Topic: FluxBB 1.2.19 and 1.3 hotfixes released

It's that time again: new release time! :)

Recently, several security vulnerabilities in both the stable (1.2) and development (1.3) branches of FluxBB have come to our attention. Today, we have released a new version of 1.2 and hotfixes for 1.3 to address these vulnerabilities.

1.2.19 addresses three fairly serious security vulnerabilities and provides a fix for an issue with userlist.php. It is a recommended upgrade for all 1.2 installs, both FluxBB and PunBB.

4 hotfixes have been released for 1.3 Beta 2. These hotfixes address various security concerns in the beta. It is recommended that all users of the beta install these hotfixes: when your install checks for updates, either manually or automatically, you should be prompted to do so.

The FluxBB Team would like to thank Stefan Esser, who reported the 1.3 vulnerabilities, and Dan Crowley, who reported the vulnerability in 1.2's parser.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

yay for updates!

Re: FluxBB 1.2.19 and 1.3 hotfixes released

I'll update my forums.

Thank you.

I don't speak English very well, because I'm French.
I'm kankan_1 in the French community of FluxBB.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Last edited by dns777 (2008-07-11 13:43:29)

Re: FluxBB 1.2.19 and 1.3 hotfixes released

dns777 wrote:

This is rather annoying, since it refuses the creation of clickable images

Agreed!  I don't have images enabled in my forum, but linked images are very useful and I use them a lot elsewhere.  In fact, linked images are required to conform to Flickr's ToS when using an image from your Flickr photostream.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Just a tip for anyone else having this problem.

I uploaded the changefiles for 1.2.19 but my install still said 1.2.18. This is because the database update script was missing from the changed files zip. To fix this:

0) Upload the changed files to your Flux 1.2.18 install
1) UPDATE punbb_config /*(mine is a longtime pun install, the new flux tables probably have a different prefix)*/ SET conf_value = '1.2.19' WHERE conf_name = 'o_cur_version';
2) Delete file (your install path)/cache/cache_config.php
3) Load any Flux page in your browser.

You now have the newest release, no updates available.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

smartys plz release a one click 12_to_1219_update.php file

Re: FluxBB 1.2.19 and 1.3 hotfixes released

.19

...

Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?

Before January 24th, you'll see why FluxBB 1.2 won't be like "FluxBB 1.2."

Chita - a feral paradise for feline animals.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Meow wrote:

.19

...

Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?

No, it's essential security updates.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Where do I download from, main website?

Re: FluxBB 1.2.19 and 1.3 hotfixes released

artoodetoo wrote:

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!

Really, why?

Re: FluxBB 1.2.19 and 1.3 hotfixes released

dns777 wrote:

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Quite right. And I was hoping to have a release without an issue too. :/
We'll investigate and see whether we can improve the check to be less overzealous.

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Lamonte wrote:

Where do I download from, main website?

You can, or go into install extensions on your forum

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Smartys wrote:
dns777 wrote:

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Quite right. And I was hoping to have a release without an issue too. :/
We'll investigate and see whether we can improve the check to be less overzealous.

I met the same issue with
[ url= ... ] [ b ] [ color = ] text [/ color ] [ / b ] [ / url ]

http://www.foxmask.info
DaFun Spirit Sofware is a GNU GPL project for online Teams Players of Counter Strike
Admin on the FluxBB French Community

Re: FluxBB 1.2.19 and 1.3 hotfixes released

I can't even post two links after each other in 1.2.19 :(

Like:

FluxBB FluxBB

Error Message:

BBCode can not be nested within [url] tags.

Last edited by anni (2008-07-12 06:09:30)
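
The false positives reported above can be reproduced by running the three patterns quoted from include/parser.php over a few posts. This is an added example, not FluxBB code: only the three regular expressions come from the thread, while the helper name `nested_url_hits`, the pattern labels and the sample posts (using example.com) are constructed for illustration.

```php
<?php
// The three preg_match() patterns quoted in the thread from include/parser.php
// (1.2.19). The array keys are labels chosen for this example only.
$patterns = array(
    'bare [url] form'             => '#\[url\](.*?)([\[]+?)(.*?)\[/url\]#',
    '[url=] form, first variant'  => '#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#',
    '[url=] form, second variant' => '#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#',
);

// Hypothetical helper: return label => matched span for every pattern that fires.
function nested_url_hits($text, array $patterns)
{
    $hits = array();
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $text, $m)) {
            $hits[$label] = $m[0];
        }
    }
    return $hits;
}

// Constructed sample posts; the image, styled-text and two-link cases mirror
// the reports in this thread.
$samples = array(
    'single bare link'   => '[url]http://example.com/[/url]',
    'single named link'  => '[url=http://example.com/]Example[/url]',
    'clickable image'    => '[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]',
    'styled link text'   => '[url=http://example.com/][b][color=red]text[/color][/b][/url]',
    'two links in a row' => '[url=http://example.com/]FluxBB[/url] [url=http://example.com/]FluxBB[/url]',
);

foreach ($samples as $name => $post) {
    $hits = nested_url_hits($post, $patterns);
    echo $name, ': ', $hits ? 'REJECTED' : 'accepted', "\n";
    foreach ($hits as $label => $span) {
        // The span shows how far the lazy (.*?) groups had to stretch to match.
        echo '    ', $label, "\n        matched: ", $span, "\n";
    }
}
```

In the two-link case the matched span runs from the first opening tag to the second closing tag: nothing in the patterns stops a `(.*?)` group from crossing the first `[/url]`, so that tag's own `[` is counted as nested BBCode.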

Re: FluxBB 1.2.19 and 1.3 hotfixes released

anni: Thanks for the report.
Everyone: From this point forward, I'm going to be deleting any posts that report the same issue. We don't need any "me too" posts. We know there's an issue. ;)

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hi,
How do I update the SVN 1.3 version? Thx

Last edited by achos (2008-07-12 20:29:33)

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hi,

Is there not an issue on edit.php and extern.php? I can figure out where the differences are in http://fluxbb.org/download/releases/1.2 … .2.19.html, same thing for http://fluxbb.org/download/releases/1.2 … .2.18.html

Re: FluxBB 1.2.19 and 1.3 hotfixes released

fpouget: edit.php has a > added, extern.php has a PunBB changed to FluxBB (the other change, as you said, appears to not affect anything).

Re: FluxBB 1.2.19 and 1.3 hotfixes released

What is the policy on hotfixes?

Will installing hotfixes over the extensions system be a common procedure in the future, or will hotfixes be implemented in every new release of FluxBB?

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Hotfixes will fix any issues found before a new release is made. Upon updating to that new release, the hotfixes will be removed and replaced by hard-code in the new release.

Last edited by liquidat0r (2008-07-15 14:57:20)