#1 2008-12-04 23:40:16

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

FluxBB 1.2.21 released

We have just released an updated version of the 1.2 branch; this addresses a fairly serious security issue discovered by Smartys (thanks :) )

If you run 1.2 then it is highly recommended that you update your install.

Connor

Offline

#2 2008-12-04 23:45:42

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.21 released

http://fluxbb.org/trac/changeset/738
For anyone curious about the change

Offline

#3 2008-12-05 01:16:53

MisterAwesome
Member
Registered: 2008-06-03
Posts: 44
Website

Re: FluxBB 1.2.21 released

http://fluxbb.org/downloads/updates.php
What are the files to change to upgrade from 1.2.20?

Offline

#4 2008-12-05 01:17:36

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

Re: FluxBB 1.2.21 released

Offline

#5 2008-12-05 01:23:39

MisterAwesome
Member
Registered: 2008-06-03
Posts: 44
Website

Re: FluxBB 1.2.21 released

I've done that but it still shows 1.2.20 on the main page?

Offline

#6 2008-12-05 01:48:38

elbekko
Former Developer
From: Leuven, Belgium
Registered: 2008-04-30
Posts: 1,132
Website

Re: FluxBB 1.2.21 released

Oh yes, we didn't update the DB update script -.-
*glares at Connor*


Ben
SVN repository for my extensions - The thread
Quickmarks 0.5
“Question: How does a large software project get to be one year late? Answer: One day at a time!” - Fred Brooks

Offline

#7 2008-12-05 04:03:34

Pedro
Member
Registered: 2008-05-11
Posts: 104

Re: FluxBB 1.2.21 released

Forgive me my ignorance, why is this dangerous?
fp.group_id=1

I guess the group with the id=1 could be other than the admin group in some situations...?

Offline

#8 2008-12-05 04:14:58

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: FluxBB 1.2.21 released

Pedro wrote:

Forgive me my ignorance, why is this dangerous?
fp.group_id=1

I guess the group with the id=1 could be other than the admin group in some situations...?

group_id 1 is the admin group; the old query was basically selecting all forums the admin group could view, rather than the ones the actual logged-in user can view.

Offline

#9 2008-12-05 05:13:18

hcgtv
Member
From: Charlotte, NC
Registered: 2008-05-07
Posts: 463
Website

Re: FluxBB 1.2.21 released

elbekko wrote:

Oh yes, we didn't update the DB update script -.-

Don't feel bad, the PunBB team forgot the 12_to_1221_update.php file in their changed files zip.

Let's cut them some slack though, they're doing the best they can in their spare time ;)

Offline

#10 2008-12-05 05:13:50

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.21 released

To be clear, it's dangerous from an information security perspective more than anything else: it's a missing permissions check on subscriptions.

Offline

#11 2008-12-05 05:24:20

xable
Member
Registered: 2008-05-13
Posts: 145

Re: FluxBB 1.2.21 released

Thanks guys.

Offline

#12 2008-12-05 07:01:03

chris
Member
Registered: 2008-05-09
Posts: 21

Re: FluxBB 1.2.21 released

You can follow my instructions here to update your version number. The database update script was missing again (as noted above).

Offline

#13 2008-12-05 08:51:55

Pedro
Member
Registered: 2008-05-11
Posts: 104

Re: FluxBB 1.2.21 released

So it was a bug rather than a security issue.

I mean, that "group_id=1" should never be there because it didn't make sense at all, not because it was dangerous. Did I get it right?

Offline

#14 2008-12-05 15:05:48

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB 1.2.21 released

Pedro wrote:

So it was a bug rather than a security issue.

I mean, that "group_id=1" should never be there because it didn't make sense at all, not because it was dangerous. Did I get it right?

Yes and no. You're right that it didn't make sense at all. The security issue is that it allows me to subscribe to topics I'm not allowed to see. Which means I get emails when people post in them (along with the contents of the post).

Offline

#15 2008-12-14 13:06:42

kankan
Member
From: France
Registered: 2008-06-09
Posts: 6
Website

Re: FluxBB 1.2.21 released

Thank you for maintaining the 1.2 branch ;)

But when will the 1.3 branch be stabilized? And is it possible to use the SVN version in production?


I don't speak English very well, because I'm French.
I'm kankan_1 in French community of FluxBB.

Offline

#16 2008-12-15 06:32:12

frozen_space
Member
From: Wuxi, China
Registered: 2008-05-12
Posts: 107
Website

Re: FluxBB 1.2.21 released

kankan wrote:

Thank you for maintaining the 1.2 branch ;)

But when will the 1.3 branch be stabilized? And is it possible to use the SVN version in production?

1.3 is still in the development stage, and it is not recommended to use it in a production environment.


Today is the tomorrow you worried about yesterday, and all is well. :)
FluxBB in Chinese.

Offline
