FluxBB 1.2.19 and 1.3 hotfixes released

Smartys · 2008-07-10 23:40:37

It's that time again: new release time!

Recently, several security vulnerabilities in both the stable (1.2) and development (1.3) branches of FluxBB have come to our attention. Today, we have released a new version of 1.2 and hotfixes for 1.3 to address these vulnerabilities.

1.2.19 addresses three fairly serious security vulnerabilities and provides a fix for an issue with userlist.php. It is a recommended upgrade for all 1.2 installs, both FluxBB and PunBB.

4 hotfixes have been released for 1.3 Beta 2. These hotfixes address various security concerns in the beta. It is recommended that all users of the beta install these hotfixes: when your install checks for updates, either manually or automatically, you should be prompted to do so.

The FluxBB Team would like to thank Stefan Esser, who reported the 1.3 vulnerabilities, and Dan Crowley, who reported the vulnerability in 1.2's parser.

raptrex · 2008-07-11 04:08:32

yay for updates!

kankan · 2008-07-11 09:00:53

I'll update my forums.

Thank you.

dns777 · 2008-07-11 10:18:37

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Last edited by dns777 (2008-07-11 13:43:29)

Bad Harvest · 2008-07-11 14:00:39

dns777 wrote:

This is rather annoying, since it refuses the creation of clickable images

Agreed! I don't have images enabled in my forum, but linked images are very useful and I use them a lot elsewhere. In fact, linked images are required to conform to Flickr's ToS when using an image from your Flickr photostream.

chris · 2008-07-11 14:53:43

Just a tip for anyone else having this problem.

I uploaded the changefiles for 1.2.19 but my install still said 1.2.18. This is because the database update script was missing from the changed files zip. To fix this:

0) Upload the changed files to your Flux 1.2.18 install
1) UPDATE punbb_config /*(mine is a longtime pun install, the new flux tables probably have a different prefix)*/ SET o_cur_version = '1.2.19';
2) Delete file (your install path)/cache/cache_config.php
3) Load any Flux page in your browser.

You now have the newest release, no updates available.

anni · 2008-07-11 16:46:27

smartys plz release a one click 12_to_1219_update.php file

Meow · 2008-07-11 17:33:52

.19

...

Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?

Mark · 2008-07-11 18:02:18

Meow wrote:

.19
...
Is it a race between FluxBB 1.2(.19) and phpBB 2.0(.23)?

No, its essential security updates.

artoodetoo · 2008-07-11 18:41:45

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!

Lamonte · 2008-07-11 18:59:36

Where do I download from, main website?

Coordinator · 2008-07-11 19:16:09

artoodetoo wrote:

Please explain why [ url ] some-other-tags [ /url ] has a vulnerability. I can't realize it, sorry!

Realy, why?

Smartys · 2008-07-11 19:59:38

dns777 wrote:

Concerning 1.2.19, in include/parser.php :

        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');

This is rather annoying, since it refuses the creation of clickable images, like this:

[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]

Quite right. And I was hoping to have a release without an issue too.
We'll investigate and see whether we can improve the check to be less overzealous.

raptrex · 2008-07-11 20:53:42

Lamonte wrote:

Where do I download from, main website?

you can or go into install extentions on your forum

foxmask · 2008-07-11 22:51:02

Smartys wrote:

dns777 wrote:
Concerning 1.2.19, in include/parser.php :
        if (preg_match('#\[url\](.*?)([\[]+?)(.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)([\[]+?)(.*?)\](.*?)\[/url\]#', $text) || preg_match('#\[url=(.*?)\](.*?)([\[]+?)(.*?)\[/url\]#', $text))
                message('BBCode can not be nested within [url] tags.');
This is rather annoying, since it refuses the creation of clickable images, like this:
[url=http://bla.com/big_image.jpg][img]http://bla.com/thumbnail.jpg[/img][/url]
Quite right. And I was hoping to have a release without an issue too.
We'll investigate and see whether we can improve the check to be less overzealous.

i met the same issue with
[ url= ... ] [ b ] [ color = ] text [/ color ] [ / b ] [ / url ]

anni · 2008-07-12 06:05:44

I cant even post two links after each other in 1.2.19:(

Like:

FluxBB FluxBB

Error Message:

BBCode can not be nested within [url] tags.

Last edited by anni (2008-07-12 06:09:30)

Smartys · 2008-07-12 11:35:49

anni: Thanks for the report.
Everyone: From this point forward, I'm going to be deleting any posts that report the same issue. We don't need any "me too" posts. We know there's an issue.

achos · 2008-07-12 20:29:18

hi
how update SVN 1.3 version ? thx

Last edited by achos (2008-07-12 20:29:33)

fpouget · 2008-07-12 22:57:38

Hi,

There is not an issue on edit.php and extern.php ? I can figure out where are the difference in http://fluxbb.org/download/releases/1.2 … .2.19.html same think for http://fluxbb.org/download/releases/1.2 … .2.18.html

Smartys · 2008-07-13 01:55:35

fpouget: edit.php has a > added, extern.php has a PunBB changed to FluxBB (the other change, as you said, appears to not affect anything).

Ledo · 2008-07-15 13:49:59

What is the policy on hotfixes.

Will installing hotfixes over extensions system be a common procedure in the future or will hotfixes be implemented in every new release of Fluxbb.

liquidat0r · 2008-07-15 14:56:57

Hotfixes will fix any issues found before a new release is made. Upon updating to that new release, the hotfixes will be removed and replaced by hard-code in the new release.

Last edited by liquidat0r (2008-07-15 14:57:20)

Forums

#1 2008-07-10 23:40:37

FluxBB 1.2.19 and 1.3 hotfixes released

#2 2008-07-11 04:08:32

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#3 2008-07-11 09:00:53

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#4 2008-07-11 10:18:37

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#5 2008-07-11 14:00:39

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#6 2008-07-11 14:53:43

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#7 2008-07-11 16:46:27

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#8 2008-07-11 17:33:52

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#9 2008-07-11 18:02:18

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#10 2008-07-11 18:41:45

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#11 2008-07-11 18:59:36

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#12 2008-07-11 19:16:09

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#13 2008-07-11 19:59:38

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#14 2008-07-11 20:53:42

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#15 2008-07-11 22:51:02

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#16 2008-07-12 06:05:44

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#17 2008-07-12 11:35:49

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#18 2008-07-12 20:29:18

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#19 2008-07-12 22:57:38

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#20 2008-07-13 01:55:35

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#21 2008-07-15 13:49:59

Re: FluxBB 1.2.19 and 1.3 hotfixes released

#22 2008-07-15 14:56:57

Re: FluxBB 1.2.19 and 1.3 hotfixes released

Board footer