FluxBB 1.5.1 released

Franz · 2012-11-13 15:15:13

UPDATE: We discourage you from upgrading to v1.5.1, as it contains changes that may break your forum if you have modifications installed or custom integrations in place. v1.5.2 will be released with a fix very soon.

I am very happy to announce the release of FluxBB v1.5.1.

This is a general maintenance release which (besides 18 bugfixes and 9 enhancements) also fixes a minor security issue that could potentially cause XSS vulnerabilities when used together with a SQL injection attack. We recommend updating.

Other important changes in this version:

You can also take a look at the detailed changelog.

As always, you can download this release on our download page.
Changed files and patches are also available on the upgrade page.

I want to use this opportunity to thank everybody who has contributed to this release: adaur, arw, daris, JohnLewis, Koos, Mr.Anderson, Oldskool, Paul, quy and Studio384. Cheers!

It is recommended to do a backup of both your files and database before upgrading!

If you have any problems or spot any errors please let us know!

And for everybody interested in v2.0: we will reach the first alpha milestone this month, so stay tuned for some exciting news!

Last edited by Franz (2013-01-09 11:29:45)

Studio384 · 2012-11-13 15:27:22

Yay! I'm working on the Dutch translation.

Haha, the first 1.5.1 modification is available.

Last edited by Studio384 (2012-11-13 15:48:23)

Pierre · 2012-11-14 05:30:22

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Studio384 · 2012-11-14 05:44:30

Pierre wrote:

Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a

Yes, that's the right comment.

Visman · 2012-11-14 07:09:40

Then what is it?

		if ($pun_user['is_admmod'])
			$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

Franz · 2012-11-14 11:40:41

Yes, it's that one.

As I wrote, it's only exploitable in combination with SQL injection. Somebody got hacked because of a SQL injection vulnerability in a modification.

Visman · 2012-11-15 12:46:29

Why use two Content-Type?

Franz · 2012-11-15 13:03:24

Any chance you have a custom style or a custom template file? You should remove the content type from the template, it's now generated in header.php.

Visman · 2012-11-15 13:11:58

I ask about this forum
Look in the top part of the picture.
---
It seems, the function handle_url_tag works at localhost incorrectly

if delete

	if ($bbcode === false && url_valid($full_url) === false)
		$bbcode = true;

- all ok

Visman · 2012-11-15 13:25:49

Possibly, the function url_valid returns False for localhost

adaur · 2012-11-15 13:38:27

Franz wrote:

Yes, it's that one.
As I wrote, it's only exploitable in combination with SQL injection. Somebody got hacked because of a SQL injection vulnerability in a modification.

That's me, indeed. It is not a vulnerability itself, but it can help in addition to a XSS.

@Pierre: yes it is, but as the fix is very easy, it would be a shame not to solve it.

@Visman: what about

	if ($bbcode === false && url_valid($full_url) === false && parse_url($full_url, PHP_URL_HOST) != 'localhost')
		$bbcode = true;

Last edited by adaur (2012-11-15 13:47:41)

Visman · 2012-11-15 15:12:35

adaur wrote:

@Visman: what about

	if ($bbcode === false && url_valid($full_url) === false && parse_url($full_url, PHP_URL_HOST) != 'localhost')
		$bbcode = true;

works, but I think it is necessary to correct function url_valid

adaur wrote:

That's me, indeed. It is not a vulnerability itself, but it can help in addition to a XSS.

Interestingly, why only in one place added pun_htmlspecialchars?

Visman · 2012-11-15 15:59:27

bug

[url]http://президент.рф/[/url]

-->
http://президент.рф/

adaur · 2012-11-15 17:25:38

@Visman: sorry, I thought url_valid was a native function. Let's continue the discussion here .

Interestingly, why only in one place added pun_htmlspecialchars?

If you see some more unprotected fields, please report them, thanks!

Edit: you're right, as always

		if ($pun_user['is_admmod'])
			$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

Last edited by adaur (2012-11-15 17:32:01)

sklerder · 2012-11-15 23:13:02

Studio384 wrote:

Pierre wrote:
Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a
Yes, that's the right comment.

Hello,

Excuse me, but why is the IP address escaped at this line, but not in the following lines :

if ($pun_user['is_admmod'])
$user_info[] = '<dd><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></dd>';
if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a>';

May be I miss something, but what ?

Last edited by sklerder (2012-11-16 07:31:08)

Franz · 2012-11-15 23:42:59

Visman wrote:

I ask about this forum

Whoops, my bad. Fixed now, it had to do with our site integration.

korui · 2012-11-16 17:35:32

I'm waiting for 2.0

lord.nitos · 2012-11-16 18:43:08

korui wrote:

I'm waiting for 2.0

Like everybody

sklerder · 2012-11-16 22:05:57

Hi !

sklerder wrote:

Studio384 wrote:
Pierre wrote:
Which commit fixes that XSS and SQL injection issue you mentioned? Is it this one? That seems hard to exploit: https://github.com/fluxbb/fluxbb/commit … 4d37d36d5a
Yes, that's the right comment.
Hello,
Excuse me, but why is the IP address escaped at this line, but not in the following lines :
if ($pun_user['is_admmod'])
$user_info[] = '<dd><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></dd>';
if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a>';
May be I miss something, but what ?

I believe you didn't see my question, Franz ...

JohnLewis · 2012-11-16 22:20:26

lord.nitos wrote:

korui wrote:
I'm waiting for 2.0
Like everybody

And it's a bit away. Alpha1 won't be usable and I doubt it (unless there is a something I am missing) will be usable until Beta1.

sklerder wrote:

Hi !
sklerder wrote:
Studio384 wrote:
Yes, that's the right comment.
Hello,
Excuse me, but why is the IP address escaped at this line, but not in the following lines :
if ($pun_user['is_admmod'])
$user_info[] = '<dd><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></dd>';
if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'] && $pun_user['g_send_email'] == '1')
$user_contacts[] = '<a href="mailto:'.$cur_post['poster_email'].'">'.$lang_common['Email'].'</a>';
May be I miss something, but what ?
I believe you didn't see my question, Franz ...

We have found a few of them. Check to see if it has been solved yet, if not report it in the ticket opened in the tracker regarding this issue. You can find it under 1.5.2.

Spiky · 2012-11-19 16:03:36

Visman wrote:

bug
[url]http://президент.рф/[/url]
-->
http://президент.рф/

Hi,
Is what it was fixed?
It's a little embarrassing when working locally.

Thanks.

JohnLewis · 2012-11-19 16:40:25

Spiky wrote:

Visman wrote:
bug
[url]http://президент.рф/[/url]
-->
http://президент.рф/
Hi,
Is what it was fixed?
It's a little embarrassing when working locally.
Thanks.

Please view the appropriate ticket under 1.5.2.

Pierre · 2012-11-23 09:28:21

I just updated the German translation. Note: as FluxBB switched to the strict XHTML mode for unknown reason tags like are no longer valid (use instead).

Btw: Why switch to the XML based XHTML instead of HTML (5)?

Franz · 2012-11-24 21:20:32

Thanks for the contribution, Pierre!

Yeah, I'm beginning to wonder whether the move to XHTML was so brilliant. It can cause really ugly errors on some pages and it isn't the latest standard anymore. Potentially breaking quite a few mods for such an un-needed (in the sense of importance) change is rather uncool.

EDIT: But then, we've always boasted ourselves with serving valid XHTML on our frontpage (until a few days ago), so I guess it does make sense.

sklerder · 2012-11-24 21:46:50

Hello, Franz !

May be it makes sense, but I feel it was to early, and "modders" weren't prepared to this

Actually, I'm fighting with Daris's Patcher, which is really broken with this change.

And, I suppose, it is not the only mod broken due to XHTML

I think that this choice should have been postponed to FluxBB 2.0, because mod will have to be rewritten for them to work with this new version, but actually, for a minor update, we have big rewrites on mods and a real upgrade to do, with plenty of tests ...

But thats only my point of view

Forums

#1 2012-11-13 15:15:13

FluxBB 1.5.1 released

#2 2012-11-13 15:27:22

Re: FluxBB 1.5.1 released

#3 2012-11-14 05:30:22

Re: FluxBB 1.5.1 released

#4 2012-11-14 05:44:30

Re: FluxBB 1.5.1 released

#5 2012-11-14 07:09:40

Re: FluxBB 1.5.1 released

#6 2012-11-14 11:40:41

Re: FluxBB 1.5.1 released

#7 2012-11-15 12:46:29

Re: FluxBB 1.5.1 released

#8 2012-11-15 13:03:24

Re: FluxBB 1.5.1 released

#9 2012-11-15 13:11:58

Re: FluxBB 1.5.1 released

#10 2012-11-15 13:25:49

Re: FluxBB 1.5.1 released

#11 2012-11-15 13:38:27

Re: FluxBB 1.5.1 released

#12 2012-11-15 15:12:35

Re: FluxBB 1.5.1 released

#13 2012-11-15 15:59:27

Re: FluxBB 1.5.1 released

#14 2012-11-15 17:25:38

Re: FluxBB 1.5.1 released

#15 2012-11-15 23:13:02

Re: FluxBB 1.5.1 released

#16 2012-11-15 23:42:59

Re: FluxBB 1.5.1 released

#17 2012-11-16 17:35:32

Re: FluxBB 1.5.1 released

#18 2012-11-16 18:43:08

Re: FluxBB 1.5.1 released

#19 2012-11-16 22:05:57

Re: FluxBB 1.5.1 released

#20 2012-11-16 22:20:26

Re: FluxBB 1.5.1 released

#21 2012-11-19 16:03:36

Re: FluxBB 1.5.1 released

#22 2012-11-19 16:40:25

Re: FluxBB 1.5.1 released

#23 2012-11-23 09:28:21

Re: FluxBB 1.5.1 released

#24 2012-11-24 21:20:32

Re: FluxBB 1.5.1 released

#25 2012-11-24 21:46:50

Re: FluxBB 1.5.1 released

Board footer