FluxBB 1.5.7 and 1.4.13 released

Franz · 2014-10-20 11:56:46

Security fixes!

Today we inform you about the release of two new FluxBB versions - v1.5.7 and v1.4.13.

These releases fix a critical security vulnerability that could potentially allow clever attackers to take over other user accounts on a FluxBB forum.
We also fixed another less severe issue related to redirects in login.php.

To keep the release (and accompanying patches small), we pushed back the planned and already implemented improvements to a v1.5.8 release due in November.

We want to thank everyone at ramhost.us for the very responsible disclosure of the vulnerability as well as their friendly communication. Patches were contributed by adaur and quy. Thanks, guys!

Please update your forums as soon as possible! As always, you can find complete download packages on the downloads page. Patches and changed files can be obtained on the upgrade page.

We apologize for the inconvenience and assure you that we are trying our best to avoid problems like these, now and in the future.

Security mailing list

In the days prior to this release, we have contacted several prominent community members and large FluxBB forums to give them time to patch their installs. To keep you all in the loop, we have created a new security mailing list. We will use that exclusively to contact you in case of security-relevant releases. You can sign up through a single click of a button in your site profile. Please consider doing so to stay informed and keep your forums up-to-date.

Visman · 2014-10-20 13:13:20

Error in https://fluxbb.org/download/releases/1. … 1.5.6.html
It isn't visible changes in admin_bans.php, login.php and misc.php.

Franz · 2014-10-20 14:37:02

I fixed all patch files. That was not easy, as I accidentally changed the line endings on one commit.

I hate release days...

chris98 · 2014-10-20 19:25:24

I don't mean to sound obnoxious, but that's exactly why I'm so wary of placing the data directly into the SQL query. Any chance of moving to prepared statements at some point Franz?

Anyhow, in the process of updating now - thanks.

Franz · 2014-10-20 21:08:59

Yes, 2.0.

joel · 2014-10-21 07:04:58

when will 20 will be out. I dont need to upgrade this.

chris98 · 2014-10-21 07:33:23

joel wrote:

when will 20 will be out. I dont need to upgrade this.

Well if you don't upgrade, your site will likely get hacked. I think it was mentioned in another thread that FluxBB 2.0 will not be out this year.

GWR · 2014-10-21 12:28:54

Thanks.

Just a suggestion: I don't know why, but I get announcements for MODs I downloaded (never installed, so not of importance for me) - I think I did not ask for that feature but got it. So I now ask, if you could add the feature of a "upgrade available" notification. Especially for security fixes this could be nice to have.

Serious and short: add "new version" notification (or tell me, where to activate it).

bye
Ron

Franz · 2014-10-21 13:02:00

Hey Ron, you have two options:
- either subscribe to this forum, or
- sign up for the security mailing list in your site profile.

P.S.: You can disable the "Auto-use modifications" feature in your site profile to disable the automatic signup for the modification release emails. You'll have to explicitly opt out of the ones you already receive on their respective mod pages, though.

joel · 2014-10-21 13:06:25

hope this is not made to cause panic, because i might end up putting my flux forum down for now. Removing it from my server will be safer.

what I have is heavily modified flux in there. And there will be problem to upgrade it just like that. I really dont have that time now.

Maybe the patches will help.

By the why i think i heard before flux is highly secure and safe. Haha maybe the word security means insucurity and is just to cover up. Haha

Last edited by joel (2014-10-21 13:09:49)

Franz · 2014-10-21 13:36:11

Yes, you should definitely upgrade.

If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.

grognard · 2014-10-21 17:22:44

Upgrade relatively smooth and painless. Thanks a ton Franz!

GWR · 2014-10-21 18:48:29

Thanks for the hint with the site profile...never looked at it (I am in a forum, so I just use name+email, maybe "forgot password").

@string escaping
Maybe one should run some command line tools to check for unsanitized strings in querys (string variables used without "escape"-command wrapping it).

@Joel
A tool is save as long nobody finds the hole to crawl through. Even if you make your tool safe, you might have trouble with the environment (see the various PHP security fixes the last weeks).

EDIT: spelling bee was there to help.

bye
Ron

Last edited by GWR (2014-10-21 18:48:54)

benjawi · 2014-10-22 11:54:39

Just to confirm... there's no database update is there? I really should update mine and will do. Currently using v 1.5.5.

chris98 · 2014-10-22 12:00:53

Nope. My database is from 1.5.3, and I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php

benjawi · 2014-10-22 12:02:15

Ideal, will crack on with the upgrade then. Cheers for confirming.

Franz · 2014-10-22 12:41:44

chris98 wrote:

I got the message that it's as up-to-date as it can be when I changed the database version in include/common.php

Make sure FORUM_DB_REVISION is set to 20 in include/common.php, that makes sure your database is up-to-date.

chris98 · 2014-10-22 13:03:38

I changed it from 18 to 20 & I also changed the

define('FORUM_VERSION', '1.5.3');

to

define('FORUM_VERSION', '1.5.7');

but I get redirected to db_update still & I get the error:

[22-Oct-2014 13:00:08 UTC] Error: Your forum is already as up-to-date as this script can make it

in my error log.

If I remember correctly, this is exactly why I never changed it before - should I also update the data in the config table or should db_update do that?

Franz · 2014-10-22 13:12:44

db_update does that.

If you did not upload the newest version of db_update.php, it won't be able to do it for you, though.

chris98 · 2014-10-22 13:46:56

That's why it hasn't been working then - I was just somehow assuming the one from 1.5.3 would do it using some kind of fopen() function like checking for the version does in the admin panel.

I've ran the script and the actual upgrade itself was fairly smooth. However, it did cause a few hiccups with requiring custom caches and dropped my ranks table - but I think I've got all that sorted again now.

Studio384 · 2014-10-23 22:14:57

Dropped the rank table? What version of FluxBB have you been using prior to this, because of the sounds of it, you should have updated to 1.4.13 instead of 1.5.7 (unless, of course, you are using a Rank mod, in that case, indeed, the db_update will remove that table).

chris98 · 2014-10-24 06:53:28

You got it in one - I was using 1.5.3, but I was also using the ranks mod.

Visman · 2014-10-24 08:36:45

chris98 wrote:

I was using 1.5.3

This version is obsolete

chris98 · 2014-10-24 08:42:48

Visman wrote:

chris98 wrote:
I was using 1.5.3
This version is obsolete

Well... 1.5.3 with all the security updates.

joel · 2014-10-24 08:49:10

Franz wrote:

Yes, you should definitely upgrade.
If you want to fix the vulnerability in a simple way, apply this patch. It is literally a change in one line of code, which you have probably not modified.

@franz, i saw this code on the link ? where will i put this code? i mean what will i find and replace on profile.php?

@@ -55,7 +55,7 @@
message($lang_profile['Pass key bad'].' <a href="mailto:'.pun_htmlspecialchars($pun_config['o_admin_email']).'">'.pun_htmlspecialchars($pun_config['o_admin_email']).'</a>.');
else
{
- $db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}

Forums

#1 2014-10-20 11:56:46