Please, look through the list for the bug you have found. If there is no one, then add it.

• Moderation bugs:
  • Incorrect hidden field value on actions with multiple topics (fixed in [898], hotfix in process).
  • XSS vulnerability, reported by PHPLizardo (fixed in [909], hotfix hotfix_13_moderate_xss released).
  • Replies and Views are exchanged in moderate.php, reported by coordinator (fixed in [932]).
  • There is no link to the reports page in the admin menu for moderators, reported by 8k84 (fixed in [940]).
• Markup and language file issues (no hotfixes will be released if the bug results no errors):
  • Incorrect markup of the “download latest version” link (fixed).
  • Missing language file entries for install.php, reported by coolhd (fixed in [891]).
  • Markup issues in the guest post form in post.php, reported by Adelf (fixed in [900]).
  • Markup issues in install.php (fixed in [901]).
  • Incorrect heading set in profile, reported by fantasma (fixed in [902]).
  • Underline is working as italics (post by User33, fixed in [922]).
  • Incorrect message you must copy/upload the file .htaccess from the extras directory in forum settings (topic by esupergood, fixed in [923]).
  • Make “new hotfixes” message more informative, see Forums topic by colak for details (fixed in [923]).
  • Breadcrumbs: Lack of link on topic subject ⇒ no topic permalink at all! (fixed in [924])
  • Wrong appearing of 'sticky' word in search results, reported by teva and User33 (fixed in [910] and [928]).

• Parser bugs
  • Incorrect quote tag parsing (reported by teva, fixed in [969]).
  • Incorrect URL handling (reported by 8k84, fixed in [970]).
• Sequrity issues (reported by Stefan Esser, hotfixes have been released):
  • possible XSS in login;
  • potential SQL-injections in admin/settings.php via configuration values;
  • potential SQL-injections at admin/users.php page.
• There is no ' class=“isactive”' in the Profile link in the main navigation menu (fixed in [964]).

• User count in user search results is displayed incorrect (reported by 8k84, fixed in [1065]).
• Messages in feeds are shown as they are stored in DB, without parsing (reported by alpha2zee, fixed in [1070]).
• Incorrect layout in viewforum.php when “Topic views” is disabled (reported by burina, fix by AracornRed in [1073]).
• Incorrect hooks positions (reported by Cereal, YonasH, Strofanto; fixed in [1068], [1079]).
• Markup issues and hooks location in moderate.php, search.php, viewforum.php ([1073], [1089] and [1092]).
• IE6 CSS issues (reported by Ishimaru Chiaki, 8k84, fixed in [1106] and [1113]).
• The usage of language pack at the final stage of installing process (reported by Dan_y2k, fixed in [1108]).
• Incorrect HTTP response code (503 instead 404) for non-existent pages when SEF is enabled (reported by commanche, fixed in [1118]).

• Inverse numbering of previous posts on post preview (reported by maststef, fixed in [1162]).
• Possible XSS vulnerability in profile.php on password and e-mail change (reported by Richard Sammet, fixed in [1164], hotfix hotfix_133_xss_attack_in_profile released).

• Seems like checking of csrf tokens does not involve correspondent timeout in a right way (fixed in [1325], fix by bedroom).
• One can't post in a forum if there is only post permission (reported by Cereal).
• Unsubscribe CSS issue: https://punbb.informer.com/forums/post/122868/#p122868
• Just after installing the 'online' table takes a lot of diskspace on some systems (for example, 1.6 Mb on PHP: 4.4.9, Accelerator: eAccelerator, DB: MySQL Standard 4.1.22; see also a topic on forums).
• Updating script (admin/db_update.php) issues?

• CSS & markup.
• Missing lang entries on language files.
• Correct path and alerts on install.
• Fixed typos and more.

• XSS vulnerabilities described on https://punbb.informer.com/forums/post/141236/#p141236
• Error with bans in admin/bans.php and profile.php
• Invalid closing tag described on issue #32.

We provide the details of some fixed security bugs here.

A topic title was not converted to HTML in forum moderation. A user could steal moderator's & administrator's session by injecting JavaScript in the topic title.

• Reported by PHPLizardo.
• Forum versions vulnerable: PunBB 1.3
• Vulnerability type: XSS
• Fixed in [909].
• Hotfix hotfix_13_moderate_xss released.

Password field value (set directly from POST-request) was not properly escaped, so that one could use it to execute JavaScript. CSRF confirm message would be displayed.

• Reported by Stefan Esser.
• Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
• Vulnerability type: XSS
• Fixed in [962].
• Hotfix hotfix_131_xss_attack_in_login released.

The values of $_POST['order_by'] and $_POST['direction'] were escaped, but not logically checked before using in SQL query at the Administration ⇒ Users page. One could execute any SQL query via making administrator to send a POST-request (e.g. giving him a link to the specially formed page). CSRF confirm message would be displayed.

• Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
• Reported by Stefan Esser.
• Vulnerability type: SQL injection
• Fixed in [963].
• Hotfix hotfix_131_sql_injection_in_admin_users released.

The values of configuration options were not checked before using in SQL query at Administration ⇒ Settings page. One could execute any SQL query via making administrator to send a POST-request (e.g. giving him a link to the specially formed page). CSRF confirm message would be displayed.

• Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
• Reported by Stefan Esser.
• Vulnerability type: SQL injection
• Fixed in [965].
• Hotfix hotfix_131_sql_injection_in_admin_settings released.

• PunBB 1.3 hotfixes
• PunBB roadmap

• PunBB 1.3 bug reports forum in PunBB Forums.