
#1 2014-10-20 11:56:46

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

FluxBB 1.5.7 and 1.4.13 released

Security fixes!

Today we inform you about the release of two new FluxBB versions - v1.5.7 and v1.4.13.

These releases fix a critical security vulnerability that could potentially allow clever attackers to take over other user accounts on a FluxBB forum.
We also fixed another less severe issue related to redirects in login.php.

To keep the release (and accompanying patches) small, we pushed back the planned and already implemented improvements to a v1.5.8 release due in November.

We want to thank everyone at ramhost.us for the very responsible disclosure of the vulnerability as well as their friendly communication. Patches were contributed by adaur and quy. Thanks, guys!

Please update your forums as soon as possible! As always, you can find complete download packages on the downloads page. Patches and changed files can be obtained on the upgrade page.

We apologize for the inconvenience and assure you that we are trying our best to avoid problems like these, now and in the future.

Security mailing list

In the days prior to this release, we have contacted several prominent community members and large FluxBB forums to give them time to patch their installs. To keep you all in the loop, we have created a new security mailing list. We will use that exclusively to contact you in case of security-relevant releases. You can sign up through a single click of a button in your site profile. Please consider doing so to stay informed and keep your forums up-to-date.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#2 2014-10-20 13:13:20

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,076

Re: FluxBB 1.5.7 and 1.4.13 released

Error in https://fluxbb.org/download/releases/1. … 1.5.6.html
The changes in admin_bans.php, login.php and misc.php aren't visible there.


My modification of FluxBB 1.5.10 - rev.75
I speak only Russian


#3 2014-10-20 14:37:02

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

I fixed all patch files. That was not easy, as I accidentally changed the line endings on one commit.

I hate release days...



#4 2014-10-20 19:25:24

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

I don't mean to sound obnoxious, but that's exactly why I'm so wary of placing the data directly into the SQL query. Any chance of moving to prepared statements at some point Franz?

Anyhow, in the process of updating now - thanks.


Download Panther - The dawn of a new age in forum software.
Why should I use Panther? | Panther demo | Convert to Panther


#5 2014-10-20 21:08:59

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Yes, 2.0.



#6 2014-10-21 07:04:58

joel
Member
Registered: 2014-07-04
Posts: 438

Re: FluxBB 1.5.7 and 1.4.13 released

When will 2.0 be out? I don't need to upgrade this.


Warning! be informed and be forewarned. <p>
<?php
I'm not a native English Man. So my comments might contain some grammatical explosive (ELD), missapropreation of words (dinamyt), The use of wrong words (missiles), & mis spelling of words (war drones). Any of the occurrence can cause havoc. So be warned
?>


#7 2014-10-21 07:33:23

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

joel wrote:

When will 2.0 be out? I don't need to upgrade this.

Well if you don't upgrade, your site will likely get hacked. I think it was mentioned in another thread that FluxBB 2.0 will not be out this year.



#8 2014-10-21 12:28:54

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: FluxBB 1.5.7 and 1.4.13 released

Thanks.

Just a suggestion: I don't know why, but I get announcements for MODs I downloaded (never installed, so not of importance for me) - I think I did not ask for that feature but got it. So I now ask if you could add the feature of an "upgrade available" notification. Especially for security fixes this could be nice to have.

Serious and short: add a "new version" notification (or tell me where to activate it).


bye
Ron


#9 2014-10-21 13:02:00

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Hey Ron, you have two options:
- either subscribe to this forum, or
- sign up for the security mailing list in your site profile.

P.S.: You can disable the "Auto-use modifications" feature in your site profile to disable the automatic signup for the modification release emails. You'll have to explicitly opt out of the ones you already receive on their respective mod pages, though.



#10 2014-10-21 13:06:25

joel
Member
Registered: 2014-07-04
Posts: 438

Re: FluxBB 1.5.7 and 1.4.13 released

I hope this is not made to cause panic, because I might end up putting my Flux forum down for now. Removing it from my server will be safer.


What I have is a heavily modified Flux in there, and it will be a problem to upgrade it just like that. I really don't have that time now.

Maybe the patches will help.

By the way, I think I heard before that Flux is highly secure and safe. Haha, maybe the word security means insecurity and is just a cover-up. Haha

Last edited by joel (2014-10-21 13:09:49)



#11 2014-10-21 13:36:11

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Yes, you should definitely upgrade.

If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.



#12 2014-10-21 17:22:44

grognard
Member
From: UK
Registered: 2014-09-18
Posts: 64
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Upgrade relatively smooth and painless. Thanks a ton Franz!


#13 2014-10-21 18:48:29

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 194

Re: FluxBB 1.5.7 and 1.4.13 released

Thanks for the hint with the site profile... I never looked at it (I am in a forum, so I just use name + email, maybe "forgot password").

@string escaping
Maybe one should run some command line tools to check for unsanitized strings in queries (string variables used without an "escape" command wrapping them).


@Joel
A tool is safe as long as nobody finds the hole to crawl through. Even if you make your tool safe, you might have trouble with the environment (see the various PHP security fixes of the last weeks).

EDIT: spelling bee was there to help.


Last edited by GWR (2014-10-21 18:48:54)


#14 2014-10-22 11:54:39

benjawi
Member
From: Plymouth, England
Registered: 2013-03-30
Posts: 81
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Just to confirm... there's no database update is there? I really should update mine and will do. Currently using v 1.5.5.


#15 2014-10-22 12:00:53

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Nope. My database is from 1.5.3, and I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php



#16 2014-10-22 12:02:15

benjawi
Member
From: Plymouth, England
Registered: 2013-03-30
Posts: 81
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Ideal, will crack on with the upgrade then. Cheers for confirming.


#17 2014-10-22 12:41:44

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

chris98 wrote:

I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php

Make sure FORUM_DB_REVISION is set to 20 in include/common.php, that makes sure your database is up-to-date.



#18 2014-10-22 13:03:38

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

I changed it from 18 to 20 & I also changed the

define('FORUM_VERSION', '1.5.3');

to

define('FORUM_VERSION', '1.5.7');

but I get redirected to db_update still & I get the error:

[22-Oct-2014 13:00:08 UTC] Error: Your forum is already as up-to-date as this script can make it

in my error log.

If I remember correctly, this is exactly why I never changed it before - should I also update the data in the config table or should db_update do that?



#19 2014-10-22 13:12:44

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,346
Website

Re: FluxBB 1.5.7 and 1.4.13 released

db_update does that.

If you did not upload the newest version of db_update.php, it won't be able to do it for you, though.



#20 2014-10-22 13:46:56

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

That's why it hasn't been working then - I was just somehow assuming the one from 1.5.3 would do it using some kind of fopen() function, like checking for the version does in the admin panel.

I've run the script and the actual upgrade itself was fairly smooth. However, it did cause a few hiccups with requiring custom caches and dropped my ranks table - but I think I've got all that sorted again now.



#21 2014-10-23 22:14:57

Studio384
Developer
From: Belgium
Registered: 2012-04-11
Posts: 679
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Dropped the ranks table? What version of FluxBB have you been using prior to this? Because by the sounds of it, you should have updated to 1.4.13 instead of 1.5.7 (unless, of course, you are using a Ranks mod, in which case, indeed, db_update will remove that table).


#22 2014-10-24 06:53:28

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

You got it in one - I was using 1.5.3, but I was also using the ranks mod.



#23 2014-10-24 08:36:45

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,076

Re: FluxBB 1.5.7 and 1.4.13 released

chris98 wrote:

I was using 1.5.3

This version is obsolete



#24 2014-10-24 08:42:48

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,237
Website

Re: FluxBB 1.5.7 and 1.4.13 released

Visman wrote:
chris98 wrote:

I was using 1.5.3

This version is obsolete

Well... 1.5.3 with all the security updates.



#25 2014-10-24 08:49:10

joel
Member
Registered: 2014-07-04
Posts: 438

Re: FluxBB 1.5.7 and 1.4.13 released

Franz wrote:

Yes, you should definitely upgrade.

If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.

@Franz, I saw this code on the link. Where will I put this code? I mean, what will I find and replace in profile.php?


@@ -55,7 +55,7 @@
message($lang_profile['Pass key bad'].' <a href="mailto:'.pun_htmlspecialchars($pun_config['o_admin_email']).'">'.pun_htmlspecialchars($pun_config['o_admin_email']).'</a>.');
else
{
- $db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}
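Review bot: the same statement still concatenates `$id` into `WHERE id='.$id` with no `$db->escape()` or cast visible in the hunk, on both the `-` and `+` lines; since the hunk does not show where `$id` is assigned, the reviewer should confirm it is integer-cast before this point in profile.php, otherwise the fix closes one interpolation and leaves another in the same query. The change itself is confined to wrapping `$cur_user['activate_string']` in `$db->escape()`, so the `-` line is the text to find in profile.php and the `+` line is its replacement, which is the one-line change referred to upthread. Escaping at every call site is what this code base relies on; a parameterized statement, as chris98 asked about, would make the quoting independent of each author remembering the wrapper.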



Powered by FluxBB