UseBB 1.0.10 released

The UseBB project releases UseBB 1.0.10, the tenth maintenance release of the UseBB 1 light PHP 4 and MySQL bulletin board system.

This release fixes an important issue: certain input could send the BBCode parser into an infinite loop, which made denial-of-service (DoS) attacks possible. It also includes a major change in RSS feed generation, adding per-forum and per-topic feeds and fixing multiple problems with feed contents.
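To make the DoS risk concrete, here is an added example (not UseBB's code; the function names, regexes and inputs are constructed for the illustration, and the syntax is PHP 7.4+, not the PHP 4 that UseBB 1 targets) of a BBCode rewrite loop that never terminates on perfectly ordinary input, next to two ways of making such loops finite:

```php
<?php
// Added example, not UseBB code: function names, regexes and inputs are constructed.
declare(strict_types=1);

// VULNERABLE: wraps bare URLs in [url] tags "until none are left". The same
// regex also matches the URL inside the [url=...] tag the previous pass just
// produced, so every pass finds a match and the loop never exits; the string
// grows until max_execution_time or memory_limit kills the request. One post
// containing one URL ties up a PHP worker. Defined for comparison; do not call it.
function autolink_naive(string $text): string
{
    while (preg_match('#https?://[^\s\[\]]+#', $text)) {
        $text = preg_replace('#(https?://[^\s\[\]]+)#', '[url=$1]$1[/url]', $text, 1);
    }
    return $text;
}

// FIX 1: a single pass over the input that never re-scans its own output.
// The lookbehind skips URLs that directly follow "[url=" or "]", i.e. ones
// that are already tagged, so the function is also idempotent on edit/re-save.
function autolink_safe(string $text): string
{
    return preg_replace('#(?<![=\]])(https?://[^\s\[\]]+)#', '[url=$1]$1[/url]', $text) ?? $text;
}

// FIX 2: rewrites that genuinely need repeated passes (stripping nested empty
// tag pairs innermost-first, for instance) get a loop that is provably finite:
// stop at the first fixpoint, cap the number of passes, and treat reaching the
// cap as a parse failure instead of looping on. A null from preg_replace
// (PCRE backtrack/recursion limit hit) is also treated as "stop".
function rewrite_until_stable(string $text, callable $step, int $maxPasses = 64): string
{
    for ($pass = 0; $pass < $maxPasses; $pass++) {
        $next = $step($text);
        if ($next === null || $next === $text) {
            return $text;
        }
        $text = $next;
    }
    throw new RuntimeException("BBCode rewrite did not converge in $maxPasses passes");
}

// Step function for FIX 2: remove one layer of empty tag pairs per pass.
$stripEmptyPairs = fn(string $t): ?string =>
    preg_replace('#\[(\w+)(?:=[^\]]*)?\]\s*\[/\1\]#', '', $t);

// Constructed inputs.
echo autolink_safe('see http://example.com and [url=http://a.example]http://a.example[/url]'), "\n";
echo rewrite_until_stable('[b][i][u][/u][/i][/b] text', $stripEmptyPairs), "\n";

// An adversarial step that always changes its input fails loudly instead of hanging.
try {
    rewrite_until_stable('x', fn(string $t): string => $t . 'x');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The general rule the two fixes share: a parse loop must either consume input on every iteration or have an explicit upper bound, and any regex-driven pass should run over the original text, never over text it has already rewritten.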

Of course, several other smaller bug fixes and changes are included:

- Fixed bug #2367: SQL error on search sorted by author.
- Fixed bug with remembering guest auth settings on adding new forum.
- Mass email in board default language and only to unique email addresses.
- Personal emails now sent in correct (recipient's) language.
- ...

As always, upgrading is recommended. Any version less than or equal to 1.0.9 is now unsupported. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

UseBB 1.0.9 released

After eight months without a new release, here is UseBB "still alive" 1.0.9. UseBB is a light and Open Source PHP/MySQL bulletin board package.

Version 1.0.9 fixes the bugs discovered since the release of 1.0.8 in September 2007, including:
- BBCode in links breaks XML well-formedness;
- RSS feed fails to validate;
- redirect URLs containing backslashes on some platforms (Windows);
- Jabber link on profile needs "xmpp" as protocol, not "jabber";
- made smiley image tags refer to the path using ROOT_PATH.

As always, upgrading is recommended. (All < 1.0.9 versions are officially unsupported as of today.) Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

Note: if you experience the RSS Feed foreach() error, see the fix here.

UseBB 1.0.8 released

I am happy to announce version 1.0.8 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.8 is a minor security and bug fix release. The most important fix is for a few full path disclosure vulnerabilities reported by Ilia Alshanetsky. Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

One of the discovered vulnerabilities is the same one found in 1.0.5 and prior releases. The fix introduced in 1.0.6 turned out to be insufficient, and the same vulnerability showed up in another code path as well. It does not pose a direct threat to the forum, but it may disclose sensitive information (the installation's absolute path) which may be abused by a user who has shell access to the server or who can abuse another vulnerable application or script on the same host.

Thus, as always, it is highly advised to regularly check for and install updates of installed software. Nobody except the owner is responsible when a vulnerability in an outdated version of an application has been abused.

UseBB 1.0.7 "vulnerability"

Yesterday (July 20th, 2007), a post was made on the popular Bugtraq mailing list about a so-called vulnerability in UseBB 1.0.7. The issue is that the unescaped value of PHP's PHP_SELF variable is written into form actions in three old upgrade scripts, which can be exploited for a reflected "XSS attack". However, unlike the report states, this vulnerability should be rated far from "dangerous".

The vulnerability is found in upgrade scripts which were used to upgrade a few old versions of UseBB, namely 0.2.3, 0.3 and 0.4. The latter was released almost 2.5 years ago. Second, this vulnerability poses no security threat to an existing UseBB set-up. The only possible abuse is to trick a victim into opening a crafted URL (containing possibly dangerous JavaScript) to one of these update scripts. The chance of anyone ending up in this situation is very small, unless you are still updating an unsupported 2.5-year-old UseBB version and are receiving "help" from an abusive person.

In short, this is not a UseBB vulnerability but one in old upgrade scripts which were used up to a couple of years ago.

As a resolution to this vulnerability, these three upgrade scripts have been removed from the source tree in CVS, since they were obviously no longer supported and possibly even not working anymore. If you have the install/ directory present in a publicly available forum, it is advised to remove it in any case, although the scripts should only cause SQL errors and perform no changes when used with an existing set-up.
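For readers who want to see what the PHP_SELF issue actually looks like in code, here is an added example (not the UseBB upgrade scripts; the request path, payload, and function names are constructed for the illustration). It shows why echoing PHP_SELF into a form action reflects attacker-controlled markup, and two ways to fix it:

```php
<?php
// Added example, not the UseBB upgrade scripts: paths, names and the payload are constructed.
declare(strict_types=1);

// $_SERVER['PHP_SELF'] is the script path *plus* any PATH_INFO the client appended.
// A request for
//   /install/upgrade.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20a=%22
// still executes upgrade.php, but PHP_SELF becomes the decoded string below.
// Anything that echoes it unescaped into markup reflects the attacker's HTML.
const CONSTRUCTED_PHP_SELF = '/install/upgrade.php/"><script>alert(1)</script><x a="';

// VULNERABLE: the quote in PHP_SELF closes the attribute, the rest is live markup.
function form_action_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// FIX A: encode for the attribute context. The payload is still in the page,
// but as text; ENT_QUOTES is what keeps the double quote from closing the attribute.
function form_action_escaped(string $phpSelf): string
{
    return '<form method="post" action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// FIX B (preferred): do not build the action from PHP_SELF at all.
// SCRIPT_NAME is the script's own path as the server resolved it, without
// PATH_INFO, so it does not carry the injected suffix. Escape it anyway.
function form_action_fixed(string $scriptName): string
{
    return '<form method="post" action="' . htmlspecialchars($scriptName, ENT_QUOTES, 'UTF-8') . '">';
}

// Quick check a reviewer can run over generated markup: does a literal tag survive?
function reflects_markup(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo form_action_unsafe(CONSTRUCTED_PHP_SELF), "\n";
echo form_action_escaped(CONSTRUCTED_PHP_SELF), "\n";
echo form_action_fixed('/install/upgrade.php'), "\n";
var_dump(reflects_markup(form_action_unsafe(CONSTRUCTED_PHP_SELF)));
var_dump(reflects_markup(form_action_escaped(CONSTRUCTED_PHP_SELF)));
```

Deleting the install/ directory after installation, as advised below, removes the reachable code entirely and is the right fix for a deployed board; the escaping above is what any script that must stay online should do.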

I am not very satisfied by the way this vulnerability was made public. Besides it being rated "dangerous" without a valid reason, I was not contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.

Since this is not the first time we are plagued by partially false reports, we will start publishing our own security reports when necessary as of the release of UseBB 2.0.0.

Update (September 13th): I. Alshanetsky has found another so-called "vulnerability" in UseBB 1 and made a note about this in his talk about PHP security. The code which is said to be exploitable is not exploitable at all. The researcher failed to check the code for the security measures it already contains, and did not report his (thus false) discovery before making public notes about it. Read more about this on my blog.

UseBB 1.0.7 released

I am happy to announce version 1.0.7 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.7 is a minor feature enhancements and bug fix release. Changes include but are not limited to:
- added a (random math-based or custom) anti-spam question feature against spam bots;
- added a security measure which generates a new session ID when logging in/out;
- fixed a few minor bugs found since version 1.0.6.

Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
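The session ID regeneration mentioned above is the standard defence against session fixation. Here is an added example of that defence (not UseBB's code; the user store, the function names and the sample credentials are constructed, and the syntax is PHP 7+):

```php
<?php
// Added example of the defence 1.0.7 describes; not UseBB code. The user store
// and function names are constructed.
declare(strict_types=1);

// Session fixation: the attacker gets a session ID of their choosing into the
// victim's browser (a link carrying the ID, a cookie set from a sibling host),
// waits for the victim to log in, then presents the same ID. If the ID is not
// changed at login, the attacker holds an authenticated session.

// Reject client-supplied IDs that the server never issued (PHP >= 5.5.2). This
// closes the simplest fixation route; regeneration below covers the rest.
ini_set('session.use_strict_mode', '1');

function credentials_ok(string $user, string $password): bool
{
    // Constructed sample store; the board would read its users table.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!credentials_ok($user, $password)) {
        return false;
    }
    // Discard the pre-authentication ID. delete_old_session=true removes the
    // old session data as well, so a planted ID does not survive as a second
    // valid copy of this login.
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'login_time' => time()];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Destroy server-side state and expire the cookie in the browser.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    // Start over with a fresh, unauthenticated ID for whatever comes next,
    // rather than letting the old (now logged-out) ID be reused.
    session_start();
    session_regenerate_id(true);
}

// Constructed walk-through (runs under the CLI with the default files handler).
// All output is deferred until the end so no headers are sent mid-way.
session_start();
$before = session_id();
$ok = login('alice', 'correct horse battery');
$after = session_id();
logout();
$stillLoggedIn = isset($_SESSION['user']);
printf("login ok: %s, id changed at login: %s, user still set after logout: %s\n",
    $ok ? 'yes' : 'no', $before !== $after ? 'yes' : 'no', $stillLoggedIn ? 'yes' : 'no');
```

The two halves matter together: regenerating the ID makes a planted ID worthless the moment the victim logs in, and `use_strict_mode` stops PHP from adopting an unknown ID from the client in the first place.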

This release also features a small gain in performance. 1.0.7 uses only 92% of 1.0.6's and no more than half(!) of 1.0's processing time. In other words, 1.0.7 can serve twice as many requests in the same time span as version 1.0. Another reason to keep your UseBB version up to date.

In the meantime, 2.0's development continues, and to emphasize this upcoming switch to PHP 5.2 we have joined the Go PHP 5 campaign. This campaign was started by a group of PHP based Open Source projects - including Drupal, phpMyAdmin, Typo3 and Symfony - who have decided to make new developments PHP 5.2 based as of February 5th, 2008, hoping to speed up PHP 5 migration. (Please note, this date is NOT the release date of UseBB 2.0.) More information on this campaign can be found at http://gophp5.org.

UseBB 1.0.6 released

The UseBB Team is happy to announce version 1.0.6 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.6 is a minor security and bug fix release. Changes include but are not limited to:
- fixed a full path disclosure vulnerability;
- fixed a bug that posed problems when setting certain time zones;
- fixed more bugs in the SQL Toolbox and ACP Modules panes of the ACP.

Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

The discovered security vulnerability (full path disclosure) only occurs on PHP setups with register_globals enabled and with certain GET or POST variables passed to the system, resulting in a PHP error message that contains the script's full path on the web server. The vulnerability cannot be exploited directly, but the disclosed path may be abused by people with system access or in combination with another vulnerability.

Thanks to Jesper Jurcenoks of netVigilance, Inc. for reporting this. Their security advisory can be found at http://www.netvigilance.com/advisory0016.
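The register_globals path disclosure described in this post, and the related one in the 1.0.8 announcement above, follow one pattern: a variable the script expects to set itself is pre-seeded from the request, PHP emits a warning, and the warning carries the absolute path. The following added example (not UseBB's code; the file path, variable names and function names are constructed, and `extract()` stands in for the register_globals behaviour that PHP removed in 5.4) shows the vulnerable pattern, the application-side fix and the runtime hardening:

```php
<?php
// Added example, not UseBB code. File, variable and function names are constructed.
declare(strict_types=1);

// register_globals (removed in PHP 5.4) turned every request parameter into a
// PHP variable before the script's first line ran. extract() reproduces that
// here for the demonstration; it is the bug being shown, not a recommendation.

// VULNERABLE: $errors is meant to be filled by the script itself, but nothing
// initialises it, so a request carrying ?errors=x makes it a string. foreach
// then emits a warning, and with display_errors on that warning includes the
// absolute path of the script, e.g. (constructed):
//   Warning: foreach() argument must be of type array|object, string given in /var/www/forum/panel.php on line 17
// No board logic is bypassed; the attacker just learns the install path, which
// helps with other bugs (file inclusion, local accounts on shared hosting).
function render_notices_unsafe(array $request): string
{
    extract($request);                      // stands in for register_globals
    $out = '';
    foreach ($errors as $message) {         // $errors came from the request
        $out .= '<li>' . htmlspecialchars((string) $message, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $out;
}

// FIX (application side): initialise every variable before use and read request
// data only through $_GET/$_POST with explicit validation. The request can no
// longer pre-seed $errors, whatever register_globals is set to.
function render_notices_fixed(array $request): string
{
    $errors = [];
    if (isset($request['q']) && !is_string($request['q'])) {
        $errors[] = 'q must be a string';   // the script decides what goes in
    }
    $out = '';
    foreach ($errors as $message) {
        $out .= '<li>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $out;
}

// FIX (defence in depth): never let PHP's own diagnostics reach the client.
// Log them instead; the path is useful to the admin, not to the visitor.
function harden_runtime(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        exit('Refusing to run with register_globals enabled.');   // only reachable on PHP < 5.4
    }
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    set_error_handler(function (int $no, string $str, string $file, int $line): bool {
        error_log("php[$no] $str in $file:$line");   // full path stays server-side
        return true;                                 // suppress PHP's own output
    });
}

harden_runtime();
echo render_notices_unsafe(['errors' => 'x']), "\n";   // the warning is logged, not displayed
echo render_notices_fixed(['q' => ['not', 'a', 'string']]), "\n";
```

Turning display_errors off is what actually stops the disclosure for every such bug at once, known or not; the per-variable fix is still needed because a request-controlled variable can do more than trigger a warning.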

UseBB 1.0.5 released

The UseBB Team is happy to announce version 1.0.5 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.5 is a minor bug fix release. Changes include but are not limited to:
- various bugs fixed (including with MySQL 5, BBCode and Abyss);
- avatars are now resized when needed using JavaScript instead of always using HTML;
- topic view counts are now increased once per user's session;
- spam proof e-mail addresses now shown as HTML entities.

Upgrading is, as always, recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

UseBB 1.0.4 released

The UseBB Team is happy to announce version 1.0.4 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.4 is a minor bug fix release. Changes include but are not limited to:
- some minor bugs were fixed throughout the system;
- changes were applied to improve global performance, especially for template parsing;
- mass email messages are now sent in chunks of 100 recipients;
- version checking is now also possible through the PHP cURL extension;
- small changes to improve usability on some parts.

Upgrading is, as always, recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

With this fourth bug fix release for the 1.0 branch, I also want to comment on the code and database design of this fairly old system. I would like to emphasise that throughout the "designing" and writing of code in 2004 and 2005 no performance tests were ever applied to the 1.0 codebase, nor were special measures taken to ensure performance. For example, few or no indexes were applied to the database tables.

Even though some PHP optimisations have been applied in this release, some design flaws remain in place. They should not pose any problems to small communities and in any case do not constitute security problems. We do not wish to fix these design and performance issues any more but instead focus on developing UseBB 2.0, which will (should) gradually replace existing UseBB 1 installations where possible.

As for 2.0's development, a new roadmap for the project in 2007 is available at http://usebb.sourceforge.net/roadmap.php. Note that 2.0 is a rewrite "from scratch" in PHP 5. As mentioned, we are working on the system design and will (re)start developing code as soon as time permits. A preview 1.99 release will be made available when most parts of the base system are completed. Of course, as mentioned before, we will keep releasing UseBB 1 bug fix releases in the meantime for as long as we think is necessary.

All that is left to say is: happy 2007 and enjoy your forum!

UseBB 1.0.3 released

Another year has passed in the life of the UseBB Project, which is now officially 3 years old. We have taken this opportunity to release version 1.0.3 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.3 is a minor improvements and bug fix release. Changes include but are not limited to:
- added httpOnly cookies support for improved security (enabled by default);
- a few bugs fixed throughout the whole board, including for BBCode processing;
- some "strange things" were fixed (for example the ability to post with only BBCode tags and no text).

Upgrading is, as always, recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
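The httpOnly flag added in this release is worth a closer look, since it is a damage-limiting measure rather than a fix for anything. Here is an added example (not UseBB's code; the cookie name and value are constructed, and the syntax is PHP 7+, which is why PHP 4's lack of a setcookie() flag is handled with a raw header in the comments rather than in code):

```php
<?php
// Added example of the httpOnly flag 1.0.3 enables; not UseBB code. Cookie
// names and values are constructed.
declare(strict_types=1);

// An httpOnly cookie is still sent with every request, but the browser hides it
// from document.cookie. An XSS bug on the board can then not read the session
// cookie and post it off-site. The injected script can still act *as* the
// logged-in user from inside the page, so this limits the damage of an XSS;
// it does not replace fixing the XSS, and it only helps if every cookie that
// identifies the session carries the flag.

// The header PHP will send, built by hand so the flags are visible. This is
// also the only route on PHP 4 (header($h, false) keeps earlier Set-Cookie headers).
function session_cookie_header(string $name, string $value, bool $secure): string
{
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
            . '; Path=/; HttpOnly; SameSite=Lax';
    if ($secure) {
        $header .= '; Secure';      // never sent over plain HTTP
    }
    return $header;
}

// Portable setter. PHP 7.3+ takes an options array; PHP 5.2 to 7.2 take the
// flag as the seventh positional argument.
function set_session_cookie(string $name, string $value, bool $secure = true): bool
{
    if (headers_sent()) {
        return false;
    }
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, [
            'expires'  => 0,            // browser-session cookie
            'path'     => '/',
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return setcookie($name, $value, 0, '/', '', $secure, true);
}

// PHP's own session cookie gets the same treatment; these must be set before
// session_start() (php.ini is the better place on a production board).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');      // drop on an HTTP-only test board
ini_set('session.use_only_cookies', '1');   // no session IDs in URLs

echo session_cookie_header('usebb_sid', bin2hex(random_bytes(16)), true), "\n";
```

To check a live board, look at the Set-Cookie headers of the login response (browser developer tools or `curl -I`) and confirm every session-bearing cookie shows `HttpOnly`, and `Secure` where the board is served over HTTPS.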

With this release, we again like to thank all the people who supported us in the past year, and of course SourceForge.net for hosting downloads and CVS. In the past four months, they have processed another 5,000+ downloads, putting the UseBB 1 download counter at over 25,000 copies.

As for the ongoing 2.0 development progress, more info can be found at http://www.usebb.net/community/topic-1249.html and http://dietrich.wordpress.com/tag/usebb-2/. We still appreciate all requests, comments and critiques. What did you like about UseBB 1 and would like to see again or even improved in 2.0? What sucks in UseBB 1? Comments on internal workings and development are welcome as well. Please tell us on the forums!

UseBB 1.0.2 released

The UseBB Team is happy to announce version 1.0.2 of the light and Open Source PHP/MySQL bulletin board package "UseBB".

Version 1.0.2 is a minor bug fix release. Changes include but are not limited to:
- Reply-To header support for emails (required on some hosts);
- security fix for the PHP Zend_Hash_Del_Key_Or_Index vulnerability;
- various bugs fixed throughout the whole board;
- limited performance improvements on topic view.

Upgrading is, as always, recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

The "PHP Zend_Hash_Del_Key_Or_Index vulnerability", also known as the "unset() vulnerability", is NOT a problem in UseBB itself but a weakness that existed in PHP before versions 4.4.3 and 5.1.4. If you run a vulnerable PHP version, it is recommended to update UseBB (and, where possible, PHP itself, since the root cause is in the interpreter). For more information, see http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html.

This release is also the first one to distribute new "changed files packages" containing only the changed files since the previous release. For more info, see the docs/index.html document.