#1 2009-08-31 11:39:46
- Reines
- Administrator
- From: Scotland
- Registered: 2008-05-11
- Posts: 3,197
FluxBB-1.2.22 released
Today we have released FluxBB-1.2.22. It includes fixes for a few minor bugs, and one XSS vulnerability.
Changes since 1.2.21 include:
- Changing the version comparison method to use version_compare.
- Fixed a critical XSS vulnerability, reported by endeavormac.
- Fixed a deprecated warning on newer versions of PHP.
- Fixed an issue with uploading avatars when open_basedir restrictions are in effect.
- Made stickied topics show as such in search results.
Due to the XSS vulnerability discovered I would strongly urge everyone to update as soon as possible.
Downloads can be found on the current stable release download page. For anyone wanting to update manually, patch files and html diff files are available.
Don't forget to run the 12_to_1222_update.php file after updating to correct your board's version number.
Note: Most of these changes have also been applied to the 1.4 branch. The XSS vulnerability also affects anyone running 1.4-beta or 1.4-beta2. Although we haven't released an update for 1.4 (as it shouldn't be used in production!), anyone who needs it can download the updated files from either SVN or Trac.
#2 2009-08-31 11:47:48
- Reines
- Administrator
- From: Scotland
- Registered: 2008-05-11
- Posts: 3,197
Re: FluxBB-1.2.22 released
Just to note, I haven't created the -changed_files.zip/tar's yet as the release script doesn't automatically handle that (and I'm at work!). I will try to get these done tonight.
#3 2009-08-31 14:45:45
- hcgtv
- Member
- From: Charlotte, NC
- Registered: 2008-05-07
- Posts: 466
Re: FluxBB-1.2.22 released
Thanks Reines for making us aware of the vulnerability.
I went ahead and made the changes to admin_prune.php on my PunBB 1.2.21 boards. I'm waiting on FluxBB 1.4 to make the switch over, since I have a number of mods applied.
PHPCrossRef . We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
#4 2009-08-31 23:43:25
- Spiky
- Member
- From: France
- Registered: 2009-08-31
- Posts: 55
Re: FluxBB-1.2.22 released
Hi,
Once the update is done, in the administration panel, when I click to check the official version, it always tells me that there is a new version available!!!!
Nevertheless, all the modifications were made correctly.
The file is OK with update.php, and OK in the database.
I do not understand.
I checked the file cache_config.php and it is fine.
<?php
define('PUN_CONFIG_LOADED', 1);
$pun_config = array (
'o_cur_version' => '1.2.22',
'o_cur_version_fr' => '1.2.22',
#5 2009-08-31 23:57:00
- Smartys
- Former Developer
- Registered: 2008-04-27
- Posts: 3,139
Re: FluxBB-1.2.22 released
It looks like you're using a modified version (o_cur_version_fr is not standard). I would ask at the place you got your version (punbb.fr?).
#6 2009-09-01 02:49:47
- Mpok
- Member
- From: France
- Registered: 2008-05-12
- Posts: 389
Re: FluxBB-1.2.22 released
@Smartys: yep, 'o_cur_version_fr' is a custom one (and now somewhat obsolete; we left it, but it's not useful any longer..).
But the problem is not "custom", it's GENERAL.
THERE IS A BUG IN THE HDIFF!
File "admin_index.php", the line with "version_compare": the '.' should be ',' (3 arguments).
#7 2009-09-01 03:11:50
- Smartys
- Former Developer
- Registered: 2008-04-27
- Posts: 3,139
Re: FluxBB-1.2.22 released
Mpok: I'm not sure what you mean. I just checked all the hdiff files and none appear to have a period in place of a comma (and neither does the code itself).
#8 2009-09-01 03:24:40
- Mpok
- Member
- From: France
- Registered: 2008-05-12
- Posts: 389
Re: FluxBB-1.2.22 released
???
See: http://fluxbb.org/download/releases/1.2 … .2.22.html
File admin_index.php, line 50: do you see commas? They're periods...
(or I need glasses..)
EDIT: IT'S COMMAS... SORRY!!!
(I really need glasses)
OK, I will have a better look at the error (which is still there)..
Last edited by Mpok (2009-09-01 03:32:50)
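Added example, not FluxBB code: it illustrates the version_compare change listed in the 1.2.22 release notes above and the three-argument call Mpok was looking at in admin_index.php. The function names and the sample version strings are this example's own; it does not reproduce the board's actual update check, only the comparison behaviour that check relies on.

```php
<?php
// Added example (not FluxBB code): comparing board version strings.
// Assumed inputs: $current is the string stored in o_cur_version,
// $latest is the string fetched from the published "latest version" file.

// Plain string comparison sorts "1.2.22" before "1.2.9" because '2' < '9'
// in the third component, so a fully patched board would be told that an
// older release is newer.
function update_available_naive(string $current, string $latest): bool
{
    return strcmp($current, $latest) < 0;
}

// version_compare() splits on '.', compares the components numerically and
// ranks pre-release tags ("dev", "alpha", "beta", "RC") below the bare
// release, so "1.4-beta2" < "1.4". With an operator as third argument it
// returns a boolean.
function update_available(string $current, string $latest): bool
{
    return version_compare($current, $latest, '<');
}

// Pitfall: without the third argument version_compare() returns -1, 0 or 1.
// Used directly as a condition that is "true" whenever the two strings differ,
// so a board that is *ahead* of the published version is also told that a new
// version is available.
function update_available_two_arg_pitfall(string $current, string $latest): bool
{
    return (bool) version_compare($current, $latest);
}

// Constructed cases; the third and fourth are the ones where the methods disagree.
$cases = array(
    array('1.2.21', '1.2.22'),   // genuinely behind
    array('1.2.22', '1.2.22'),   // up to date
    array('1.2.22', '1.2.9'),    // ahead of a stale "latest" file
    array('1.4-beta2', '1.4'),   // pre-release is older than the release
);
foreach ($cases as list($cur, $lat)) {
    printf("%-10s vs %-7s naive=%d correct=%d two_arg=%d\n",
        $cur, $lat,
        update_available_naive($cur, $lat),
        update_available($cur, $lat),
        update_available_two_arg_pitfall($cur, $lat));
}
```

Run it with the PHP CLI; the two cases that matter are the last ones, where the naive comparison reports an update for a board on 1.2.22 checking against 1.2.9 and reports none for 1.4-beta2 against 1.4, while the two-argument form reports an update in every row whose versions differ.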
#9 2009-09-01 03:44:49
- Spiky
- Member
- From: France
- Registered: 2009-08-31
- Posts: 55
Re: FluxBB-1.2.22 released
Smartys wrote: It looks like you're using a modified version (o_cur_version_fr is not standard). I would ask at the place you got your version (punbb.fr?).
Yes, thank you.
The French team is going to look into the problem.
#10 2009-09-01 03:50:23
- Mpok
- Member
- From: France
- Registered: 2008-05-12
- Posts: 389
Re: FluxBB-1.2.22 released
OK Smartys, I'm not able to reproduce the problem, sorry for the last messages...
@Spiky: let's continue on .fr
#11 2009-09-01 04:16:11
- Spiky
- Member
- From: France
- Registered: 2009-08-31
- Posts: 55
Re: FluxBB-1.2.22 released
It is fixed for me.
See on the .fr
thanks
#12 2009-09-01 10:37:03
- StevenBullen
- Member
- Registered: 2008-05-03
- Posts: 256
Re: FluxBB-1.2.22 released
Thanks endeavormac for the XSS find.
Tweeted :: http://twitter.com/FluxBB/status/3685713792
#13 2009-09-01 12:02:03
- endeavormac
- Member
- Registered: 2008-05-09
- Posts: 5
Re: FluxBB-1.2.22 released
StevenBullen wrote: Thanks endeavormac for the XSS find.
Tweeted :: http://twitter.com/FluxBB/status/3685713792
Thanks. I've been following this project since the fork. Glad I could contribute.
#14 2009-09-05 05:10:18
- torg
- Member
- From: Russia
- Registered: 2008-05-12
- Posts: 9
Re: FluxBB-1.2.22 released
http://fluxbb.org/downloads/updates.php
None of these files work:
FluxBB v1.2.22 changed files (zip)
FluxBB v1.2.22 changed files (tar/gzip)
FluxBB v1.2.22 changed files (tar/bz2)
Not Found
The requested URL /download/releases/1.2.22/fluxbb-1.2.22-changed_files.zip was not found on this server.
#15 2009-09-05 05:38:48
- qie
- Member
- Registered: 2008-06-02
- Posts: 379
Re: FluxBB-1.2.22 released
lol.. there really is an XSS vulnerability in 1.2.21.. it's unbelievable.. but I do thank you for reporting it, and I'm updating now. As I'm using a modded version, I just checked out the hdiff.
By the way: can I know which files caused this XSS?
Last edited by qie (2009-09-05 05:49:32)
Signature: 石家庄电脑维修网 (Shijiazhuang Computer Repair Network)
#16 2009-09-05 10:45:59
- StevenBullen
- Member
- Registered: 2008-05-03
- Posts: 256
Re: FluxBB-1.2.22 released
qie wrote: By the way: can I know which files caused this XSS?
#18 2009-09-18 08:13:07
- xSDMx
- Member
- Registered: 2008-06-24
- Posts: 129
Re: FluxBB-1.2.22 released
Hey all,
I have a resize mod for the image upload, and I updated to 1.2.22 - does this code look fine:
else if ($action == 'upload_avatar' || $action == 'upload_avatar2')
{
    if ($pun_config['o_avatars'] == '0')
        message($lang_profile['Avatars disabled']);

    if ($pun_user['id'] != $id && $pun_user['g_id'] > PUN_MOD)
        message($lang_common['No permission']);

    if (isset($_POST['form_sent']))
    {
        if (!isset($_FILES['req_file']))
            message($lang_profile['No file']);

        $uploaded_file = $_FILES['req_file'];

        // Make sure the upload went smooth
        if (isset($uploaded_file['error']))
        {
            switch ($uploaded_file['error'])
            {
                case 1: // UPLOAD_ERR_INI_SIZE
                case 2: // UPLOAD_ERR_FORM_SIZE
                    message($lang_profile['Too large ini']);
                    break;

                case 3: // UPLOAD_ERR_PARTIAL
                    message($lang_profile['Partial upload']);
                    break;

                case 4: // UPLOAD_ERR_NO_FILE
                    message($lang_profile['No file']);
                    break;

                case 6: // UPLOAD_ERR_NO_TMP_DIR
                    message($lang_profile['No tmp directory']);
                    break;

                default:
                    // No error occurred, but was something actually uploaded?
                    if ($uploaded_file['size'] == 0)
                        message($lang_profile['No file']);
                    break;
            }
        }

        if (is_uploaded_file($uploaded_file['tmp_name']))
        {
            // Preliminary file check, adequate in most cases (the MIME type is supplied by the client)
            $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
            if (!in_array($uploaded_file['type'], $allowed_types))
                message($lang_profile['Bad type']);

            if ($uploaded_file['size'] > $pun_config['o_avatars_size'])
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');

            // Move the file to the avatar directory. We do this before checking the width/height to circumvent open_basedir restrictions.
            if (!@move_uploaded_file($uploaded_file['tmp_name'], $pun_config['o_avatars_dir'].'/'.$id.'.tmp'))
                message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

            // From here on the type comes from the image header, not from the client-supplied MIME type
            list($width, $height, $type,) = @getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

            // Determine type
            $extensions = null;
            if ($type == IMAGETYPE_GIF)
                $extensions = array('.gif', '.jpg', '.png');
            else if ($type == IMAGETYPE_JPEG)
                $extensions = array('.jpg', '.gif', '.png');
            else if ($type == IMAGETYPE_PNG)
                $extensions = array('.png', '.gif', '.jpg');
            else
            {
                // Invalid type
                @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                message($lang_profile['Bad type']);
            }

            // Now check the width/height
            if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
            {
                // Attempt to resize if GD is installed with support for the uploaded image type, as well as JPG for the output
                $check_type = str_replace(array(1, 2, 3), array('IMG_GIF', 'IMG_JPG', 'IMG_PNG'), $type);
                if (extension_loaded('gd') && imagetypes() & constant($check_type) && imagetypes() & IMG_JPG)
                {
                    // Load the image for processing
                    if ($type == 1) $src_img = @imagecreatefromgif($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 2) $src_img = @imagecreatefromjpeg($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 3) $src_img = @imagecreatefrompng($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

                    if ($src_img)
                    {
                        // Figure out new image dimensions based on the maximum width
                        $new_w = $pun_config['o_avatars_width'];
                        $ratio = $height * $new_w;
                        $new_h = $ratio / $width;

                        // Do the new dimensions, based on the maximum width, fit the maximum height? If not, recalculate
                        if ($new_h > $pun_config['o_avatars_height'])
                        {
                            $new_h = $pun_config['o_avatars_height'];
                            $ratio = $width * $new_h;
                            $new_w = $ratio / $height;
                        }

                        // Resize the image (the divisions above yield floats; GD expects integer dimensions)
                        $new_w = (int) $new_w;
                        $new_h = (int) $new_h;
                        $new_img = imagecreatetruecolor($new_w, $new_h);
                        imagecopyresampled($new_img, $src_img, 0, 0, 0, 0, $new_w, $new_h, $width, $height);

                        // Delete the old image and write the newly resized one
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        imagejpeg($new_img, $pun_config['o_avatars_dir'].'/'.$id.'.tmp', 85);

                        // Set the extension to JPG, since that's what the resized image is now
                        $extensions[0] = '.jpg';
                    }
                    // Something went wrong while attempting to load the image for processing
                    else
                    {
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        message('An unexpected error occurred while attempting to resize the image.');
                    }
                }
                // No GD installed or image type not supported; can't resize
                else
                {
                    @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
                }
            }

            // Make sure the file isn't too big
            if (filesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp') > $pun_config['o_avatars_size'])
            {
                // Remove the temporary file before bailing out so it does not linger in the avatar directory
                @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');
            }

            // Delete any old avatars and put the new one in place
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[1]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[2]);
            @rename($pun_config['o_avatars_dir'].'/'.$id.'.tmp', $pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @chmod($pun_config['o_avatars_dir'].'/'.$id.$extensions[0], 0644);
        }
        else
            message($lang_profile['Unknown failure']);

        // Enable use_avatar (seems sane since the user just uploaded an avatar)
        $db->query('UPDATE '.$db->prefix.'users SET use_avatar=1 WHERE id='.$id) or error('Unable to update avatar state', __FILE__, __LINE__, $db->error());

        redirect('profile.php?section=personality&id='.$id, $lang_profile['Avatar upload redirect']);
    }

    $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
    $required_fields = array('req_file' => $lang_profile['File']);
    $focus_element = array('upload_avatar', 'req_file');
    require PUN_ROOT.'header.php';
?>
Here is the code before updating:
else if ($action == 'upload_avatar' || $action == 'upload_avatar2')
{
    if ($pun_config['o_avatars'] == '0')
        message($lang_profile['Avatars disabled']);

    if ($pun_user['id'] != $id && $pun_user['g_id'] > PUN_MOD)
        message($lang_common['No permission']);

    if (isset($_POST['form_sent']))
    {
        if (!isset($_FILES['req_file']))
            message($lang_profile['No file']);

        $uploaded_file = $_FILES['req_file'];

        // Make sure the upload went smooth
        if (isset($uploaded_file['error']))
        {
            switch ($uploaded_file['error'])
            {
                case 1: // UPLOAD_ERR_INI_SIZE
                case 2: // UPLOAD_ERR_FORM_SIZE
                    message($lang_profile['Too large ini']);
                    break;

                case 3: // UPLOAD_ERR_PARTIAL
                    message($lang_profile['Partial upload']);
                    break;

                case 4: // UPLOAD_ERR_NO_FILE
                    message($lang_profile['No file']);
                    break;

                case 6: // UPLOAD_ERR_NO_TMP_DIR
                    message($lang_profile['No tmp directory']);
                    break;

                default:
                    // No error occurred, but was something actually uploaded?
                    if ($uploaded_file['size'] == 0)
                        message($lang_profile['No file']);
                    break;
            }
        }

        if (is_uploaded_file($uploaded_file['tmp_name']))
        {
            $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
            if (!in_array($uploaded_file['type'], $allowed_types))
                message($lang_profile['Bad type']);

            // Determine type (in this older version, from the client-supplied MIME type)
            $extensions = null;
            if ($uploaded_file['type'] == 'image/gif')
                $extensions = array('.gif', '.jpg', '.png');
            else if ($uploaded_file['type'] == 'image/jpeg' || $uploaded_file['type'] == 'image/pjpeg')
                $extensions = array('.jpg', '.gif', '.png');
            else
                $extensions = array('.png', '.gif', '.jpg');

            // Move the file to the avatar directory. We do this before checking the width/height to circumvent open_basedir restrictions.
            if (!@move_uploaded_file($uploaded_file['tmp_name'], $pun_config['o_avatars_dir'].'/'.$id.'.tmp'))
                message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

            // Now check the width/height
            list($width, $height, $type,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
            if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
            {
                // Attempt to resize if GD is installed with support for the uploaded image type, as well as JPG for the output
                $check_type = str_replace(array(1, 2, 3), array('IMG_GIF', 'IMG_JPG', 'IMG_PNG'), $type);
                if (extension_loaded('gd') && imagetypes() & constant($check_type) && imagetypes() & IMG_JPG)
                {
                    // Load the image for processing
                    if ($type == 1) $src_img = @imagecreatefromgif($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 2) $src_img = @imagecreatefromjpeg($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 3) $src_img = @imagecreatefrompng($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

                    if ($src_img)
                    {
                        // Figure out new image dimensions based on the maximum width
                        $new_w = $pun_config['o_avatars_width'];
                        $ratio = $height * $new_w;
                        $new_h = $ratio / $width;

                        // Do the new dimensions, based on the maximum width, fit the maximum height? If not, recalculate
                        if ($new_h > $pun_config['o_avatars_height'])
                        {
                            $new_h = $pun_config['o_avatars_height'];
                            $ratio = $width * $new_h;
                            $new_w = $ratio / $height;
                        }

                        // Resize the image
                        $new_img = imagecreatetruecolor($new_w, $new_h);
                        imagecopyresampled($new_img, $src_img, 0, 0, 0, 0, $new_w, $new_h, $width, $height);

                        // Delete the old image and write the newly resized one
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        imagejpeg($new_img, $pun_config['o_avatars_dir'].'/'.$id.'.tmp', 85);

                        // Set the extension to JPG, since that's what the resized image is now
                        $extensions[0] = '.jpg';
                    }
                    // Something went wrong while attempting to load the image for processing
                    else
                    {
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        message('An unexpected error occurred while attempting to resize the image.');
                    }
                }
                // No GD installed or image type not supported; can't resize
                else
                {
                    @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
                }
            }
            else if ($type == 1 && $uploaded_file['type'] != 'image/gif') // Prevent dodgy uploads
            {
                @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                message($lang_profile['Bad type']);
            }

            // Make sure the file isn't too big
            if (filesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp') > $pun_config['o_avatars_size'])
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');

            // Delete any old avatars and put the new one in place
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[1]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[2]);
            @rename($pun_config['o_avatars_dir'].'/'.$id.'.tmp', $pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @chmod($pun_config['o_avatars_dir'].'/'.$id.$extensions[0], 0644);
        }
        else
            message($lang_profile['Unknown failure']);

        // Enable use_avatar (seems sane since the user just uploaded an avatar)
        $db->query('UPDATE '.$db->prefix.'users SET use_avatar=1 WHERE id='.$id) or error('Unable to update avatar state', __FILE__, __LINE__, $db->error());

        redirect('profile.php?section=personality&id='.$id, $lang_profile['Avatar upload redirect']);
    }

    $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
    $required_fields = array('req_file' => $lang_profile['File']);
    $focus_element = array('upload_avatar', 'req_file');
    require PUN_ROOT.'header.php';
Last edited by xSDMx (2009-09-18 08:19:22)
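Added example, not FluxBB's profile.php and not the resize mod posted above. It isolates the checks that distinguish the 1.2.22 upload code from the older one (the image type taken from the file header with getimagesize() instead of the client-supplied $_FILES['type'], the stored extension chosen from that type, the temporary file removed on every failure path) and adds one step the page's code only performs for oversized images: re-encoding the picture through GD before it is stored. The function names, the $limits keys, the .tmp naming and the PNG-only output are this example's own conventions; the demo input at the bottom is constructed.

```php
<?php
// Added example (not FluxBB code): validating an avatar from its content.

/**
 * Validate an image already on local disk and store it as $dir/$id.png.
 * Returns the stored path, throws on any failure, and never leaves the
 * temporary file behind. The caller handles is_uploaded_file() and
 * move_uploaded_file(); see store_uploaded_avatar() below.
 */
function store_avatar_from_path(string $tmp, string $dir, int $id, array $limits): string
{
    $cleanup = function () use ($tmp) { @unlink($tmp); };

    // 1. Size check on the bytes actually on disk, not on $_FILES['size'].
    if (filesize($tmp) > $limits['bytes']) {
        $cleanup();
        throw new RuntimeException('Avatar exceeds '.$limits['bytes'].' bytes');
    }

    // 2. Type from content. $_FILES['type'] is whatever the client sent;
    //    getimagesize() parses the header and reports an IMAGETYPE_* constant.
    $info = @getimagesize($tmp);
    if ($info === false) {
        $cleanup();
        throw new RuntimeException('Not an image');
    }
    list($width, $height, $type) = $info;

    $ext_for = array(IMAGETYPE_GIF => '.gif', IMAGETYPE_JPEG => '.jpg', IMAGETYPE_PNG => '.png');
    if (!isset($ext_for[$type])) {
        $cleanup();
        throw new RuntimeException('Unsupported image type');
    }

    // 3. Dimension check; a resize mod would downscale here instead of rejecting.
    if ($width < 1 || $height < 1 || $width > $limits['width'] || $height > $limits['height']) {
        $cleanup();
        throw new RuntimeException('Avatar larger than '.$limits['width'].'x'.$limits['height']);
    }

    // 4. Re-encode through GD so that nothing beyond the pixel data (metadata,
    //    or bytes appended after a valid image) survives into the avatar directory.
    $src = @imagecreatefromstring(file_get_contents($tmp));
    if ($src === false) {
        $cleanup();
        throw new RuntimeException('Image could not be decoded');
    }
    $dst = imagecreatetruecolor($width, $height);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopy($dst, $src, 0, 0, 0, 0, $width, $height);

    // 5. Remove every extension an earlier avatar may have had, then write the new one.
    foreach ($ext_for as $ext) {
        @unlink($dir.'/'.$id.$ext);
    }
    $final = $dir.'/'.$id.'.png';
    if (!imagepng($dst, $final)) {
        $cleanup();
        throw new RuntimeException('Could not write avatar');
    }
    $cleanup();
    chmod($final, 0644);
    return $final;
}

/** Entry point for a real form post: only accepts a genuine PHP upload. */
function store_uploaded_avatar(array $file, string $dir, int $id, array $limits): string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $tmp = $dir.'/'.$id.'.tmp';
    if (!move_uploaded_file($file['tmp_name'], $tmp)) {
        throw new RuntimeException('Move failed');
    }
    return store_avatar_from_path($tmp, $dir, $id, $limits);
}

// Offline demo with a constructed input: a 16x16 GIF with a PHP tag appended
// after the GIF trailer. getimagesize() still reports it as a GIF, and a
// MIME check would pass it, but the stored file is whatever GD re-encoded.
$dir = sys_get_temp_dir().'/avatar_demo';
@mkdir($dir);
$tmp = $dir.'/42.tmp';
imagegif(imagecreatetruecolor(16, 16), $tmp);
file_put_contents($tmp, '<?php echo "payload"; ?>', FILE_APPEND);

$limits = array('bytes' => 10240, 'width' => 60, 'height' => 60);
$stored = store_avatar_from_path($tmp, $dir, 42, $limits);
$survived = strpos(file_get_contents($stored), '<?php') !== false;
printf("stored %s, temp file left: %s, payload survived: %s\n",
    basename($stored), file_exists($tmp) ? 'yes' : 'no', $survived ? 'yes' : 'no');
```

Keeping the cheap $_FILES['type'] whitelist as an early reject costs nothing, but nothing downstream should depend on it; the extension written to disk has to follow the detected type, as the 1.2.22 code does, or a file the server might treat as something other than an image ends up under a name the board chose from attacker input. The downscale path of the resize mod is the same sequence with imagecopyresampled() in place of imagecopy(), with the computed target dimensions cast to int before imagecreatetruecolor().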