Phorum-5.2.12a released - SECURITY FIX
Posted by Thomas Seifert (Admin), July 22, 2009 08:31AM
This release has the regular fixes and improvements and also has a security fix for another obscure XSS with CSS expressions in size and color BBCode tags (thanks to Paolo Pinto for reporting these).
Therefore we urge all Phorum users to upgrade as soon as possible.
As usual you can download this version from our downloads page.
Edit: We did a quick bugfix round after the release, prompting 5.2.12a ...
This is the excerpt from the changelog for 5.2.12a:
2009-07-22 17:54 ts77
  * fixed event logging download issue (fixing #862, thanks to Markus Fischer)
2009-07-22 17:44 mmakaay
  * Fixed #858: we now use a more forgiving match algorithm for determining the running MySQL server version.
2009-07-22 17:21 mmakaay
  * Fixed #863: Prevent a PHP NOTICE when running a CLI script. Thanks to Markus for the problem report.
This is the excerpt from the changelog for 5.2.12:
2009-07-22 11:58 ts77
  * added code to have the admin stylesheet external with a hook to override the url (closing #860, though I don't see it as a final solution yet with its relative image urls).
2009-07-22 11:49 ts77
  * add E_USER_ERROR to error reporting in admin (fixing #859, thanks to Markus Fischer)
2009-07-20 11:46 ts77
  * Preliminary fix for XSS in size and color bbcode tags. Thanks to Paolo Pinto from SYSDREAM
2009-07-04 00:38 mmakaay
  * Work-around when there is no "&" in the php.ini arg_separator.input option. If that happens, then PHP won't correctly fill the $_GET array. E.g. "arg1=val1&arg2=val2" will end up as array('arg1' => 'val1&arg2=val2').
2009-07-03 11:45 mmakaay
  * A fix for hosting providers that manage to provide a SCRIPT_URI that does not contain the actually requested HTTP_HOST, probably due to some mass virtual hosting rewrite rules.
2009-07-01 10:35 mmakaay
  * Fixed #853: A bbcode tag like [url=http://www.phorum.org \] (note the space in front of the "]" character) caused the bbcode formatting to trip. Thanks to Serdar for the bug report!
2009-07-01 09:05 mmakaay
  * The event logging module is now used for logging blocked form posts. Also, a bugfix was done on the iscramble code. In some cases, there were duplicate id's in use for the blocks that hold the scrambled js code, causing the js md5 signing feature to fail.
2009-06-30 14:49 mmakaay
  * Fixed the forum picker list for the advanced search page in a vroot environment. Before this change, the list of searchable forums was empty.
2009-06-09 06:22 brian
  * Added hook to allow overriding of the maximum upload file size.
2009-05-29 17:29 mmakaay
  * Fixed a permission checking issue for the file.php script. Read access for the forum in which the file is stored was not correctly checked. Thanks to Phorum user "FF" for finding the bug.
Thomas Seifert
Edited 2 time(s). Last edit at 07/22/2009 02:04PM by Thomas Seifert.
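As an added illustration of the kind of check the size/color fix above needs (this is a constructed example, not Phorum's code): a minimal BBCode renderer that copies a [color=...] or [size=...] argument into a style attribute unchecked, beside one that allowlists the value's shape before it ever becomes CSS. The tag set, the regexes and the size/colour policy are assumptions of this example.

```python
import html
import re

# Constructed example, not Phorum code: a tiny [color=...] / [size=...]
# BBCode renderer. The naive version copies the tag argument into a CSS
# declaration unchanged, so anything the browser treats as CSS (including
# the legacy IE expression() syntax the advisory refers to) reaches the page.
# The hardened version allowlists the value's shape before it becomes CSS.

TAG_RE = re.compile(r"\[(color|size)=([^\]]*)\](.*?)\[/\1\]", re.DOTALL)

# Allowed argument shapes (assumed policy): a 3- or 6-digit hex colour, a
# plain alphabetic colour name, or a font size of 1..72 pixels.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
SIZE_RE = re.compile(r"^[1-9][0-9]?$")

def _css_property(name):
    return "color" if name == "color" else "font-size"

def render_naive(text):
    """Vulnerable: the raw tag argument is interpolated into style=''."""
    def sub(m):
        name, value, body = m.group(1), m.group(2), m.group(3)
        unit = "px" if name == "size" else ""
        return '<span style="%s: %s%s">%s</span>' % (
            _css_property(name), value, unit, html.escape(body))
    return TAG_RE.sub(sub, text)

def validate_arg(name, value):
    """Return a safe CSS value, or None when the argument is rejected."""
    value = value.strip()
    if name == "color" and COLOR_RE.match(value):
        return value
    if name == "size" and SIZE_RE.match(value) and int(value) <= 72:
        return value + "px"
    return None

def render_safe(text):
    """Hardened: an argument that fails validation drops the styling; the
    body is still emitted, escaped but unstyled, so no user-controlled text
    reaches the CSS."""
    def sub(m):
        name, value, body = m.group(1), m.group(2), html.escape(m.group(3))
        safe = validate_arg(name, value)
        if safe is None:
            return body
        return '<span style="%s: %s">%s</span>' % (_css_property(name), safe, body)
    return TAG_RE.sub(sub, text)
```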
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 10:38AM
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 10:53AM
Yes, you are right. The extension has been removed from the package. From the changelog:
"Removed the PHP Phorum extension. It is hard to maintain this parallel C-code, reverse threading did not yet work at all and changes in the core code have made URL generation a lot friendlier already, by using URL templates instead of separate phorum_get_url() calls for those cases where a lot of URLs had to be generated."
Besides this, there was another incompatibility that caused the extension to fail in some cases. Maybe the extension will return in the future, but for now we decided to remove it.
Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 11:26AM
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 11:35AM
That remark was actually added to the changelog for trunk (aka 5.3) which is available at
[www.phorum.org]
The one for the stable tree is
[www.phorum.org]
(both contain the whole history, not only for that release)
Thomas Seifert
Edited 1 time(s). Last edit at 07/22/2009 11:35AM by Thomas Seifert.
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 11:36AM
In Trac you have access to all changes. It can be found under the menu item "DEVELOPMENT".
5.2 tree changelog
Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 12:31PM
Quote from Thomas Seifert:
  2009-07-04 00:38 mmakaay * Work-around when there is no "&" in the php.ini arg_separator.input option. If that happens, then PHP won't correctly fill the $_GET array. E.g. "arg1=val1&arg2=val2" will end up as array('arg1' => 'val1&arg2=val2').
I think this change causes a NOTICE when used from a non-webserver SAPI, e.g. CLI, see [trac.phorum.org].
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 01:23PM
I think that changeset 4424 should fix the issue.
Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Phorum-5.2.12 released - SECURITY FIX, July 22, 2009 02:05PM
Re: Phorum-5.2.12a released - SECURITY FIX, July 24, 2009 08:27AM
Just realized that "Prune Messages" doesn't work anymore, gives a Fatal Error, see [trac.phorum.org].
Re: Phorum-5.2.12a released - SECURITY FIX, July 25, 2009 06:05AM
Re: Phorum-5.2.12a released - SECURITY FIX, July 25, 2009 06:27AM