• From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Topic: PunBB 1.2.4

It's that time again. I had hoped to not have to release an update for a while, but security in web applications is a tricky thing. Nevertheless, I'm happy to announce the release of PunBB 1.2.4. This release has been made to remedy a few security vulnerabilities (primarily an XSS bug in profile.php) as well as fix a few minor glitches and annoyances.

Thanks to smartys for reporting most of the bugs fixed in this release and for reporting security vulnerabilities directly to me AND giving me due time to fix/release. I wish I could say the same regarding some of the other bugs. If you find a vulnerability in PunBB, please e-mail it to me. Posting it directly to various "security bulletins" only makes life more difficult for me and for all PunBB users. I have no problem with PunBB vulnerabilities showing up on e.g. Bugtraq, but only if there is a bugfix release available at the time it is posted.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

Upgrading time, goodie smile
btw Rickard: I just did some looking up on the bug tracking sites. It seems John Gumbell deserves the credit for the profile.php bug and null activation keys, he found it in 1.2.1 wink

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.4

Which profile.php bug?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

4 Reply by Smartys (edited by Smartys 2005-03-18 23:16)

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

The one that allowed you to set a user's password to '' or NULL, can't remember which

http://seclists.org/lists/bugtraq/2005/Feb/0499.html

A remote attacker without an account can set the password
of any user on the system to NULL, effectivley shuting
them out of the system.

Very interesting combo that made (with the other one in profile.php he posted there)

5 Reply by dot

  • dot
  • Member
  • Offline
  • From: Rocky Mountains
  • Registered: 2004-07-30
  • Posts: 31

Re: PunBB 1.2.4

Is it safe to overwrite the new style/oxygen.css and oxygen_cs.css files with the old ones from version 1.23?

I always have to ask about these file with each update. Is there a way for me to find out on my own?

6 Reply by Smartys (edited by Smartys 2005-03-18 23:34)

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

Compare the files in some manner?
(I don't think there were CSS changes for this version)

Lemme check something...

Edit: It appears that if you download the "changed files only" and there's a stylesheet there, there was a change smile

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: PunBB 1.2.4

there are no css changes you can check the hdiff on the download page

FluxBB.
Connorhd.co.uk.

Connorhd's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

Mmm, that too

9 Reply by Ataxy

  • Ataxy
  • Senior Member
  • Offline
  • From: Montreal,Canada
  • Registered: 2004-06-07
  • Posts: 287

Re: PunBB 1.2.4

oh no and me who had just finish reinstalling all the mods

Ataxy's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

hdiffs are wonderful for that case tongue

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: PunBB 1.2.4

Oh, Rickard: you might want to word the announcement box a little differently. It's been the same since 1.2.2 and, frankly, if I didn't have an account and were just checking, I might miss it tongue

12 Reply by Ataxy

  • Ataxy
  • Senior Member
  • Offline
  • From: Montreal,Canada
  • Registered: 2004-06-07
  • Posts: 287

Re: PunBB 1.2.4

Smartys wrote:

hdiffs are wonderful for that case tongue

yeah i guess ill go true but i prefer those txt file that you open up and it says "open blahblah.php", "go to line 111", "after add line of code" cuz those hdiff page are often bugging me with there huge width

Ataxy's Website

  • From: Bedford, VA, USA
  • Registered: 2005-02-04
  • Posts: 253

Re: PunBB 1.2.4

do you have the changeset for 1.2.4?

shinko_metsuo's Website

14 Reply by Ataxy

  • Ataxy
  • Senior Member
  • Offline
  • From: Montreal,Canada
  • Registered: 2004-06-07
  • Posts: 287

Re: PunBB 1.2.4

wow there was less to change then i tought thx for the good work there Rickard

Ataxy's Website

15 Reply by Rod

  • Rod
  • Senior Member
  • Offline
  • From: Rouen, France
  • Registered: 2004-07-19
  • Posts: 591

Re: PunBB 1.2.4

I cry ....

Waiting 1.3 ...

smile

http://www.sortons.net
http://www.fantasya.net

Rod's Website

16 Reply by Ataxy

  • Ataxy
  • Senior Member
  • Offline
  • From: Montreal,Canada
  • Registered: 2004-06-07
  • Posts: 287

Re: PunBB 1.2.4

dont cry whe are all waiting well actualy i am quite interested at seeing v29.3 lol

Ataxy's Website

17 Reply by subigo

  • Registered: 2005-03-01
  • Posts: 37

Re: PunBB 1.2.4

Forgive me if this is a stupid question...

But right now I am running version PunBB 1.2.2 - I want to upgrade to 1.2.4, but I have a lot of mods that I dont want to overwrite. So I am going to manually do the changes with the information from the Hdiff file.... My question is this:

Do I first need to follow the changes from 1.2.2 > 1.2.3? Or can I just skip straight to the Hdiff file for 1.2.4? Sorry if it's a stupid question, I just dont want to do any work that doesnt need to be done.

Thanks

FREE web hosting: www.subnixus.com

subigo's Website

  • From: Denver, CO
  • Registered: 2004-04-06
  • Posts: 43

Re: PunBB 1.2.4

I'd compare 1.2.4 with your modded version and make changes as necessary.

alexkingorg's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.4

subigo: Just use the 1.2.2 to 1.2.4 hdiff or patch. You can find it in the hdiff directory by browsing the download archive.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.4

Smartys: You were right about the profile.php bug. I must have forgotten about it in 1.2.2 and 1.2.3. Very strange. Oh well, it's closed now smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Registered: 2005-02-28
  • Posts: 51

Re: PunBB 1.2.4

And for 1.3? (I'm using it) how can I downgrade from 1.3 to 1.2.4?

Sorry for my french english.
GT4 Club driver France & Forum - Lingerie.

Romuald's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.4

Romulald: You can't. Well, you can, but you'd have to do it manually. PunBB 1.3 hasn't even been released.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

23 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: PunBB 1.2.4

Rickard wrote:

PunBB 1.3 hasn't even been released.

I was looking at the timeline: http://dev.punbb.org/timeline

How can we tell what made it into 1.2.4 and what's still waiting on 1.3?

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: PunBB 1.2.4

hcgtv: Clicking at the individual changesets reveals whether they are applied to trunk (1.2.*) or the 1.3 branch.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • Registered: 2005-03-15
  • Posts: 3

Re: PunBB 1.2.4

wow, v1.2.4 already!!! couldn't believe that. Anyway, I am a new PunBB user. I migrate from phpBB to PunBB and have v1.2.2. I decided to upgrade my v1.2.2 to 1.2.4 but I am getting confused here. Will I lost my members if I upgrade the older version without backup? Jeee:) please, don't laugh at me I am new in PunBB world.