Forums

Unfortunately no one can be told what FluxBB is - you have to see it for yourself.

You are not logged in.

#1 2012-11-13 15:15:13

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,927
Website

FluxBB 1.5.1 released

UPDATE: We discourage you from upgrading to v1.5.1, as it contains changes that may break your forum if you have modifications installed or custom integrations in place. v1.5.2 will be released with a fix very soon.

I am very happy to announce the release of FluxBB v1.5.1.

This is a general maintenance release which (besides 18 bugfixes and 9 enhancements) also fixes a minor security issue that could potentially cause XSS vulnerabilities when used together with a SQL injection attack. We recommend updating.

Other important changes in this version:

You can also take a look at the detailed changelog.

As always, you can download this release on our download page.
Changed files and patches are also available on the upgrade page.

I want to use this opportunity to thank everybody who has contributed to this release: adaur, arw, daris, JohnLewis, Koos, Mr.Anderson, Oldskool, Paul, quy and Studio384. Cheers!

It is recommended to do a backup of both your files and database before upgrading!

If you have any problems or spot any errors please let us know! smile

And for everybody interested in v2.0: we will reach the first alpha milestone this month, so stay tuned for some exciting news!

Last edited by Franz (2013-01-09 11:29:45)


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#2 2012-11-13 15:27:22

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 646
Website

Re: FluxBB 1.5.1 released

Yay! I'm working on the Dutch translation. smile

Haha, the first 1.5.1 modification is available. smile

Last edited by Studio384 (2012-11-13 15:48:23)


FluxBB Community Benelux - ModernBB 3.4
Profile Plus: A new FluxBB profile interface

Offline

#3 2012-11-14 05:30:22

Pierre
Member
From: Germany/Bonn
Registered: 2010-05-20
Posts: 49
Website

Re: FluxBB 1.5.1 released

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Offline

#4 2012-11-14 05:44:30

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 646
Website

Re: FluxBB 1.5.1 released

Pierre wrote:

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Yes, that's the right comment.


FluxBB Community Benelux - ModernBB 3.4
Profile Plus: A new FluxBB profile interface

Offline

#5 2012-11-14 07:09:40

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

Then what is it? big_smile

		if ($pun_user['is_admmod'])
			$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#6 2012-11-14 11:40:41

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,927
Website

Re: FluxBB 1.5.1 released

Yes, it's that one.

As I wrote, it's only exploitable in combination with SQL injection. Somebody got hacked because of a SQL injection vulnerability in a modification.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#7 2012-11-15 12:46:29

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

ce10adea4b7f2a08bfebacca98fd7824.gif

Why use two Content-Type?


My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#8 2012-11-15 13:03:24

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,927
Website

Re: FluxBB 1.5.1 released

Any chance you have a custom style or a custom template file? You should remove the content type from the template, it's now generated in header.php.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#9 2012-11-15 13:11:58

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

I ask about this forum wink
Look in the top part of the picture.
---
It seems, the function handle_url_tag  works at localhost incorrectly
749f60d28d888737a3834c5aafc6287e.gif

if delete

	if ($bbcode === false && url_valid($full_url) === false)
		$bbcode = true;

- all ok


My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#10 2012-11-15 13:25:49

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

Possibly, the function url_valid returns False for localhost sad


My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#11 2012-11-15 13:38:27

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 728
Website

Re: FluxBB 1.5.1 released

Franz wrote:

Yes, it's that one.

As I wrote, it's only exploitable in combination with SQL injection. Somebody got hacked because of a SQL injection vulnerability in a modification.

That's me, indeed. It is not a vulnerability itself, but it can help in addition to a XSS.

@Pierre: yes it is, but as the fix is very easy, it would be a shame not to solve it.

@Visman: what about

	if ($bbcode === false && url_valid($full_url) === false && parse_url($full_url, PHP_URL_HOST) != 'localhost')
		$bbcode = true;

Last edited by adaur (2012-11-15 13:47:41)


Please excuse my bad english, I'm french tongue.

Offline

#12 2012-11-15 15:12:35

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

adaur wrote:

@Visman: what about

	if ($bbcode === false && url_valid($full_url) === false && parse_url($full_url, PHP_URL_HOST) != 'localhost')
		$bbcode = true;

works, but I think it is necessary to correct function url_valid wink

adaur wrote:

That's me, indeed. It is not a vulnerability itself, but it can help in addition to a XSS.

Interestingly, why only in one place added pun_htmlspecialchars?


My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#13 2012-11-15 15:59:27

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 904

Re: FluxBB 1.5.1 released

bug

[url]http://президент.рф/[/url]

-->
http://президент.рф/


My modification of FluxBB 1.5.7 - rev.66
I speak only Russian  tongue

Offline

#14 2012-11-15 17:25:38

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 728
Website

Re: FluxBB 1.5.1 released

@Visman: sorry, I thought url_valid was a native function. Let's continue the discussion here wink.

Interestingly, why only in one place added pun_htmlspecialchars?

If you see some more unprotected fields, please report them, thanks!

Edit: you're right, as always

		if ($pun_user['is_admmod'])
			$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

Last edited by adaur (2012-11-15 17:32:01)


Please excuse my bad english, I'm french tongue.

Offline

#15 2012-11-15 23:13:02

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 116
Website

Re: FluxBB 1.5.1 released

Studio384 wrote:
Pierre wrote:

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Yes, that's the right comment.

Hello,

Excuse me, but why is the IP address escaped at this line, but not in the following lines :

if ($pun_user['is_admmod'])
$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<span class="email"><a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a></span>';

May be I miss something, but what ? hmm

Last edited by sklerder (2012-11-16 07:31:08)

Offline

#16 2012-11-15 23:42:59

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,927
Website

Re: FluxBB 1.5.1 released

Visman wrote:

I ask about this forum wink

Whoops, my bad. Fixed now, it had to do with our site integration.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#17 2012-11-16 17:35:32

korui
Member
From: Guangdong,China
Registered: 2010-02-01
Posts: 16

Re: FluxBB 1.5.1 released

I'm waiting for 2.0

Offline

#18 2012-11-16 18:43:08

lord.nitos
Member
From: Poland
Registered: 2012-11-15
Posts: 12

Re: FluxBB 1.5.1 released

korui wrote:

I'm waiting for 2.0

Like everybody smile


sorry for my poor english, because i am polish guy

Offline

#19 2012-11-16 22:05:57

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 116
Website

Re: FluxBB 1.5.1 released

Hi !

sklerder wrote:
Studio384 wrote:
Pierre wrote:

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Yes, that's the right comment.

Hello,

Excuse me, but why is the IP address escaped at this line, but not in the following lines :

if ($pun_user['is_admmod'])
$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<span class="email"><a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a></span>';

May be I miss something, but what ? hmm

I believe you didn't see my question, Franz ...

Offline

#20 2012-11-16 22:20:26

JohnLewis
Developer
From: England
Registered: 2012-09-11
Posts: 99

Re: FluxBB 1.5.1 released

lord.nitos wrote:
korui wrote:

I'm waiting for 2.0

Like everybody smile

And it's a bit away. Alpha1 won't be usable and I doubt it (unless there is a something I am missing) will be usable until Beta1.


sklerder wrote:

Hi !

sklerder wrote:
Studio384 wrote:

Yes, that's the right comment.

Hello,

Excuse me, but why is the IP address escaped at this line, but not in the following lines :

if ($pun_user['is_admmod'])
$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<span class="email"><a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a></span>';

May be I miss something, but what ? hmm

I believe you didn't see my question, Franz ...

We have found a few of them. Check to see if it has been solved yet, if not report it in the ticket opened in the tracker regarding this issue. You can find it under 1.5.2.


John F. Lewis
FluxBB Developer

Offline

#21 2012-11-19 16:03:36

Spiky
Member
From: France
Registered: 2009-08-31
Posts: 54

Re: FluxBB 1.5.1 released

Visman wrote:

bug

[url]http://президент.рф/[/url]

-->
http://президент.рф/

Hi,
Is what it was fixed?
It's a little embarrassing when working locally.

Thanks.

Offline

#22 2012-11-19 16:40:25

JohnLewis
Developer
From: England
Registered: 2012-09-11
Posts: 99

Re: FluxBB 1.5.1 released

Spiky wrote:
Visman wrote:

bug

[url]http://президент.рф/[/url]

-->
http://президент.рф/

Hi,
Is what it was fixed?
It's a little embarrassing when working locally.

Thanks.

Please view the appropriate ticket under 1.5.2.


John F. Lewis
FluxBB Developer

Offline

#23 2012-11-23 09:28:21

Pierre
Member
From: Germany/Bonn
Registered: 2010-05-20
Posts: 49
Website

Re: FluxBB 1.5.1 released

I just updated the German translation. Note: as FluxBB switched to the strict XHTML mode for unknown reason tags like <br> are no longer valid (use <br /> instead).

Btw: Why switch to the XML based XHTML instead of HTML (5)?

Offline

#24 2012-11-24 21:20:32

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,927
Website

Re: FluxBB 1.5.1 released

Thanks for the contribution, Pierre!

Yeah, I'm beginning to wonder whether the move to XHTML was so brilliant. It can cause really ugly errors on some pages and it isn't the latest standard anymore. Potentially breaking quite a few mods for such an un-needed (in the sense of importance) change is rather uncool.

EDIT: But then, we've always boasted ourselves with serving valid XHTML on our frontpage (until a few days ago), so I guess it does make sense.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#25 2012-11-24 21:46:50

sklerder
Member
From: Brittany
Registered: 2012-11-06
Posts: 116
Website

Re: FluxBB 1.5.1 released

Hello, Franz !

May be it makes sense, but I feel it was to early, and "modders" weren't prepared to this sad

Actually, I'm fighting with Daris's Patcher, which is really broken with this change.

And, I suppose, it is not the only mod broken due to XHTML hmm


I think that this choice should have been postponed to FluxBB 2.0, because mod will have to be rewritten for them to work with this new version, but actually, for a minor update, we have big rewrites on mods and a real upgrade to do, with plenty of tests ...

But thats only my point of view smile

Offline

Board footer

Powered by FluxBB 1.5.7