I've got a question about the following change:
Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.
I have a PunBB integrated in a custom CMS and all the scripts use an object $db for database access. Almost the same as PunBB's one, but not exchangable. My $db is created in the include files, and this used to work because this was done in footer.php, after all PunBB's database queries were done. In the new version this happens in header.php, so the CMS's $db overwrites PunBB's CMS.
I've changes the include code back from header.php to footer.php (with the extension check), but what are the risks of having it there?
With an XSS vulnerability, a malicious user could execute any file in the include/user directory with those file endings as PHP. So if you also had an upload form somewhere where the directory could be manipulated, someone could potentially execute arbitrary PHP if they found an XSS vulnerability in PunBB.
I don't quite understand what the real danger is. If there was a wrong upload forum and someone could upload a PHP file to the /include/user directory, this would is still not included, unless also some template is modified. And if a hacker could do that, it would also be possible to directly modify some of PunBB's files. Or am I missing something?