#1 2014-10-20 11:56:46
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
FluxBB 1.5.7 and 1.4.13 released
Security fixes!
Today we inform you about the release of two new FluxBB versions - v1.5.7 and v1.4.13.
These releases fix a critical security vulnerability that could potentially allow clever attackers to take over other user accounts on a FluxBB forum.
We also fixed another less severe issue related to redirects in login.php.
To keep the release (and accompanying patches) small, we pushed back the planned and already implemented improvements to a v1.5.8 release due in November.
We want to thank everyone at ramhost.us for the very responsible disclosure of the vulnerability as well as their friendly communication. Patches were contributed by adaur and quy. Thanks, guys!
Please update your forums as soon as possible! As always, you can find complete download packages on the downloads page. Patches and changed files can be obtained on the upgrade page.
We apologize for the inconvenience and assure you that we are trying our best to avoid problems like these, now and in the future.
Security mailing list
In the days prior to this release, we have contacted several prominent community members and large FluxBB forums to give them time to patch their installs. To keep you all in the loop, we have created a new security mailing list. We will use that exclusively to contact you in case of security-relevant releases. You can sign up through a single click of a button in your site profile. Please consider doing so to stay informed and keep your forums up-to-date.
#2 2014-10-20 13:13:20
- Visman
- Member
- From: Siberia
- Registered: 2010-07-10
- Posts: 1,465
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Error in https://fluxbb.org/download/releases/1. … 1.5.6.html
Changes in admin_bans.php, login.php and misc.php aren't visible.
My modification of FluxBB 1.5.11 - rev.82, Parserus, UserAgentAnalyzer
I speak only Russian
#3 2014-10-20 14:37:02
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
#4 2014-10-20 19:25:24
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
I don't mean to sound obnoxious, but that's exactly why I'm so wary of placing the data directly into the SQL query. Any chance of moving to prepared statements at some point, Franz?
Anyhow, in the process of updating now - thanks.
Download Aura - Illuminate Your Community.
Why should I use Aura? | Aura demo | Convert to Aura
#6 2014-10-21 07:04:58
- joel
- Member
- Registered: 2014-07-04
- Posts: 440
Re: FluxBB 1.5.7 and 1.4.13 released
When will 2.0 be out? I don't need to upgrade this.
Warning! be informed and be forewarned. <p>
<?php
I'm not a native English Man. So my comments might contain some grammatical explosive (ELD), missapropreation of words (dinamyt), The use of wrong words (missiles), & mis spelling of words (war drones). Any of the occurrence can cause havoc. So be warned
?>
#7 2014-10-21 07:33:23
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
When will 2.0 be out? I don't need to upgrade this.
Well if you don't upgrade, your site will likely get hacked. I think it was mentioned in another thread that FluxBB 2.0 will not be out this year.
#8 2014-10-21 12:28:54
- GWR
- Member
- From: Germany
- Registered: 2010-08-06
- Posts: 214
Re: FluxBB 1.5.7 and 1.4.13 released
Thanks.
Just a suggestion: I don't know why, but I get announcements for MODs I downloaded (never installed, so not of importance for me) - I think I did not ask for that feature but got it. So I now ask if you could add the feature of an "upgrade available" notification. Especially for security fixes this could be nice to have.
Serious and short: add "new version" notification (or tell me, where to activate it).
bye
Ron
#9 2014-10-21 13:02:00
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Hey Ron, you have two options:
- either subscribe to this forum, or
- sign up for the security mailing list in your site profile.
P.S.: You can disable the "Auto-use modifications" feature in your site profile to disable the automatic signup for the modification release emails. You'll have to explicitly opt out of the ones you already receive on their respective mod pages, though.
#10 2014-10-21 13:06:25
- joel
- Member
- Registered: 2014-07-04
- Posts: 440
Re: FluxBB 1.5.7 and 1.4.13 released
Hope this is not made to cause panic, because I might end up putting my Flux forum down for now. Removing it from my server will be safer.
What I have is a heavily modified Flux in there. And there will be problems upgrading it just like that. I really don't have that time now.
Maybe the patches will help.
By the way, I think I heard before that Flux is highly secure and safe. Haha, maybe the word security means insecurity and is just to cover up. Haha
Last edited by joel (2014-10-21 13:09:49)
#11 2014-10-21 13:36:11
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Yes, you should definitely upgrade.
If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.
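The one-line patch Franz points to, and chris98's earlier question about prepared statements, side by side. This is an added example written for this thread, not FluxBB's own code: it uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) instead of FluxBB's $db layer, so PDO::quote() stands in for $db->escape(), and the table, row and test value are constructed for the demo.

```php
<?php
// Added example (not FluxBB code): contrasts the pattern fixed by the
// 1.5.7 patch with an escaped splice and with a prepared statement.
// In-memory SQLite via PDO so it runs offline; schema and values are constructed.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, activate_string TEXT)');
    $db->exec("INSERT INTO users (id, password, activate_string) VALUES (2, 'old', 'pending')");
    return $db;
}

// Pattern of the pre-patch line: the value is spliced straight into the SQL
// text. Any value containing a quote changes the statement the author wrote;
// with ERRMODE_EXCEPTION that surfaces here as a PDOException.
function updateUnescaped(PDO $db, int $id, string $activate): bool
{
    try {
        $db->exec("UPDATE users SET password='" . $activate . "', activate_string=NULL WHERE id=" . $id);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Pattern of the patched line: escape before splicing. PDO::quote() plays the
// role of $db->escape() and adds the surrounding quotes itself.
function updateEscaped(PDO $db, int $id, string $activate): bool
{
    $db->exec('UPDATE users SET password=' . $db->quote($activate) . ', activate_string=NULL WHERE id=' . $id);
    return true;
}

// Prepared statement: the data never becomes part of the SQL text at all,
// so there is nothing to forget to escape.
function updatePrepared(PDO $db, int $id, string $activate): bool
{
    $stmt = $db->prepare('UPDATE users SET password=:pw, activate_string=NULL WHERE id=:id');
    return $stmt->execute([':pw' => $activate, ':id' => $id]);
}

function storedPassword(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE id=:id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['password'] : null;
}

// Constructed test value: an ordinary string with a single quote in it is all
// it takes to show the difference between the three forms.
$value = "O'Brien";

$db = makeDb();
var_dump(updateUnescaped($db, 2, $value));
var_dump(storedPassword($db, 2) === 'old');

$db = makeDb();
updateEscaped($db, 2, $value);
var_dump(storedPassword($db, 2) === $value);

$db = makeDb();
updatePrepared($db, 2, $value);
var_dump(storedPassword($db, 2) === $value);
```

Run it with php on the command line. The unescaped form fails outright on a value that merely contains a quote, because the quote ends the SQL string literal early, while the escaped and prepared forms both store the value verbatim. Note that the id is cast to an integer before it is concatenated (the int type hint does that here); that is the other half of keeping the WHERE clause on the patched line safe.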
#12 2014-10-21 17:22:44
- grognard
- Member
- From: UK
- Registered: 2014-09-18
- Posts: 66
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Upgrade relatively smooth and painless. Thanks a ton Franz!
#13 2014-10-21 18:48:29
- GWR
- Member
- From: Germany
- Registered: 2010-08-06
- Posts: 214
Re: FluxBB 1.5.7 and 1.4.13 released
Thanks for the hint with the site profile...never looked at it (I am in a forum, so I just use name+email, maybe "forgot password").
@string escaping
Maybe one should run some command line tools to check for unsanitized strings in queries (string variables used without an "escape" command wrapping them).
@Joel
A tool is safe as long as nobody finds the hole to crawl through. Even if you make your tool safe, you might have trouble with the environment (see the various PHP security fixes in the last weeks).
EDIT: spelling bee was there to help.
bye
Ron
Last edited by GWR (2014-10-21 18:48:54)
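A rough version of the command-line check GWR suggests, added here as an example and not part of FluxBB or its tooling: a PHP script that scans source lines containing ->query( and reports variables spliced into the SQL text without $db->escape(), intval(), an (int) cast, or an empty()/isset() test directly in front of them. The built-in sample is constructed from the two profile.php lines quoted later in this thread plus one intval() line; the wrapper list and the regexes are my assumptions about FluxBB's coding style, so the output is a list of places to review, not a verdict.

```php
<?php
// Added example (not FluxBB code): a heuristic scanner for ->query() calls
// that splice a PHP variable into the SQL text without an escape or cast.
// Regex-based, so every hit is a review candidate, not proof of a defect.

// Wrappers that make a spliced variable acceptable for this check
// (assumed list, matching FluxBB's style of $db->escape() and intval()).
const SAFE_WRAPPERS = '/(?:escape|intval|empty|isset)\($|\(int\)$/';

function findUnescapedQueryVars(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        if (strpos($line, '->query(') === false) {
            continue;                               // only lines that build SQL
        }
        // Every $var, $var['key'] or $var[0] on the line, with its byte offset.
        preg_match_all('/\$[A-Za-z_]\w*(?:\[[^\]]*\])*/', $line, $m, PREG_OFFSET_CAPTURE);
        foreach ($m[0] as [$var, $offset]) {
            $after = substr($line, $offset + strlen($var), 2);
            if ($after === '->') {
                continue;                           // object handle ($db->prefix, $db->escape ...), not data
            }
            $before = rtrim(substr($line, 0, $offset));
            if (preg_match(SAFE_WRAPPERS, $before)) {
                continue;                           // escaped, cast, or only used inside a condition
            }
            $findings[] = ['line' => $index + 1, 'var' => $var];
        }
    }
    return $findings;
}

// Constructed sample: the pre-patch and patched profile.php lines from this
// thread plus an intval() line, in a nowdoc so nothing is interpolated.
$sample = <<<'SRC'
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
$db->query('SELECT id FROM '.$db->prefix.'users WHERE id='.intval($id)) or error('Unable to fetch user', __FILE__, __LINE__, $db->error());
SRC;

// Scan the files named on the command line, or the built-in sample if none.
$paths   = array_slice($argv, 1);
$sources = $paths ? array_combine($paths, array_map('file_get_contents', $paths))
                  : ['<sample>' => $sample];
foreach ($sources as $name => $code) {
    foreach (findUnescapedQueryVars($code) as $hit) {
        printf("%s:%d: %s spliced into SQL without escape/cast\n", $name, $hit['line'], $hit['var']);
    }
}
```

Run as php scan.php profile.php login.php ... to scan real files, or with no arguments for the sample. On the sample it reports the activate_string splice on the first line and the bare $id on both UPDATE lines, while the escaped activate_string on the second line and the intval()'d id on the third pass; a bare $id that is already cast to int earlier in the file is a false positive, which is why the hits need a human look.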
#14 2014-10-22 11:54:39
- benjawi
- Member
- From: Plymouth, England
- Registered: 2013-03-30
- Posts: 81
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Just to confirm... there's no database update is there? I really should update mine and will do. Currently using v 1.5.5.
#15 2014-10-22 12:00:53
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Nope. My database is from 1.5.3, and I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php
#16 2014-10-22 12:02:15
- benjawi
- Member
- From: Plymouth, England
- Registered: 2013-03-30
- Posts: 81
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Ideal, will crack on with the upgrade then. Cheers for confirming.
#17 2014-10-22 12:41:44
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php
Make sure FORUM_DB_REVISION is set to 20 in include/common.php; that makes sure your database is up-to-date.
#18 2014-10-22 13:03:38
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
I changed it from 18 to 20 & I also changed the
define('FORUM_VERSION', '1.5.3');
to
define('FORUM_VERSION', '1.5.7');
but I get redirected to db_update still & I get the error:
[22-Oct-2014 13:00:08 UTC] Error: Your forum is already as up-to-date as this script can make it
in my error log.
If I remember correctly, this is exactly why I never changed it before - should I also update the data in the config table or should db_update do that?
#19 2014-10-22 13:12:44
- Franz
- Lead developer
- From: Germany
- Registered: 2008-05-13
- Posts: 6,724
- Website
#20 2014-10-22 13:46:56
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
That's why it hasn't been working then - I was just somehow assuming the one from 1.5.3 would do it using some kind of fopen() function like checking for the version does in the admin panel.
I've run the script and the actual upgrade itself was fairly smooth. However, it did cause a few hiccups with requiring custom caches and dropped my ranks table - but I think I've got all that sorted again now.
#21 2014-10-23 22:14:57
- Studio384
- Former Developer
- From: Belgium
- Registered: 2012-04-11
- Posts: 681
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
Dropped the rank table? What version of FluxBB have you been using prior to this, because by the sounds of it, you should have updated to 1.4.13 instead of 1.5.7 (unless, of course, you are using a Rank mod, in that case, indeed, the db_update will remove that table).
Get Luna - With built-in upgrade from FluxBB
Profile Plus: A new FluxBB profile interface
#22 2014-10-24 06:53:28
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
You got it in one - I was using 1.5.3, but I was also using the ranks mod.
#23 2014-10-24 08:36:45
- Visman
- Member
- From: Siberia
- Registered: 2010-07-10
- Posts: 1,465
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
I was using 1.5.3
This version is obsolete
#24 2014-10-24 08:42:48
- chris98
- Member
- From: England, United Kingdom
- Registered: 2013-05-31
- Posts: 1,292
- Website
Re: FluxBB 1.5.7 and 1.4.13 released
chris98 wrote: I was using 1.5.3
This version is obsolete
Well... 1.5.3 with all the security updates.
#25 2014-10-24 08:49:10
- joel
- Member
- Registered: 2014-07-04
- Posts: 440
Re: FluxBB 1.5.7 and 1.4.13 released
Yes, you should definitely upgrade.
If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.
@franz, I saw this code on the link. Where will I put this code? I mean, what will I find and replace in profile.php?
@@ -55,7 +55,7 @@
message($lang_profile['Pass key bad'].' <a href="mailto:'.pun_htmlspecialchars($pun_config['o_admin_email']).'">'.pun_htmlspecialchars($pun_config['o_admin_email']).'</a>.');
else
{
- $db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}
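Review bot: the + line escapes $cur_user['activate_string'] before it is spliced into the UPDATE, but $id on the same line is still concatenated bare (' WHERE id='.$id); confirm that profile.php casts it to an integer before this point, or wrap it with intval() in the same hunk so the line is safe on its own. Escaping the value closes the immediate issue on this line; the change chris98 asks about earlier in the thread, a prepared statement with bound parameters, would remove the need to remember $db->escape() on every splice. The hunk header also says 7 lines but only 6 are shown here, so anyone applying it by hand should check the surrounding if/else against the release file rather than trusting the quoted context.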