1 2010-03-10 04:23:56
Re: FluxBB XXL - Big Forums Running FluxBB (9 replies, posted in FluxBB discussion)
2 2010-03-10 00:04:47
Re: CJK search support (36 replies, posted in FluxBB discussion)
It assumes every character is a word (which I don't believe is always the case?).
Correct. I believe it's true for Chinese but not true for Japanese (and I couldn't say definitively for Korean).
3 2010-03-08 05:18:03
Re: mysqli_innodb (3 replies, posted in General support (1.4))
No, your tables need to be using InnoDB as their backend engine, not MyISAM.
4 2010-03-06 12:28:31
Re: Database firewall (4 replies, posted in General discussion)
http://php.net/manual/en/mysqli.prepare.php
mysql is not the "modern" MySQL extension.
5 2010-03-06 03:29:54
Re: Database firewall (4 replies, posted in General discussion)
If you really think you need something like this, you're better off just writing proper stored procedures and letting the database handle the security aspects. No need to stick a proxy server in front of it.
Their heuristics won't stop every SQL injection (and will match a fair number of valid queries):
* Access to sensitive tables (users, accounts, credit information)
* Comments inside SQL commands
* An empty password string
* An ‘or’ token inside a query
* An SQL expression that always returns true (SQL tautology)
The key is that they have you run it in "learning mode" and then set it up to reject any queries that aren't explicitly whitelisted. Those heuristics are irrelevant in their primary use-case. It's definitely an interesting idea, but I can't see this being run on any serious site: any site where people are really that afraid of SQL injections could benefit more greatly from the use of stored procedures / prepared queries.
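Posts 4 and 5 above point at prepared statements as the alternative to heuristic filtering. The following is an added example, not code from either post or from FluxBB, showing the same user lookup written as a string-spliced query and as a mysqli prepared statement. It assumes a `$mysqli` connection and a hypothetical `users` table with `username` and `password_hash` columns; `get_result()` needs the mysqlnd driver.

```php
<?php
// Added example: the same lookup written two ways.
// Assumes an open mysqli connection and a hypothetical `users` table
// with `id`, `username` and `password_hash` columns.

// Vulnerable: the input is spliced into the SQL text, so a value that
// contains a quote followed by its own OR clause changes the query's
// structure. A firewall rule that flags the 'or' token would catch that
// case, but it would also flag a legitimate username such as "Oscar".
function find_user_unsafe(mysqli $mysqli, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '"
        . $username . "'";
    $result = $mysqli->query($sql);
    if ($result === false) {
        return null;
    }
    return $result->fetch_assoc() ?: null;
}

// Safe: the statement is parsed with a placeholder first and the value is
// bound afterwards, so the DBMS never interprets the value as SQL. No
// heuristic is needed because there is nothing to guess at.
function find_user_safe(mysqli $mysqli, string $username): ?array
{
    $stmt = $mysqli->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The point the post makes is visible in the difference: in the first function the whole string is handed to the parser, so the only defence is guessing which strings look hostile; in the second the query shape is fixed before any user data arrives, which is why a learning-mode whitelist adds little on top of it.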
6 2010-03-06 00:38:35
Re: Maximum execution time of 60 seconds exceeded in email.php (7 replies, posted in General support (1.2))
Reading ends when length - 1 bytes have been read, on a newline (which is included in the return value), or on EOF (whichever comes first). If no length is specified, it will keep reading from the stream until it reaches the end of the line.
So, if my mail server were to write fewer than 256 bytes and not send an EOF, it would freeze.
I would talk to your webhost if PHP is hanging on random lines of code.
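The quoted fgets() behaviour is the reason a quiet mail server can hang a script. As an added illustration (not code from the thread or from FluxBB's email.php), this reads one response line from an SMTP server with a bounded wait, using stream_set_timeout() and the `timed_out` flag from stream_get_meta_data(). The host name and timeout values are assumed for the example.

```php
<?php
// Added example: read one line from a mail server without letting fgets()
// wait indefinitely. Host, port and timeouts are illustrative values.

function read_smtp_line(string $host, int $port = 25, int $timeout = 10): string
{
    $errno = 0;
    $errstr = '';
    // The fsockopen timeout covers only the TCP connect.
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }

    // Without a read timeout, fgets($fp, 256) returns only after a newline,
    // 255 bytes, or EOF. A server that sends a partial line and then goes
    // silent leaves the script blocked in this call.
    stream_set_timeout($fp, $timeout);
    $line = fgets($fp, 256);
    $meta = stream_get_meta_data($fp);
    fclose($fp);

    if ($meta['timed_out']) {
        throw new RuntimeException("no complete line from $host within {$timeout}s");
    }
    if ($line === false) {
        throw new RuntimeException("$host closed the connection before sending a line");
    }
    return rtrim($line, "\r\n");
}

// Usage (assumed host name):
// $banner = read_smtp_line('mail.example.com');
```

Checking `timed_out` before inspecting `$line` matters: on a timeout fgets() may return a partial line rather than false, so testing the return value alone would mistake a stalled server for a complete response.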
7 2010-02-28 16:56:19
Re: quote shoud quoting selected text (2 replies, posted in Feature requests)
Quoting doesn't use Javascript, it actually quotes the entire post. This sounds more like a modification.
8 2010-02-26 14:43:33
Re: DokuWiki + Flux1.4 Integration (8 replies, posted in Modifications (1.4))
No, you set the value, not the key.
9 2010-02-26 14:43:02
Re: Air? (25 replies, posted in General support (1.4))
can u zip it up and link it here.. i just downloaded 1.4 rc and it not in it...
Q
10 2010-02-24 15:33:08
Re: i make a fresh install,and find online table is strange (1 replies, posted in General support (1.4))
It's a memory table: don't worry about it.
11 2010-02-22 16:33:32
Re: search result not sort by post time (11 replies, posted in Bug reports (1.4))
Yes: as I said, the issue has been identified and is awaiting a complete fix.
12 2010-02-22 07:55:43
Re: error function (4 replies, posted in General support (1.4))
Who says $pun_user is defined by that point? Or $pun_config, for that matter? And do the DBMS systems localize their own error messages to the user, or are SQL syntax errors still going to show up in English?
My personal opinion is that the FluxBB devs have done far more for internationalization than was ever envisioned for 1.4 and that the focus now should be on releasing the code, maintaining it, and developing a new version, not on slapping more and more features onto this version.
13 2010-02-22 02:44:14
Re: Empty post (6 replies, posted in Bug reports (1.4))
Because it's an empty post. It has no value. <b></b> is meaningless and shouldn't be considered content. It's not security-related: it's common sense.
14 2010-02-21 04:43:02
Re: search result not sort by post time (11 replies, posted in Bug reports (1.4))
And if you'll notice, those posts are perfectly sorted within the pages: you said sorting wasn't working at all, not that the page results were inconsistent.
I believe the problem is related to Reines's recent changes: now, each page selects the proper number of post IDs, but those post IDs aren't necessarily in their proper order.
15 2010-02-21 04:19:47
Re: search result not sort by post time (11 replies, posted in Bug reports (1.4))
In the two examples you just showed, the results appear to be ordered by last post in descending order.
In the first example, for instance, the first date is 07-12-09 (December 9th, 2007), the second is 07-12-01 (December 1st, 2007), so on and so forth.
In the second example, the first date is 08-01-26 (January 26th, 2008), the second is 08-01-24 (January 24th, 2008), so on and so forth.
What am I missing here?
16 2010-02-21 03:47:58
Re: search result not sort by post time (11 replies, posted in Bug reports (1.4))
Uh, ordered by last post. Your site looks like it's showing dates in YY-MM-DD format.
17 2010-02-21 03:36:45
Re: search result not sort by post time (11 replies, posted in Bug reports (1.4))
Sorting by post time, not last post time?
18 2010-02-17 18:43:42
Re: can't search (11 replies, posted in Bug reports (1.4))
Ah fair enough that solves the too long words (kinda), but 1.2 still has the minimum length of 3 characters which is an issue for Chinese, so I wouldn't say it has no problems.
Very true.
19 2010-02-17 15:20:05
Re: can't search (11 replies, posted in Bug reports (1.4))
No, there isn't: I believe it falls back to an incredibly poor performance system for multibyte characters where it uses a LIKE query on the field.
20 2010-02-16 20:48:44
Re: My fluxbb forum host! (19 replies, posted in General discussion)
No. I created an account. Correlation is not causation.
21 2010-02-13 19:51:57
Re: Flood with multiple validations (6 replies, posted in General support (1.2))
Well, is your post.php checking flood restrictions? Is it updating people's last post times?
22 2010-02-12 15:50:52
Re: Flood with multiple validations (6 replies, posted in General support (1.2))
So perhaps fluxbb.fr has modified their code and inadvertently disabled it?
23 2010-02-11 21:41:57
Re: My fluxbb forum host! (19 replies, posted in General discussion)
It would have been polite to ask if you could test for vulnerabilities first
Polite? Maybe. Required? No.
You put your website up on the Internet and you advertised it here: nowhere did I agree to access the website only in ways you pre-approve. That's even ignoring the fact that several of the vulnerabilities could/would have been triggered by someone passively exploring the site (ie: the plugin vulnerabilities) and not doing anything you would consider "against your wishes."
And again, it wasn't like I tried to hide my intentions. As soon as I discovered vulnerabilities, I reported them to you: I didn't replace your website with a funny message or do anything malicious. I even suggested mitigation strategies. I'd call that more than polite.
And you either forged some POST requests or used Firebug or the Webkit inspector to change the URL and avatar dir.
Web Developer Toolbar.
24 2010-02-11 21:23:43
Re: New styles for FluxBB-1.4 - A competition (85 replies, posted in Announcements)
25 2010-02-11 21:18:27
Re: My fluxbb forum host! (19 replies, posted in General discussion)
Oh dear, it seems I missed your edits...
Also, you could have simply tested instead of actually trying to break the forum. I've banned your IP temporarily, until these issues have been worked out. By no means do I expect you to be stopped by this, but I'd imagine your intents are not malicious.
Now see, that's just not nice. I WAS testing for vulnerabilities, as we discussed; I'm not sure what you're objecting to. I think you'd agree that a vulnerability affecting only a forum I own is far different than a vulnerability that allows me to compromise other forums (and that identifying which vulnerabilities are which is important). To be clear, at no time did I "break" anything related to the site as a whole (nor would I have): I even used an SQL injection to fix my forum's base URL. ;-)
Instead of merely reporting an issue, how about helping me fix it?
I do freelance work at very affordable rates: if you'd like me to do some coding for you, that's the way to get me to do it.
The burden is on you to code properly and securely, not on me to find and fix your system's vulnerabilities. Be happy that I found the vulnerabilities and alerted you so you could fix them; I could have just waited for malicious hackers to discover them.
It wasn't the fact that he tested, it was the method by which he did it.
I'm a little confused by this. Should I have somehow discovered all the vulnerabilities through mental telepathy and reported them to you? (kudos to Matt for making the point already)
I'm also a little curious what "method" I used to discover vulnerabilities that you found so objectionable. All I did was navigate in my browser and type values into fields (and maybe use LiveHTTPHeaders a bit). Those are fairly standard techniques.