Topic: PunBB 1.0.1
A cross-site scripting issue involving the img tag and client-side scripting has been discovered in PunBB 1.0. The issue has been resolved in PunBB 1.0.1, which can now be downloaded from the download page. Apart from the security fix, PunBB 1.0.1 includes the following changes:
- Fixed moderator username not being updated in the forum moderator list when he/she changes his/her username (thanks Magoo!).
- Replaced all calls to htmlspecialchars() with pun_htmlspecialchars(). The function is identical to the PHP version but doesn't translate &#xxxx-style entities. This way a lot of non-ISO-8859-1 charsets will still be viewable regardless of the Content-Type meta tag.
- Implemented workaround for searching in multibyte character text. I'm not 100% sure it works, but it should at least work better than before.
- Added operating system to the admin index page statistics.
- Added named anchors to the different help sections in help.php. Links to the help document from other scripts now point directly to the section of interest. Thanks to Frank H for the suggestion!
- Removed the language choice from the install script. PunBB will be distributed with the English language pack only. Other languages will have to be downloaded from the website.
- Fixed typo in Swedish language file for delete.php (thanks Grillcliff!).
- Fixed error on admin index page when using "exotic" characters in the database name.
As usual, update instructions can be found in docs/install.html.
A big thanks goes out to frog-m@n from http://www.phpsecure.info/ who discovered the vulnerability and was kind enough to give me due time to fix it. I owe you one, man! :)
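
The entity-preserving escape described in the pun_htmlspecialchars() changelog item above, sketched as an added PHP example that is not PunBB's own code. The function name, the decimal-only entity pattern, the extra single-quote escape and the sample strings are assumptions made here.

```php
<?php
// Added example, not PunBB's code. The function name is hypothetical.
function escape_keep_numeric_entities(string $str): string
{
    // Escape every '&' except one that starts a decimal numeric
    // entity such as &#1234; (assumed meaning of "&#xxxx style").
    $str = preg_replace('/&(?!#[0-9]+;)/', '&amp;', $str);

    // Escape the remaining HTML metacharacters. The single quote is
    // included here as an assumption, for single-quoted attributes.
    return str_replace(
        ['<', '>', '"', "'"],
        ['&lt;', '&gt;', '&quot;', '&#039;'],
        $str
    );
}

// Constructed sample inputs.
$samples = [
    'markup'          => '<b class="x">hi</b>',
    'numeric entity'  => 'Caf&#233; &#1087;&#1088;&#1080;&#1074;&#1077;&#1090;',
    'bare ampersand'  => 'Tom & Jerry',
    'named entity'    => '&lt;b&gt;',
    'encoded bracket' => '&#60;b&#62;',
];

foreach ($samples as $label => $in) {
    printf(
        "%-16s %s\n  htmlspecialchars: %s\n  entity-keeping:   %s\n",
        $label,
        $in,
        htmlspecialchars($in, ENT_QUOTES),       // re-escapes every '&'
        escape_keep_numeric_entities($in)        // leaves &#NNN; intact
    );
}
```

The `encoded bracket` sample passes through unchanged and a browser shows it as the literal text `<b>`, not as markup, so the output is still safe in element content. Entities inside an attribute value are decoded before the browser interprets that value, so any URL scheme check on user-supplied links or image sources has to run on the decoded string.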