Posted about 1 month ago by pc_f...@users.sourceforge.net (Dietrich Moerman)
After eight months without a new release, here is UseBB "still alive" 1.0.9. UseBB is a light and Open Source PHP/MySQL bulletin board package.
Version 1.0.9 fixes the bugs discovered since the release of 1.0.8 in September 2007, including:
- BBCode in links breaks XML well-formedness;
- RSS feed fails to validate;
- redirect URLs containing backslashes on some platforms (Windows);
- Jabber link on profile needs "xmpp" as protocol, not "jabber";
- made smiley image tags refer to the path using ROOT_PATH.
As always, upgrading is recommended. (All < 1.0.9 versions are officially unsupported as of today.) Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
Posted 9 months ago by pc_f...@users.sourceforge.net (Dietrich Moerman)
I am happy to announce version 1.0.8 of the light and Open Source PHP/MySQL bulletin board package "UseBB".
Version 1.0.8 is a minor security and bug fix release. The most important fix is for a few full path disclosure vulnerabilities reported by Ilia Alshanetsky. Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
One of the discovered vulnerabilities is the same one found in 1.0.5 and prior releases. The fix introduced in 1.0.6 turned out to be insufficient, and the vulnerability appeared in another case as well. It does not pose a direct threat to the forum but may disclose sensitive information which may be abused by a user who has shell access to the server or can abuse another vulnerable application or script.
Thus, as always, it is highly advised to regularly check for and install updates of installed software. Nobody except the owner is responsible when a vulnerability in an outdated version of an application has been abused.
Posted 12 months ago by pc_f...@users.sourceforge.net (Dietrich Moerman)
Yesterday (July 20th, 2007), a post was made on the popular Bugtraq mailing list about a so-called vulnerability in UseBB 1.0.7. This vulnerability consists of an insecure value of PHP's PHP_SELF variable being used in forms in three old upgrade scripts, which can be exploited for an "XSS attack". However, contrary to what the report states, this vulnerability should be rated far from "dangerous".
The vulnerability is found in upgrade scripts which were used to upgrade a few old versions of UseBB, namely 0.2.3, 0.3 and 0.4. The latter was released almost 2.5 years ago. Second, this vulnerability poses zero security threat to an existing UseBB set-up. The only possible abuse of this vulnerability is through receiving a malformed URL (containing possibly dangerous JavaScript) to one of these upgrade scripts. The chances that anyone gets into this situation are very slim, unless you are still updating an unsupported 2.5-year-old UseBB version and are receiving "help" from an abusive person.
As a resolution to this vulnerability, these three upgrade scripts have been removed from the source tree in CVS, since they were obviously no longer supported and possibly even not working anymore. If you have the install/ directory present in a publicly available forum, it is advised to remove it in any case, although the scripts should only cause SQL errors and perform no changes when used with an existing set-up.
I am not very satisfied with the way this vulnerability was made public. Besides it being rated "dangerous" without a valid reason, I was not contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.
Since this is not the first time we have been plagued by partially false reports, we will start publishing our own security reports when necessary as of the release of UseBB 2.0.0.
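The PHP_SELF problem described in the post above, shown as an added example (this is not UseBB's code and not the upgrade scripts in question): a form whose `action` echoes `$_SERVER['PHP_SELF']` unescaped, the kind of URL that turns it into reflected XSS, and two ways to close it. The script name, the payload and the function names are constructed for this demo.

```php
<?php
// Added example (not UseBB code): reflected XSS through an unescaped
// PHP_SELF in a form action, and two fixes.
// Run from the CLI: php php_self_xss.php

// Vulnerable pattern: the raw request path is written into an HTML
// attribute. PHP_SELF includes any PATH_INFO after the script name, so
// the attacker controls part of it.
function vulnerableForm($phpSelf)
{
    return '<form method="post" action="' . $phpSelf . '">'
         . '<input type="submit" value="Upgrade"></form>';
}

// Fix 1: escape the value before it lands inside an attribute.
// ENT_QUOTES also encodes the double quote that closes the attribute.
function escapedForm($phpSelf)
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
         . '<input type="submit" value="Upgrade"></form>';
}

// Fix 2: do not reflect request data at all. An empty action posts back
// to the current URL, which is what the form wanted anyway.
function selfPostingForm()
{
    return '<form method="post" action="">'
         . '<input type="submit" value="Upgrade"></form>';
}

// Constructed attacker URL: /install/upgrade.php/"><script>...</script>
// On servers that accept trailing path info, the part after the script
// name is reflected into PHP_SELF verbatim.
$_SERVER['PHP_SELF'] =
    '/install/upgrade.php/"><script>alert(document.cookie)</script><a "';

echo "Vulnerable:\n",   vulnerableForm($_SERVER['PHP_SELF']), "\n\n";
echo "Escaped:\n",      escapedForm($_SERVER['PHP_SELF']),    "\n\n";
echo "Self-posting:\n", selfPostingForm(),                    "\n";
```

The vulnerable output contains a closed `<form>` tag followed by a live `<script>` element; the escaped output contains only `&quot;&gt;&lt;script&gt;` as inert text. Removing the scripts, as the post describes, is the simplest fix of all when the code is no longer needed.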
Posted 12 months ago by pc_f...@users.sourceforge.net (Dietrich Moerman)
I am happy to announce version 1.0.7 of the light and Open Source PHP/MySQL bulletin board package "UseBB".
Version 1.0.7 is a minor feature enhancement and bug fix release. Changes include but are not limited to:
- added a (random math-based or custom) anti-spam question feature against spam bots;
- added a security measure which generates a new session ID when logging in/out;
- fixed a few minor bugs found since version 1.0.6.
Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
This release also features a small gain in performance. 1.0.7 uses only 92% of 1.0.6's and no more than half(!) of 1.0's processing time. In other words, 1.0.7 can serve twice as many requests in the same time span as version 1.0. Another reason to keep your UseBB version up to date.
In the meantime, 2.0's development continues, and to emphasize this upcoming switch to PHP 5.2 we have joined the Go PHP 5 campaign. This campaign was started by a group of PHP-based Open Source projects - including Drupal, phpMyAdmin, Typo3 and Symfony - who have decided to make new developments PHP 5.2-based as of February 5th, 2008, hoping to speed up PHP 5 migration. (Please note, this date is NOT the release date of UseBB 2.0.) More information on this campaign can be found at http://gophp5.org.
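The two security-relevant additions in the 1.0.7 announcement, a random math question against spam bots and a new session ID on login/logout, as one added example. This is not UseBB's implementation; the function names, the fixed demo credentials and the simulated requests are assumptions made for the demo.

```php
<?php
// Added example (not UseBB code): a login handler with a random math
// challenge and session ID regeneration on login and logout.
// Run from the CLI: php login_flow.php

session_start();

// Generate a fresh challenge; only the expected answer is kept server-side.
function newMathChallenge()
{
    $a = mt_rand(1, 20);
    $b = mt_rand(1, 20);
    $_SESSION['spam_answer'] = $a + $b;
    return "What is $a + $b?";
}

// Verify the submitted answer, then forget it so it cannot be replayed.
function checkMathChallenge($submitted)
{
    if (!isset($_SESSION['spam_answer'])) {
        return false;
    }
    $ok = ((int) $submitted === $_SESSION['spam_answer']);
    unset($_SESSION['spam_answer']);
    return $ok;
}

// Successful login: swap the session ID first, then store the identity.
// This defeats session fixation, where the victim is tricked into logging
// in under a session ID the attacker already knows.
function loginUser($userId)
{
    session_regenerate_id(true); // true: discard the old session data file
    $_SESSION['user_id'] = $userId;
}

// Logout: wipe the data, destroy the session and start a new, empty one
// under another ID so the old one is useless to anyone who captured it.
function logoutUser()
{
    $_SESSION = array();
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

// --- Simulated requests (constructed for the demo) ---------------------

// Request 1: the login form is rendered with a challenge.
$question = newMathChallenge();
$idBeforeLogin = session_id();

// Request 2: the client answers the challenge. The answer is computed
// from the question text here, as a human reading the form would.
preg_match('/(\d+) \+ (\d+)/', $question, $m);
$_POST = array('spam_answer' => $m[1] + $m[2], 'username' => 'demo');

$loggedIn = false;
if (checkMathChallenge($_POST['spam_answer']) && $_POST['username'] === 'demo') {
    loginUser(42); // 42: demo user ID (assumption)
    $loggedIn = true;
}
$idAfterLogin = session_id();

// Request 3: logout.
logoutUser();
$idAfterLogout = session_id();
$userStillSet = isset($_SESSION['user_id']);

// Output last, so no session cookie is sent after output has begun.
echo $question, "\n";
echo "logged in: ", $loggedIn ? 'yes' : 'no', "\n";
echo "session ID changed on login: ",  $idBeforeLogin !== $idAfterLogin  ? 'yes' : 'no', "\n";
echo "session ID changed on logout: ", $idAfterLogin  !== $idAfterLogout ? 'yes' : 'no', "\n";
echo "user_id still set after logout: ", $userStillSet ? 'yes' : 'no', "\n";
```

The order inside `loginUser` matters: regenerate the ID before writing anything privileged into the session, otherwise the attacker-supplied ID briefly holds an authenticated session.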
Posted about 1 year ago by pc_f...@users.sourceforge.net (Dietrich Moerman)
The UseBB Team is happy to announce version 1.0.6 of the light and Open Source PHP/MySQL bulletin board package "UseBB".
Version 1.0.6 is a minor security and bug fix release. Changes include but are not limited to:
- fixed a full path disclosure vulnerability;
- fixed a bug that posed problems when setting certain time zones;
- fixed more bugs in the SQL Toolbox and ACP Modules panes of the ACP.
Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
The discovered security vulnerability (full path disclosure) only occurs on PHP setups with register_globals enabled and certain GET or POST variables passed to the system, resulting in an error containing the script's full path on the web server. This vulnerability itself cannot be exploited directly, but the disclosed information may be abused by people with system access.
Thanks to Jesper Jurcenoks of netVigilance, Inc. for reporting this. Their security advisory can be found at http://www.netvigilance.com/advisory0016.
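The register_globals full path disclosure described in the 1.0.6 and 1.0.8 posts above, as an added example (not UseBB's code and not the specific variables the advisories concern). It shows how a request parameter can pre-set a variable the script meant to define itself, how the resulting PHP warning leaks the script's filesystem path, and a hardened version. The `$root_path` variable, the file names and the error handler are assumptions for this demo; `extract()` stands in for register_globals so the script runs on current PHP.

```php
<?php
// Added example (not UseBB code): register_globals turning a request
// parameter into a full path disclosure, and a hardened equivalent.
// Run from the CLI: php path_disclosure.php

// Capture warnings so the demo can show what a browser would have seen
// on a server running with display_errors=On.
$lastWarning = '';
set_error_handler(function ($errno, $errstr, $errfile, $errline) use (&$lastWarning) {
    $lastWarning = "Warning: $errstr in $errfile on line $errline";
    return true; // handled; PHP does not print it itself
});

// Vulnerable pattern. With register_globals=On every GET/POST key became a
// PHP variable, so a request can set $root_path before the script's own
// code does. extract() reproduces that behaviour (never do this for real).
function vulnerableInclude()
{
    extract($_GET, EXTR_OVERWRITE);      // stand-in for register_globals
    if (!isset($root_path)) {
        $root_path = './';               // the value the author expected
    }
    include $root_path . 'config.php';   // fails, and the warning names this file's full path
}

// Hardened: the path is derived from the script's own location, never from
// request data; a missing file yields a generic message for the client and
// the detail goes to the server log only.
function hardenedInclude()
{
    $root_path = __DIR__ . '/';
    if (!is_file($root_path . 'config.php')) {
        error_log('config.php missing in ' . $root_path); // server log, not the response
        return 'Configuration error. Please contact the forum administrator.';
    }
    include $root_path . 'config.php';
    return 'ok';
}

// Constructed attack request: index.php?root_path=/nonexistent/
$_GET = array('root_path' => '/nonexistent/');

vulnerableInclude();
echo "Vulnerable response: ", $lastWarning, "\n"; // contains this script's full path

$lastWarning = '';
echo "Hardened response:   ", hardenedInclude(), "\n";
echo "Warning reaching the client: ", $lastWarning === '' ? 'none' : $lastWarning, "\n";
```

The application-level fix (no request-controlled paths) and the platform-level fixes belong together: `register_globals = Off`, `display_errors = Off` and `log_errors = On` in php.ini remove the variable injection and keep the path out of any response even if another script still misbehaves. As the 1.0.8 post notes, the disclosed path is only useful to someone who already has another foothold on the server, which is why the posts rate it as indirect rather than a direct threat.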