This is an old revision of the document!
PunBB 1.3 Bugs
Please, look through the list for the bug you have found. If there is no one, then add it.
PunBB 1.3 bugs
- Moderation bugs:
- Markup and language file issues (no hotfixes will be released if the bug results no errors):
- Incorrect markup of the “download latest version” link (fixed).
- Markup issues in the guest post form in post.php, reported by Adelf (fixed in [900]).
- Markup issues in install.php (fixed in [901]).
- Underline is working as italics (post by Garciat, fixed in [922]).
- Incorrect message
you must copy/upload the file .htaccess from the extras directory
in forum settings (topic by esupergood, fixed in [923]). - Make “new hotfixes” message more informative, see Forums topic by colak for details (fixed in [923]).
- Breadcrumbs: Lack of link on topic subject ⇒ no topic permalink at all! (fixed in [924])
- Wrong appearing of 'sticky' word in search results, reported by teva and Garciat (fixed in [910] and [928]).
PunBB 1.3.1 bugs
- Parser bugs
- Sequrity issues (reported by Stefan Esser, hotfixes have been released):
- There is no ' class=“isactive”' in the Profile link in the main navigation menu (fixed in [964]).
PunBB 1.3.2 bugs
- User count in user search results is displayed incorrect (reported by 8k84, fixed in [1065]).
- Messages in feeds are shown as they are stored in DB, without parsing (reported by alpha2zee, fixed in [1070]).
- The usage of language pack at the final stage of installing process (reported by Dan_y2k, fixed in [1108]).
- Incorrect HTTP response code (503 instead 404) for non-existent pages when SEF is enabled (reported by commanche, fixed in [1118]).
PunBB 1.3.3 bugs
- Inverse numbering of previous posts on post preview (reported by maststef, fixed in [1162]).
- Possible XSS vulnerability in profile.php on password and e-mail change (reported by Richard Sammet, fixed in [1164], hotfix hotfix_133_xss_attack_in_profile released).
PunBB 1.3.4 bugs
- Seems like checking of csrf tokens does not involve correspondent timeout in a right way (fixed in [1325], fix by bedroom).
- One can't post in a forum if there is only post permission (reported by Cereal).
- Unsubscribe CSS issue: http://punbb.informer.com/forums/post/122868/#p122868
- Just after installing the 'online' table takes a lot of diskspace on some systems (for example, 1.6 Mb on PHP: 4.4.9, Accelerator: eAccelerator, DB: MySQL Standard 4.1.22; see also a topic on forums).
- Updating script (
admin/db_update.php
) issues?
Security issue details
We provide the details of some fixed security bugs here.
Possible XSS in moderate
A topic title was not converted to HTML in forum moderation. A user could steal moderator's & administrator's session by injecting JavaScript in the topic title.
- Forum versions vulnerable: PunBB 1.3
- Vulnerability type: XSS
- Fixed in [909].
- Hotfix hotfix_13_moderate_xss released.
Possible XSS in login
Password field value (set directly from POST-request) was not properly escaped, so that one could use it to execute JavaScript. CSRF confirm message would be displayed.
- Reported by Stefan Esser.
- Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
- Vulnerability type: XSS
- Fixed in [962].
- Hotfix hotfix_131_xss_attack_in_login released.
Potential SQL-injections at admin/users.php page
The values of $_POST['order_by']
and $_POST['direction']
were escaped, but not logically checked before using in SQL query at the Administration
⇒ Users
page. One could execute any SQL query via making administrator to send a POST-request (e.g. giving him a link to the specially formed page). CSRF confirm message would be displayed.
- Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
- Reported by Stefan Esser.
- Vulnerability type: SQL injection
- Fixed in [963].
- Hotfix hotfix_131_sql_injection_in_admin_users released.
Potential SQL-injections in admin/settings.php via configuration values
The values of configuration options were not checked before using in SQL query at Administration
⇒ Settings
page. One could execute any SQL query via making administrator to send a POST-request (e.g. giving him a link to the specially formed page). CSRF confirm message would be displayed.
- Forum versions vulnerable: PunBB 1.3, PunBB 1.3.1.
- Reported by Stefan Esser.
- Vulnerability type: SQL injection
- Fixed in [965].
- Hotfix hotfix_131_sql_injection_in_admin_settings released.
See also
Links
- PunBB 1.3 bug reports forum in PunBB Forums.