#1 2009-08-31 11:39:46

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

FluxBB-1.2.22 released

Today we have released FluxBB-1.2.22. It includes fixes for a few minor bugs, and one XSS vulnerability.

Changes since 1.2.21 include:

  • Changing the version comparison method to use version_compare.

  • Fixed a critical XSS vulnerability, reported by endeavormac.

  • Fixed a deprecated warning on newer versions of PHP.

  • Fixed an issue with uploading avatars when open_basedir restrictions are in effect.

  • Made stickied topics show as such in search results.

Due to the XSS vulnerability discovered I would strongly urge everyone to update as soon as possible.

Downloads can be found on the current stable release download page. For anyone wanting to update manually, patch files and html diff files are available.

Don't forget to run the 12_to_1222_update.php file after updating to correct your board's version number.

Note: Most of these changes have also been applied to the 1.4 branch. The XSS vulnerability also affects anyone running 1.4-beta or 1.4-beta2. Although we haven't released an update for 1.4 (as it shouldn't be being used in production!), anyone who needs to can download the updated files from either SVN or Trac.

#2 2009-08-31 11:47:48

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: FluxBB-1.2.22 released

Just to note I haven't created the -changed_files.zip/tar's yet as the release script doesn't automatically handle that (and I'm at work!). I will try to get these done tonight.

#3 2009-08-31 14:45:45

hcgtv
Member
From: Charlotte, NC
Registered: 2008-05-07
Posts: 463
Website

Re: FluxBB-1.2.22 released

Thanks Reines for making us aware of the vulnerability.

I went ahead and made the changes to admin_prune.php on my PunBB 1.2.21 boards. I'm waiting on FluxBB 1.4 to make the switch over, since I have a number of mods applied.

#4 2009-08-31 23:43:25

Spiky
Member
From: France
Registered: 2009-08-31
Posts: 55

Re: FluxBB-1.2.22 released

Hi,
Once the update was made, in the administration panel, when I click to check the official version, it always tells me that there is a new version available!!!!

Nevertheless, all the modifications were made properly.
Files OK with update.php and OK in the database.
I don't understand.

I checked the cache_config.php file and it is fine.

<?php

define('PUN_CONFIG_LOADED', 1);

$pun_config = array (
  'o_cur_version' => '1.2.22',
  'o_cur_version_fr' => '1.2.22',
  // ... remaining settings omitted from the post
);

#5 2009-08-31 23:57:00

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB-1.2.22 released

It looks like you're using a modified version (o_cur_version_fr is not standard). I would ask at the place you got your version (punbb.fr?).

#6 2009-09-01 02:49:47

Mpok
Member
From: France
Registered: 2008-05-12
Posts: 389

Re: FluxBB-1.2.22 released

@Smartys : yep, 'o_cur_version_fr' is a custom one (and now somehow obsolete, we left it but it's not useful any longer..).

But, the pbm is not "custom", it's GENERAL.

THERE IS A BUG IN THE HDIFF !

File "admin_index.php", the line with "version_compare" : the '.' should be ',' (3 arguments).

#7 2009-09-01 03:11:50

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: FluxBB-1.2.22 released

Mpok: I'm not sure what you mean. I just checked all the hdiff files and none appear to have a period in place of a comma (and neither does the code itself).

#8 2009-09-01 03:24:40

Mpok
Member
From: France
Registered: 2008-05-12
Posts: 389

Re: FluxBB-1.2.22 released

???
See : http://fluxbb.org/download/releases/1.2 … .2.22.html

File admin-index.php, line 50 : u see commas ? it's periods...
(or i need glasses.. wink)

EDIT : IT'S COMMAS... SRY !!!

(really need glasses)
Ok, will have a better look at the error (which still remains)..

Last edited by Mpok (2009-09-01 03:32:50)

#9 2009-09-01 03:44:49

Spiky
Member
From: France
Registered: 2009-08-31
Posts: 55

Re: FluxBB-1.2.22 released

Smartys wrote:

It looks like you're using a modified version (o_cur_version_fr is not standard) I would ask at the place you got your version (punbb.fr?)

Yes, thank you.
The French team is going to look into the problem.

#10 2009-09-01 03:50:23

Mpok
Member
From: France
Registered: 2008-05-12
Posts: 389

Re: FluxBB-1.2.22 released

Ok Smartys, not able to reproduce the pbm, sry for last messages...
@Spiky : let's continue on .fr

#11 2009-09-01 04:16:11

Spiky
Member
From: France
Registered: 2009-08-31
Posts: 55

Re: FluxBB-1.2.22 released

It is repaired for me.
See on the .fr
thanks

#12 2009-09-01 10:37:03

StevenBullen
Member
Registered: 2008-05-03
Posts: 256
Website

Re: FluxBB-1.2.22 released

Thanks endeavormac for the XSS find.

Tweeted :: http://twitter.com/FluxBB/status/3685713792

#13 2009-09-01 12:02:03

endeavormac
Member
Registered: 2008-05-09
Posts: 5

Re: FluxBB-1.2.22 released

StevenBullen wrote:

Thanks endeavormac for the XSS find.

Tweeted :: http://twitter.com/FluxBB/status/3685713792

thanks. i've been following this project since the fork. glad i could contribute.

#14 2009-09-05 05:10:18

torg
Member
From: Russia
Registered: 2008-05-12
Posts: 9
Website

Re: FluxBB-1.2.22 released

http://fluxbb.org/downloads/updates.php

Every one of these files doesn't work:

FluxBB v1.2.22 changed files (zip)
FluxBB v1.2.22 changed files (tar/gzip)
FluxBB v1.2.22 changed files (tar/bz2)

Not Found
The requested URL /download/releases/1.2.22/fluxbb-1.2.22-changed_files.zip was not found on this server.

#15 2009-09-05 05:38:48

qie
Member
Registered: 2008-06-02
Posts: 379

Re: FluxBB-1.2.22 released

lol.. really, there is an XSS vulnerability in 1.2.21.. it's unbelievable.. but I do thank you for reporting it, and I'm updating now. As I'm using a modded version, I'll just check out the Hdiff.

By the way: can I know which files cause this XSS?

Last edited by qie (2009-09-05 05:49:32)

#16 2009-09-05 10:45:59

StevenBullen
Member
Registered: 2008-05-03
Posts: 256
Website

Re: FluxBB-1.2.22 released

qie wrote:

By the way: can I know which files cause this XSS?

http://fluxbb.org/trac/changeset/1125

#17 2009-09-10 17:03:45

cmscritic
Member
Registered: 2009-09-10
Posts: 1
Website

Re: FluxBB-1.2.22 released

Flux is a great system. I will likely be reviewing it soon for the site. Thanks for this release.


Mike Johnston
Senior Editor and Founder
CMS Critic

#18 2009-09-18 08:13:07

xSDMx
Member
Registered: 2008-06-24
Posts: 129

Re: FluxBB-1.2.22 released

Hey all,

I have a resize mod for the image upload, and I updated to 1.2.22 - does this code look fine:

else if ($action == 'upload_avatar' || $action == 'upload_avatar2')
{
    if ($pun_config['o_avatars'] == '0')
        message($lang_profile['Avatars disabled']);

    if ($pun_user['id'] != $id && $pun_user['g_id'] > PUN_MOD)
        message($lang_common['No permission']);

    if (isset($_POST['form_sent']))
    {
        if (!isset($_FILES['req_file']))
            message($lang_profile['No file']);
            
        $uploaded_file = $_FILES['req_file'];

        // Make sure the upload went smooth
        if (isset($uploaded_file['error']))
        {
            switch ($uploaded_file['error'])
            {
                case 1:    // UPLOAD_ERR_INI_SIZE
                case 2:    // UPLOAD_ERR_FORM_SIZE
                    message($lang_profile['Too large ini']);
                    break;

                case 3:    // UPLOAD_ERR_PARTIAL
                    message($lang_profile['Partial upload']);
                    break;

                case 4:    // UPLOAD_ERR_NO_FILE
                    message($lang_profile['No file']);
                    break;

                case 6:    // UPLOAD_ERR_NO_TMP_DIR
                    message($lang_profile['No tmp directory']);
                    break;

                default:
                    // No error occurred, but was something actually uploaded?
                    if ($uploaded_file['size'] == 0)
                        message($lang_profile['No file']);
                    break;
            }
        }

        if (is_uploaded_file($uploaded_file['tmp_name']))
        {
            // Preliminary file check, adequate in most cases
            $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
            if (!in_array($uploaded_file['type'], $allowed_types))
                message($lang_profile['Bad type']);
            if ($uploaded_file['size'] > $pun_config['o_avatars_size'])
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');

            // Move the file to the avatar directory. We do this before checking the width/height to circumvent open_basedir restrictions.
            if (!@move_uploaded_file($uploaded_file['tmp_name'], $pun_config['o_avatars_dir'].'/'.$id.'.tmp'))
                message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

            list($width, $height, $type,) = @getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

            // Determine type
            $extensions = null;
            if ($type == IMAGETYPE_GIF)
                $extensions = array('.gif', '.jpg', '.png');
            else if ($type == IMAGETYPE_JPEG)
                $extensions = array('.jpg', '.gif', '.png');
            else if ($type == IMAGETYPE_PNG)
                $extensions = array('.png', '.gif', '.jpg');
            else
            {
                // Invalid type
                @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                message($lang_profile['Bad type']);
            }

            // Now check the width/height
            if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
            {

                // Attempt to resize if GD is installed with support for the uploaded image type, as well as JPG for the output
                $check_type = str_replace(array(1, 2, 3), array('IMG_GIF', 'IMG_JPG', 'IMG_PNG'), $type);
                if (extension_loaded('gd') && imagetypes() & constant($check_type) && imagetypes() & IMG_JPG)
                {

                    // Load the image for processing
                    if ($type == 1) $src_img = @imagecreatefromgif($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 2) $src_img = @imagecreatefromjpeg($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 3) $src_img = @imagecreatefrompng($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

                    if ($src_img)
                    {

                        // Figure out new image dimensions based on the maximum width
                        $new_w = $pun_config['o_avatars_width'];
                        $ratio = $height * $new_w;
                        $new_h = $ratio / $width;

                        // Do the new dimensions, based on the maximum width, fit the maximum height? If not, recalculate
                        if ($new_h > $pun_config['o_avatars_height'])
                        {
                            $new_h = $pun_config['o_avatars_height'];
                            $ratio = $width * $new_h;
                            $new_w = $ratio / $height;
                        }

                        // Resize the image
                        $new_img = imagecreatetruecolor($new_w, $new_h);
                        imagecopyresampled($new_img, $src_img, 0, 0, 0, 0, $new_w, $new_h, $width, $height);

                        // Delete the old image and write the newly resized one
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        imagejpeg($new_img,$pun_config['o_avatars_dir'].'/'.$id.'.tmp',85);

                        // Set the extension to JPG, since that's what the resized image is now
                        $extensions[0] = '.jpg';
                    }

                    // Something went wrong while attempting to load the image for processing
                    else
                    {
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        message('An unexpected error occurred while attempting to resize the image.');
                    }
                }

                // No GD installed or image type not supported; can't resize
                else
                {
                    @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
                }
            }


            // Make sure the file isn't too big
            if (filesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp') > $pun_config['o_avatars_size'])
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');        

            // Delete any old avatars and put the new one in place
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[1]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[2]);
            @rename($pun_config['o_avatars_dir'].'/'.$id.'.tmp', $pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @chmod($pun_config['o_avatars_dir'].'/'.$id.$extensions[0], 0644);
        }
        else
            message($lang_profile['Unknown failure']);

        // Enable use_avatar (seems sane since the user just uploaded an avatar)
        $db->query('UPDATE '.$db->prefix.'users SET use_avatar=1 WHERE id='.$id) or error('Unable to update avatar state', __FILE__, __LINE__, $db->error());

        redirect('profile.php?section=personality&amp;id='.$id, $lang_profile['Avatar upload redirect']);
    }

    $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
    $required_fields = array('req_file' => $lang_profile['File']);
    $focus_element = array('upload_avatar', 'req_file');
    require PUN_ROOT.'header.php';

?>

Here is the code before updating:

else if ($action == 'upload_avatar' || $action == 'upload_avatar2')
{
    if ($pun_config['o_avatars'] == '0')
        message($lang_profile['Avatars disabled']);

    if ($pun_user['id'] != $id && $pun_user['g_id'] > PUN_MOD)
        message($lang_common['No permission']);

    if (isset($_POST['form_sent']))
    {
        if (!isset($_FILES['req_file']))
            message($lang_profile['No file']);
            
        $uploaded_file = $_FILES['req_file'];

        // Make sure the upload went smooth
        if (isset($uploaded_file['error']))
        {
            switch ($uploaded_file['error'])
            {
                case 1:    // UPLOAD_ERR_INI_SIZE
                case 2:    // UPLOAD_ERR_FORM_SIZE
                    message($lang_profile['Too large ini']);
                    break;

                case 3:    // UPLOAD_ERR_PARTIAL
                    message($lang_profile['Partial upload']);
                    break;

                case 4:    // UPLOAD_ERR_NO_FILE
                    message($lang_profile['No file']);
                    break;

                case 6:    // UPLOAD_ERR_NO_TMP_DIR
                    message($lang_profile['No tmp directory']);
                    break;

                default:
                    // No error occurred, but was something actually uploaded?
                    if ($uploaded_file['size'] == 0)
                        message($lang_profile['No file']);
                    break;
            }
        }

        if (is_uploaded_file($uploaded_file['tmp_name']))
        {
            $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
            if (!in_array($uploaded_file['type'], $allowed_types))
                message($lang_profile['Bad type']);

            // Determine type
            $extensions = null;
            if ($uploaded_file['type'] == 'image/gif')
                $extensions = array('.gif', '.jpg', '.png');
            else if ($uploaded_file['type'] == 'image/jpeg' || $uploaded_file['type'] == 'image/pjpeg')
                $extensions = array('.jpg', '.gif', '.png');
            else
                $extensions = array('.png', '.gif', '.jpg');

            // Move the file to the avatar directory. We do this before checking the width/height to circumvent open_basedir restrictions.
            if (!@move_uploaded_file($uploaded_file['tmp_name'], $pun_config['o_avatars_dir'].'/'.$id.'.tmp'))
                message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');

            // Now check the width/height
            list($width, $height, $type,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
            if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
            {

                // Attempt to resize if GD is installed with support for the uploaded image type, as well as JPG for the output
                $check_type = str_replace(array(1, 2, 3), array('IMG_GIF', 'IMG_JPG', 'IMG_PNG'), $type);
                if (extension_loaded('gd') && imagetypes() & constant($check_type) && imagetypes() & IMG_JPG)
                {

                    // Load the image for processing
                    if ($type == 1) $src_img = @imagecreatefromgif($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 2) $src_img = @imagecreatefromjpeg($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    elseif ($type == 3) $src_img = @imagecreatefrompng($pun_config['o_avatars_dir'].'/'.$id.'.tmp');

                    if ($src_img)
                    {

                        // Figure out new image dimensions based on the maximum width
                        $new_w = $pun_config['o_avatars_width'];
                        $ratio = $height * $new_w;
                        $new_h = $ratio / $width;

                        // Do the new dimensions, based on the maximum width, fit the maximum height? If not, recalculate
                        if ($new_h > $pun_config['o_avatars_height'])
                        {
                            $new_h = $pun_config['o_avatars_height'];
                            $ratio = $width * $new_h;
                            $new_w = $ratio / $height;
                        }

                        // Resize the image
                        $new_img = imagecreatetruecolor($new_w, $new_h);
                        imagecopyresampled($new_img, $src_img, 0, 0, 0, 0, $new_w, $new_h, $width, $height);

                        // Delete the old image and write the newly resized one
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        imagejpeg($new_img,$pun_config['o_avatars_dir'].'/'.$id.'.tmp',85);

                        // Set the extension to JPG, since that's what the resized image is now
                        $extensions[0] = '.jpg';
                    }

                    // Something went wrong while attempting to load the image for processing
                    else
                    {
                        @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                        message('An unexpected error occurred while attempting to resize the image.');
                    }
                }

                // No GD installed or image type not supported; can't resize
                else
                {
                    @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                    message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
                }
            }
            else if ($type == 1 && $uploaded_file['type'] != 'image/gif')    // Prevent dodgy uploads
            {
                @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
                message($lang_profile['Bad type']);
            }

            // Make sure the file isn't too big
            if (filesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp') > $pun_config['o_avatars_size'])
                message($lang_profile['Too large'].' '.$pun_config['o_avatars_size'].' '.$lang_profile['bytes'].'.');        

            // Delete any old avatars and put the new one in place
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[1]);
            @unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[2]);
            @rename($pun_config['o_avatars_dir'].'/'.$id.'.tmp', $pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
            @chmod($pun_config['o_avatars_dir'].'/'.$id.$extensions[0], 0644);
        }
        else
            message($lang_profile['Unknown failure']);

        // Enable use_avatar (seems sane since the user just uploaded an avatar)
        $db->query('UPDATE '.$db->prefix.'users SET use_avatar=1 WHERE id='.$id) or error('Unable to update avatar state', __FILE__, __LINE__, $db->error());

        redirect('profile.php?section=personality&amp;id='.$id, $lang_profile['Avatar upload redirect']);
    }

    $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
    $required_fields = array('req_file' => $lang_profile['File']);
    $focus_element = array('upload_avatar', 'req_file');
    require PUN_ROOT.'header.php';

Last edited by xSDMx (2009-09-18 08:19:22)
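
As an added example (not code from the post above or from FluxBB), here is a model of the one decision that differs between the two versions of the avatar handler: which extension the uploaded file is stored under. The 1.2.21 path derives it from the client-declared MIME header, which the uploader controls, while the 1.2.22 path derives it from the type detected in the file itself; the function names, the GIF/JPEG/PNG constants and the sample byte strings are this example's own assumptions, and detect_type() is a magic-byte stand-in for PHP's getimagesize().

```python
# Added example, not FluxBB's code. Compares how the 1.2.21 and 1.2.22 avatar
# upload paths choose the stored file extension: 1.2.21 trusts $_FILES['type'],
# 1.2.22 follows the type getimagesize() detects. detect_type() stands in for
# getimagesize()[2] and only inspects the leading magic bytes.

GIF, JPEG, PNG = 1, 2, 3  # same values as PHP's IMAGETYPE_GIF/JPEG/PNG

# MIME values the handler's $allowed_types list accepts as a preliminary filter
ALLOWED_MIME = {"image/gif", "image/jpeg", "image/pjpeg", "image/png", "image/x-png"}


def detect_type(data: bytes):
    """Classify image bytes by magic number; None if not GIF/JPEG/PNG."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return GIF
    if data[:3] == b"\xff\xd8\xff":
        return JPEG
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return PNG
    return None


def extension_1_2_21(declared_mime: str, data: bytes):
    """1.2.21 path: the extension follows the client's MIME header. The only
    content-based check is the 'Prevent dodgy uploads' test for GIF data behind
    a non-GIF header (in the original it runs only when no resize is needed;
    data getimagesize() cannot parse is rejected only indirectly, via the
    dimension check). Returns the extension to store under, or None if rejected."""
    if declared_mime not in ALLOWED_MIME:
        return None
    if declared_mime == "image/gif":
        ext = ".gif"
    elif declared_mime in ("image/jpeg", "image/pjpeg"):
        ext = ".jpg"
    else:
        ext = ".png"
    if detect_type(data) == GIF and declared_mime != "image/gif":
        return None
    return ext


def extension_1_2_22(declared_mime: str, data: bytes):
    """1.2.22 path: the MIME header is only a preliminary filter; the stored
    extension follows the detected type and undetectable data is rejected."""
    if declared_mime not in ALLOWED_MIME:
        return None
    return {GIF: ".gif", JPEG: ".jpg", PNG: ".png"}.get(detect_type(data))


# Constructed inputs: correct magic numbers followed by filler, enough for the
# sniffer above (a real decoder would need complete images).
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def compare(declared_mime: str, data: bytes):
    """Return (1.2.21 result, 1.2.22 result) for one upload."""
    return extension_1_2_21(declared_mime, data), extension_1_2_22(declared_mime, data)


if __name__ == "__main__":
    for mime, data in [("image/gif", SAMPLE_PNG), ("image/png", SAMPLE_GIF),
                       ("image/png", SAMPLE_JPEG), ("image/png", b"<html>")]:
        print(mime, data[:4], compare(mime, data))
```

The PNG-declared-as-GIF case is the instructive one: 1.2.21 stores PNG data under a .gif name with no complaint, whereas 1.2.22 names the file by what it actually contains.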