cookies out in the clear in the HTTP headers, so having an admin being able to see it via View Source is no worse than being able to see it via View Cookies.
A variant on the above is to generate (and track) some new token especially for the purpose, perhaps cryptographically related to the session id. But I'm not sure that's necessary.
I think this would be less problematic than the referrer checking... which just bit me because I have more than one way of getting into my test site.
I saw someone get around a MySpace requirement just like this. If you want, I'll find the page of how they did it
To be clear, "this" means a hidden form field that needed to be passed
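The hidden-field approach discussed above, as an added example that is not PunBB's own code: the token is an HMAC of the session id under a server-side secret (the "cryptographically related" variant), so a rogue page that can only make the browser send the cookie cannot compute it, and the raw session id never has to appear in the HTML. The function names, `$server_secret` and the sample session id are constructed for illustration.

```php
<?php
// Added example, not PunBB code. A per-session anti-CSRF token derived from
// the session id with a server-side secret. No server-side storage is needed:
// the token is recomputed from the cookie's session id on every submission.

function csrf_token(string $session_id, string $server_secret): string
{
    // Domain-separated HMAC so the value cannot be confused with other MACs.
    return hash_hmac('sha256', 'csrf:' . $session_id, $server_secret);
}

// Emit the hidden field on the genuine admin form.
function csrf_hidden_field(string $session_id, string $server_secret): string
{
    $token = csrf_token($session_id, $server_secret);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Check the submission: a valid cookie alone is no longer enough.
function csrf_check(array $post, string $session_id, string $server_secret): bool
{
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;                      // rogue form: token missing
    }
    $expected = csrf_token($session_id, $server_secret);
    return hash_equals($expected, $post['csrf_token']); // constant-time compare
}

// Demonstration with constructed values (load the real secret from config).
$server_secret = 'constructed-server-secret-placeholder';
$session_id    = 'a1b2c3d4e5f6';          // constructed session id

echo csrf_hidden_field($session_id, $server_secret), "\n";

$genuine = ['csrf_token' => csrf_token($session_id, $server_secret)];
$forged  = [];                              // cookie sent by browser, no token
$stale   = ['csrf_token' => csrf_token('other-session', $server_secret)];

var_dump(csrf_check($genuine, $session_id, $server_secret));
var_dump(csrf_check($forged, $session_id, $server_secret));
var_dump(csrf_check($stale, $session_id, $server_secret));
```

Because the check depends only on the cookie and the secret, it keeps working when the admin reaches the site through any hostname, which is the case the referrer check broke.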
6,441 2005-11-14 11:37
Re: A demo for potential users? (2 replies, posted in PunBB 1.2 discussion)
It does not have post approval moderation: that is going to be a feature in 1.3
6,442 2005-11-14 11:32
Re: login page dosent work (5 replies, posted in PunBB 1.2 troubleshooting)
I can't even load that site, it just times out
6,443 2005-11-14 11:30
Re: phpnuke -> punbb (32 replies, posted in PunBB 1.2 troubleshooting)
It's right on the download page...
6,444 2005-11-14 11:29
Re: Manually adding new members (2 replies, posted in PunBB 1.2 troubleshooting)
6,445 2005-11-14 00:57
Re: Converting from IPB with subforums? (10 replies, posted in PunBB 1.2 discussion)
OK, one more question
You have, say, this: http://www.highend3d.com/boards/index.php?showforum=286
Then you have this: http://www.highend3d.com/boards/index.php?showforum=307
Then you have this: http://www.highend3d.com/boards/index.php?showforum=314
Then you have this: http://www.highend3d.com/boards/index.php?showforum=315
Then you have this: http://www.highend3d.com/boards/index.php?showforum=316
And finally you have this: http://www.highend3d.com/boards/index.php?showforum=317
Now, is 286's parent_id -1?
And are you certain the subforum mod supports subforums to that degree (I've never used it or looked at the code, so I can't tell)
6,446 2005-11-14 00:16
Re: Converting from IPB with subforums? (10 replies, posted in PunBB 1.2 discussion)
Mmm, this might take a bit of work
Sec
Do you have more than 1 category?
6,447 2005-11-13 23:40
Re: Converting from IPB with subforums? (10 replies, posted in PunBB 1.2 discussion)
Mmm, that would be a good idea
smartys@gmail.com
6,448 2005-11-13 23:15
Re: [Release] PunBB Backup v1.0 (31 replies, posted in PunBB 1.2 modifications, plugins and integrations)
Use the DB management plugin
6,449 2005-11-13 23:12
Re: Converting from IPB with subforums? (10 replies, posted in PunBB 1.2 discussion)
You can use the patch file or the hdiff
and a few hundred subforums? :-/
Let me check out the converter code, see if there's a hack
Edit: Since I know very little of the DB structure of IPB, do you have "categories" and "forums", with forums being subforums?
6,450 2005-11-13 23:02
Re: Converting from IPB with subforums? (10 replies, posted in PunBB 1.2 discussion)
I'd do a test conversion on a backup of the forum first, to see how it converts.
What should happen is that every forum will become a normal forum. Then, install the sub forum mod and turn the appropriate forums back into subforums