Differences
This shows you the differences between the selected revision and the current version of the page.
punbb13:bugs 2008/12/12 16:58 | punbb13:bugs 2020/02/06 11:04 current | ||
---|---|---|---|
Line 5: | Line 5: | ||
* Moderation bugs: | * Moderation bugs: | ||
* Incorrect hidden field value on actions with multiple topics (fixed in [898], [[hotfixes|hotfix]] in process). | * Incorrect hidden field value on actions with multiple topics (fixed in [898], [[hotfixes|hotfix]] in process). | ||
- | * XSS vulnerability, reported by [[http://punbb.informer.com/forums/user/14266/|PHPLizardo]] (fixed in [909], [[hotfixes|hotfix]] [[http://punbb.informer.com/update/manifest/hotfix_13_moderate_xss.xml|hotfix_13_moderate_xss]] released). | + | * XSS vulnerability, reported by [[https://punbb.informer.com/forums/user/14266/|PHPLizardo]] (fixed in [909], [[hotfixes|hotfix]] [[https://punbb.informer.com/update/manifest/hotfix_13_moderate_xss.xml|hotfix_13_moderate_xss]] released). |
* Replies and Views are exchanged in moderate.php, reported by coordinator (fixed in [932]). | * Replies and Views are exchanged in moderate.php, reported by coordinator (fixed in [932]). | ||
* There is no link to the reports page in the admin menu for moderators, reported by 8k84 (fixed in [940]). | * There is no link to the reports page in the admin menu for moderators, reported by 8k84 (fixed in [940]). | ||
* Markup and language file issues (no [[hotfixes]] will be released if the bug results no errors): | * Markup and language file issues (no [[hotfixes]] will be released if the bug results no errors): | ||
- | * Incorrect markup of the "download latest version" link ([[http://punbb.informer.com/trac/changeset/888/punbb/trunk/admin/extensions.php|fixed]]). | + | * Incorrect markup of the "download latest version" link ([[https://punbb.informer.com/trac/changeset/888/punbb/trunk/admin/extensions.php|fixed]]). |
- | * Missing language file entries for install.php, reported by [[http://punbb.informer.com/forums/user/2639/|coolhd]] (fixed in [891]). | + | * Missing language file entries for install.php, reported by [[https://punbb.informer.com/forums/user/2639/|coolhd]] (fixed in [891]). |
* Markup issues in the guest post form in post.php, reported by Adelf (fixed in [900]). | * Markup issues in the guest post form in post.php, reported by Adelf (fixed in [900]). | ||
* Markup issues in install.php (fixed in [901]). | * Markup issues in install.php (fixed in [901]). | ||
- | * Incorrect heading set in profile, reported by [[http://punbb.informer.com/forums/topic/20290/problem-in-profile-change-password/|fantasma]] (fixed in [902]). | + | * Incorrect heading set in profile, reported by [[https://punbb.informer.com/forums/topic/20290/problem-in-profile-change-password/|fantasma]] (fixed in [902]). |
- | * Underline is working as italics ([[http://punbb.informer.com/forums/post/119506/#p119506|post by Garciat]], fixed in [922]). | + | * Underline is working as italics ([[https://punbb.informer.com/forums/post/119506/#p119506|post by User33]], fixed in [922]). |
- | * Incorrect message ''you must copy/upload the file .htaccess from the extras directory'' in forum settings ([[http://punbb.informer.com/forums/topic/20298/incorrect-warning-where-is-the-extras-folder-re-custom-urls/|topic by esupergood]], fixed in [923]). | + | * Incorrect message ''you must copy/upload the file .htaccess from the extras directory'' in forum settings ([[https://punbb.informer.com/forums/topic/20298/incorrect-warning-where-is-the-extras-folder-re-custom-urls/|topic by esupergood]], fixed in [923]). |
- | * Make "new hotfixes" message more informative, see [[http://punbb.informer.com/forums/post/119664/#p119664|Forums topic by colak]] for details (fixed in [923]). | + | * Make "new hotfixes" message more informative, see [[https://punbb.informer.com/forums/post/119664/#p119664|Forums topic by colak]] for details (fixed in [923]). |
* Breadcrumbs: Lack of link on topic subject => no topic permalink at all! (fixed in [924]) | * Breadcrumbs: Lack of link on topic subject => no topic permalink at all! (fixed in [924]) | ||
- | * Wrong appearing of 'sticky' word in search results, reported by [[http://punbb.informer.com/forums/topic/20292/all-topics-show-locked-in-show-recent-view-bug/|teva and Garciat]] (fixed in [910] and [928]). | + | * Wrong appearing of 'sticky' word in search results, reported by [[https://punbb.informer.com/forums/topic/20292/all-topics-show-locked-in-show-recent-view-bug/|teva and User33]] (fixed in [910] and [928]). |
===== PunBB 1.3.1 bugs ===== | ===== PunBB 1.3.1 bugs ===== | ||
* Parser bugs | * Parser bugs | ||
- | * Incorrect quote tag parsing (reported by [[http://punbb.informer.com/forums/topic/20399/wrong-quote-brakes-forum-layout/|teva]], fixed in [969]). | + | * Incorrect quote tag parsing (reported by [[https://punbb.informer.com/forums/topic/20399/wrong-quote-brakes-forum-layout/|teva]], fixed in [969]). |
- | * Incorrect URL handling (reported by [[http://punbb.informer.com/forums/topic/20396/minor-bug-in-parser/|8k84]], fixed in [970]). | + | * Incorrect URL handling (reported by [[https://punbb.informer.com/forums/topic/20396/minor-bug-in-parser/|8k84]], fixed in [970]). |
* Sequrity issues (reported by [[http://www.suspekt.org/|Stefan Esser]], hotfixes have been released): | * Sequrity issues (reported by [[http://www.suspekt.org/|Stefan Esser]], hotfixes have been released): | ||
* [[punbb13:bugs#possible_xss_in_login|possible XSS in login]]; | * [[punbb13:bugs#possible_xss_in_login|possible XSS in login]]; | ||
Line 30: | Line 31: | ||
===== PunBB 1.3.2 bugs ===== | ===== PunBB 1.3.2 bugs ===== | ||
- | * FIXME CSS bug in Firefox 1.5, see [[http://punbb.informer.com/forums/post/119723/#p119723|Forums topic by Garciat]] for details. | + | * User count in user search results is displayed incorrect ([[https://punbb.informer.com/forums/topic/21006/user-list-bug/|reported by 8k84]], fixed in [1065]). |
- | * FIXME Just after installing the 'online' table takes a lot of diskspace on some systems (for example, 1.6 Mb on PHP: 4.4.9, Accelerator: eAccelerator, DB: MySQL Standard 4.1.22; see also a [[http://punbb.informer.com/forums/topic/20394/database-size/|topic on forums]]). | + | * Messages in feeds are shown as they are stored in DB, without parsing ([[https://punbb.informer.com/forums/topic/21221/rss-items-html-parsing/|reported by alpha2zee]], fixed in [1070]). |
- | * FIXME Seems like checking of csrf tokens does not involve correspondent timeout in a right way. | + | * Incorrect layout in viewforum.php when "Topic views" is disabled (reported by [[https://punbb.informer.com/forums/topic/20413/incorrect-layout-in-viewforumphp-when-topic-views-is-disabled/|burina]], fix by AracornRed in [1073]). |
- | * FIXME Incorrect layout in viewforum.php when "Topic views" is disabled, reported by [[http://punbb.informer.com/forums/topic/20413/incorrect-layout-in-viewforumphp-when-topic-views-is-disabled/|burina]]. | + | * Incorrect hooks positions (reported by [[https://punbb.informer.com/forums/topic/21059/profile-hooks-not-run-in-certain-cases/|Cereal]], [[https://punbb.informer.com/forums/topic/20905/hooks-adding-new-users-permissions/|YonasH]], [[https://punbb.informer.com/forums/topic/20755/duplicated-hook/|Strofanto]]; fixed in [1068], [1079]). |
+ | * Markup issues and hooks location in moderate.php, search.php, viewforum.php ([1073], [1089] and [1092]). | ||
+ | * IE6 CSS issues (reported by [[https://punbb.informer.com/forums/topic/20871/contact-links-outside-the-page-layout-under-ie6-in-oxygen-fix-found/|Ishimaru Chiaki]], [[https://punbb.informer.com/forums/topic/21389/ordered-list-in-the-rules-text-problem/|8k84]], fixed in [1106] and [1113]). | ||
+ | * The usage of language pack at the final stage of installing process ([[https://punbb.informer.com/forums/topic/20517/2-issues-with-the-installer-of-132/|reported by Dan_y2k]], fixed in [1108]). | ||
+ | * Incorrect HTTP response code (503 instead 404) for non-existent pages when SEF is enabled ([[https://punbb.informer.com/forums/topic/21081/rewrite-nonexistent-page-returns-503-instead-of-404-code/|reported by commanche]], fixed in [1118]). | ||
+ | ===== PunBB 1.3.3 bugs ===== | ||
+ | * Inverse numbering of previous posts on post preview ([[https://punbb.informer.com/forums/topic/21632/inverse-numbering-of-previous-posts-when-writing-a-new-one/|reported by maststef]], fixed in [1162]). | ||
+ | * Possible XSS vulnerability in profile.php on password and e-mail change (reported by Richard Sammet, fixed in [1164], [[hotfixes|hotfix]] [[https://punbb.informer.com/update/manifest/hotfix_133_xss_attack_in_profile.xml|hotfix_133_xss_attack_in_profile]] released). | ||
+ | |||
+ | ===== PunBB 1.3.4 bugs ===== | ||
+ | * Seems like checking of csrf tokens does not involve correspondent timeout in a right way (fixed in [1325], [[https://punbb.informer.com/forums/post/128539/|fix by bedroom]]). | ||
+ | * FIXME One can't post in a forum if there is only post permission (reported by [[https://punbb.informer.com/forums/topic/21695/error-in-postphp-querry/|Cereal]]). | ||
+ | * FIXME Unsubscribe CSS issue: https://punbb.informer.com/forums/post/122868/#p122868 | ||
+ | * FIXME Just after installing the 'online' table takes a lot of diskspace on some systems (for example, 1.6 Mb on PHP: 4.4.9, Accelerator: eAccelerator, DB: MySQL Standard 4.1.22; see also a [[https://punbb.informer.com/forums/topic/20394/database-size/|topic on forums]]). | ||
* FIXME Updating script (''admin/db_update.php'') issues? | * FIXME Updating script (''admin/db_update.php'') issues? | ||
- | ===== Security issue details ===== | + | ===== PunBB 1.3.5 bugs ===== |
- | We provide the details of fixed security bugs here. | + | * CSS & markup. |
+ | * Missing lang entries on language files. | ||
+ | * Correct path and alerts on install. | ||
+ | * Fixed typos and more. | ||
- | FIXME Describe all the 1.3.* vulnerabilities here! | + | ===== PunBB 1.3.6 bugs ===== |
+ | * XSS vulnerabilities described on [[https://punbb.informer.com/forums/post/141236/#p141236]] | ||
+ | * Error with bans in admin/bans.php and profile.php | ||
+ | * Invalid closing tag described on issue [[https://github.com/punbb/punbb/issues/32|#32]]. | ||
+ | |||
+ | ===== Security issue details ===== | ||
+ | We provide the details of some fixed security bugs here. | ||
==== Possible XSS in moderate ==== | ==== Possible XSS in moderate ==== | ||
Line 47: | Line 70: | ||
* Vulnerability type: [[http://en.wikipedia.org/wiki/Cross-site_scripting|XSS]] | * Vulnerability type: [[http://en.wikipedia.org/wiki/Cross-site_scripting|XSS]] | ||
* Fixed in [909]. | * Fixed in [909]. | ||
- | * Hotfix [[http://punbb.informer.com/update/manifest/hotfix_13_moderate_xss.xml|hotfix_13_moderate_xss]] released. | + | * Hotfix [[https://punbb.informer.com/update/manifest/hotfix_13_moderate_xss.xml|hotfix_13_moderate_xss]] released. |
==== Possible XSS in login ==== | ==== Possible XSS in login ==== | ||
Line 55: | Line 78: | ||
* Vulnerability type: [[http://en.wikipedia.org/wiki/Cross-site_scripting|XSS]] | * Vulnerability type: [[http://en.wikipedia.org/wiki/Cross-site_scripting|XSS]] | ||
* Fixed in [962]. | * Fixed in [962]. | ||
- | * Hotfix [[http://punbb.informer.com/update/manifest/hotfix_131_xss_attack_in_login.xml|hotfix_131_xss_attack_in_login]] released. | + | * Hotfix [[https://punbb.informer.com/update/manifest/hotfix_131_xss_attack_in_login.xml|hotfix_131_xss_attack_in_login]] released. |
==== Potential SQL-injections at admin/users.php page ==== | ==== Potential SQL-injections at admin/users.php page ==== | ||
Line 63: | Line 86: | ||
* Vulnerability type: [[http://en.wikipedia.org/wiki/SQL_injection|SQL injection]] | * Vulnerability type: [[http://en.wikipedia.org/wiki/SQL_injection|SQL injection]] | ||
* Fixed in [963]. | * Fixed in [963]. | ||
- | * Hotfix [[http://punbb.informer.com/update/manifest/hotfix_131_sql_injection_in_admin_users.xml|hotfix_131_sql_injection_in_admin_users]] released. | + | * Hotfix [[https://punbb.informer.com/update/manifest/hotfix_131_sql_injection_in_admin_users.xml|hotfix_131_sql_injection_in_admin_users]] released. |
==== Potential SQL-injections in admin/settings.php via configuration values ==== | ==== Potential SQL-injections in admin/settings.php via configuration values ==== | ||
Line 71: | Line 94: | ||
* Vulnerability type: [[http://en.wikipedia.org/wiki/SQL_injection|SQL injection]] | * Vulnerability type: [[http://en.wikipedia.org/wiki/SQL_injection|SQL injection]] | ||
* Fixed in [965]. | * Fixed in [965]. | ||
- | * Hotfix [[http://punbb.informer.com/update/manifest/hotfix_131_sql_injection_in_admin_settings.xml|hotfix_131_sql_injection_in_admin_settings]] released. | + | * Hotfix [[https://punbb.informer.com/update/manifest/hotfix_131_sql_injection_in_admin_settings.xml|hotfix_131_sql_injection_in_admin_settings]] released. |
====== See also ====== | ====== See also ====== | ||
Line 78: | Line 101: | ||
====== Links ====== | ====== Links ====== | ||
- | * [[http://punbb.informer.com/forums/forum/70/punbb-13-bug-reports/|PunBB 1.3 bug reports]] forum in [[http://punbb.informer.com/forums/|PunBB Forums]]. | + | * [[https://punbb.informer.com/forums/forum/70/punbb-13-bug-reports/|PunBB 1.3 bug reports]] forum in [[https://punbb.informer.com/forums/|PunBB Forums]]. |