FluxBB 1.5.8 released

Franz · 2015-01-23 14:45:27

It is my pleasure to announce the long-awaited release of FluxBB version 1.5.8.

Security fix

This release fixes a minor security issue in install.php. The installer could be tricked into loading and executing any file named install.php. Abuse of this vulnerability could have only been possible in combination with other security issues that would have allowed an attacker to create files with that name.
If you want to stay on the safe side no matter what, just delete your install.php file by hand or do it from the admin panel after the upgrade.

Anti-spam addons

As a special present, we made it super-easy to install anti-spam modifications by providing a few hooks where these modifications can hook into. All you will need to do to install this new generation of anti-spam tools is to copy one or two files into certain folders of your FluxBB installation. We hope this change encourages the community to create a broad range of more diverse antispam tools, so that spammers will hit unpredictable obstacles when targetting FluxBB. As an example, I have created a modification that adds Google's new reCAPTCHA system to your registration page. Expect more documentation in the next days.

Other highlights

The new version also brings some security hardening, fine-tuning, several small features and usability improvements to your forum. Here's a list of the highlights:

Everything else can be found in the full changelog.

I am very grateful for the following community members due to their help and support in getting this version ready: adaur, altjo, Askelon, chris98, GeonoTron2000, jmleroux, Pierre, quy, seven, Studio384, Visman and 123.
Also, a big thanks to the High-Tech Bridge Security Research Lab for their responsible cooperation in getting the vulnerability fixed.

So, go ahead and download the new version on the downloads page. You can find patches on the upgrade page. As always, don't forget to make a backup of both your files and your database before the upgrade.

Thank you for using FluxBB!

Last edited by Franz (2015-01-23 14:52:52)

Gamer · 2015-01-23 15:51:15

Great! Thanks guys!

chris98 · 2015-01-23 17:46:40

That's awesome to see so many great updates added!

As promised, here is my addon: https://fluxbb.org/resources/mods/brute … in-system/

Just a note: When I attempted to download a fresh copy of 1.5.8 for install and went to the index.php file, I did not get redirected to install.php like normal. Instead, I received a completely blank page. I had to manually navigate to the install page to install FluxBB.

Error · 2015-01-23 23:41:23

Great news for this, awesome work FluxBB.

123 · 2015-01-24 14:03:23

It is good news for FluxBB community. I waiting on FluxBB 2 alpha 2. XD

Franz · 2015-01-24 21:21:53

Coming very soon.

meetdilip · 2015-01-24 21:24:27

Good luck

Error · 2015-01-24 23:22:26

Franz wrote:

Coming very soon.

How soon is very soon?

wiidu · 2015-01-28 07:28:57

Very good

Franz · 2015-01-28 15:45:42

If you downloaded the new version here from the site, please download it again or make sure that your install.php file is deleted.

Due to a mishap during the release process, the actual security fix was not included in the package.

I apologize.

micbr · 2015-02-02 04:57:55

Brilliant release. Kudos to the team. Updated the forums yesterday afternoon, took about half an hour since some of our files needed to be patched, but the update process itself only had the forums down for about 10 minutes.

I love the idea of being able to move a lot of this modified spam protection code out of the core files as well. We use the old Honeypot + StopForumSpam protection method which still works perfectly with 1.5.8, but of course doesn't take advantage of the new add-on method. I had planned to produce a new add-on that provides this functionality, but it looks like this mod actually replaces a couple of fields (username, for one), so I'm not sure if I'll be able to do something similar in an add-on alone.

Franz · 2015-02-02 10:55:20

Should be possible with a little bit of JavaScript?

micbr · 2015-02-02 14:12:05

That would work for altering the HTML fields, but I haven't looked into altering the existing PHP in register.php. The username field for example is renamed honeypot, and the PHP in register.php has to be modified to receive data from the field named honeypot, not username as it would normally.

That said, it probably seems rather simple for someone knowledgeable about PHP. I'll investigate solutions for this one when I have a little more time.

Last edited by micbr (2015-02-02 14:13:17)

chris98 · 2015-02-02 15:55:32

Basically, you find the HTML input with the attribute: name="req_username"

And you change the quoted part to whatever you want. You then find all occurences of $_POST['req_username'] and replace the req_username with whatever the filed name is.

GWR · 2015-02-02 22:01:39

your "addon"-compatible code will have to get processed before the "real" processing takes place: so before validation. You might replace the given variables in $_REQUEST/$_POST ... but this might a bit whacky-hacky.

Using the above you do not need to change/adjust the existing php-code. You route it around the existing code: replace the form content via jscript and before the board wants to process incoming post data, you replace it again. Not nice, but possible.

A better solution (but also improveable) is to post the to-render-content of a form to all listening addons (via "reference") at let them modify them on their own (you will have to trust your addons). For the current revisions this approach is not possible.

bye
Ron

Newman · 2015-02-03 08:43:26

Great Work Franz

chris98 · 2015-02-03 09:39:11

You might replace the given variables in $_REQUEST/$_POST ... but this might a bit whacky-hacky.

To clarify a bit more on this for the OP... I would strongly discourage the use of $_REQUEST. For 1 reason alone, REQUEST does not just cover GET and POST (which is a bad idea just those), but also other things like $_COOKIE. And if the cookie value exists, it overrides the POST value.

Essentially, it's a mishmash of some of the available Superglobals.

Last edited by chris98 (2015-02-03 09:39:24)

GWR · 2015-02-03 11:56:29

Things would be easier with the existence of some globals ($postData) ... or the other thing I suggested (passing the data to the hook listeners and let them modify on the data on their own).

@$_COOKIE and overrides
Never knew that. interesting.
In our case this should not matter as a "filled"-inputfield (username) is only of interest for not-logged-in-users (OP wrote something about register.php).

Before understanding me the wrong way: I absolutely agree with Chris, it is not the best thing to play with superglobals that way. Maybe the next minor release should add some more hooks. Will open up an issue for this on github (hooks need params - so we could have an "adsense after x'th post" addon and the likes).

bye
Ron

Audiofeeline · 2015-02-04 03:48:02

Am I the only one who think your anti-spam hook is a big mistake ?...
Why won't you just add something that works and can be accessible for blind people ?
Is that mean there's no protection by default ? This is the reason FluxBB is spammed.
It's easy to stop/fight spam but you just opened a door for them.
I'm sure there will be more attacks in few weeks.

GWR · 2015-02-04 08:02:32

Why won't you just add something that works and can be accessible for blind people ?

Because "just doing" is not working successfully for all people: feel free to propose a bullet proof captcha-system using no jscript/flash/whatever, which does work for (color) blind and deaf people. Also the system should not stop mentally retarted people from using it.
There is no 100% reliable captcha-solution fulfilling all of the requirements. So there is of course no implementation in fluxbb which pretends to do exactly this.

Also the pure functionality of a bb is: writing posts in threads. This is done. Adding "extras" is a thing addons/modules should handle. The disadvantage of fluxbb is the missing ability to easily extend it - this might change again in the future or not.

If fluxbb provides a custom anti-spam-solution one could assure that it is tried to get broken hours after release. That is the problem of all more or less popular (open source) software.

So imho: I am not thinking that the anti-spam hook is a mistake. Every publically accessible software should not be administered by users without any knowledge. There is no "install & run safe forever" button to click on.

Your post brought up an idea in my mind (which wont be turned into reality): the admin panel should have a subpage displaying a categorized list (fetched from remote) of addons. There are some "basic categories" (anti-spam, moderation & admin, topic/thread functionality, others) and even a portion "essential" - which lists things you should choose from to have at least a minimum security.

bye
Ron

Audiofeeline · 2015-02-04 11:32:39

GWR wrote:

feel free to propose a bullet proof captcha-system using no jscript/flash/whatever

« Question captcha » works. I've been using this for 10 years and still no spam.

An unprotected CMS will be always attaked. I don't know if there's people with large people but those bots are downgrading performances of servers. It's a big problem and spammer will keep trying till the door could be open somewhere.

As I already said, security isn't an option.

Few spammers would pay people to resolve « question captcha », give it a try and I promise you that 99% of spambots will be blocked.

This way most of spammer will stop trying on FluxBB.

chris98 · 2015-02-04 11:40:43

« Question captcha » works. I've been using this for 10 years and still no spam.

That's a personal opinion. Personal opinions differ. You may say that this new anti spam system is terrible, but have you actually used it? And secondly, how do you know it's terrible, you don't have proof. It hasn't even been out for very long anyway, and you only have proof from your forum.

Most spammers are bots. I know this, because I've blocked all access that bots have to my registration system (and posting, but guests can't post anyway). The result? Two spammers in three years. So if most of them are bots, then this kind of stuff should easily block them.

GWR · 2015-02-04 12:38:29

I myself just use a question-antibot-system (see the vsabr-thread) and spammers come through ... less than 2-3 per month. I have guest posting allowed (but with question-captcha) and the spam posts come from registered users by 90+%. So this makes me think that the registered users are "human registered" ones - but ones who do not even bother to check if they are able to post as guest.

Posting as guest is even worse for moderators/admins than posting as user. You can delete all of a users post with some clicks, but for guests, you have to delete each of them manually ...

Back to your "why no antispam" question: if you preinstall such a functionality, do you really think many of the admins will really customize their questions? They will reuse existing ones - and bots will just have to store the most common default question-answer-pairs to circumvent the security measurement.

Not providing such a functionality by default makes admins aware of the situation and they will have to decide: use another bb software (having similar issues regarding their captcha-solutions), or try one of the existing addons/modules.
I cannot answer which is the best option.

bye
Ron

Last edited by GWR (2015-02-04 12:39:01)

Audiofeeline · 2015-02-04 12:40:02

I use this on many CMS/Websites (in porn industry). Spamming is a big problem and this solution is the best I've found. I use it on FluxBB and there's no spam.

All developpers have made great work with FluxBB but I really think we have to reconsider security.

Most of spam is automated. The only thing that could happen with this solution is a list of question/answer or maybe an IA but seriously, do you think spammers waste their time for that ?

If we imagine different questions on each installation of FluxBB there will be thousand of different answers.

Blocking IP isn't a solution too cause of dynamic ones.

We don't have to give up against spamming.

Audiofeeline · 2015-02-04 13:11:36

Yes, this registered users that spam. Captcha on register page kills 90% of bots as you say, I use this MOD too.

Human spam can easly be deleted. Guest posting is used on few boards I think.

Maybe we could add a plugin in default FluxBB package and maybe ask for admin to add question(s) in installation process will make FluxBB more secure.

Last edited by Audiofeeline (2015-02-04 13:14:48)

Forums

#1 2015-01-23 14:45:27