Phorum 5.2.11 Release Candidate 1 released! SECURITY FIXES
Posted by Thomas Seifert
Phorum 5.2.11 Release Candidate 1 released! SECURITY FIXES April 24, 2009 04:05PM
The first release candidate of Phorum-5.2.11 has been released today.
It's a bugfix release fixing a couple of issues, unfortunately also a couple of security-related issues, most of them being CSRF (also noted on Secunia).
Even though it's a security release, there have been A LOT of changes in the core to fix those and therefore we want to have a release candidate first.
As usual this release can be downloaded from our downloads page (development releases).
Please let us know any issues you might encounter with this version so the final release of 5.2.11 can be as bug-free as possible.
This is the excerpt from the changelog:
2009-04-22 09:12 ts77 * additional CSRF protection in the admin. Now a new token is generated when accessing the admin without a valid token in the url. This token is timed out after 15 minutes and requires manual click to continue.
2009-04-21 09:19 mmakaay * Fix for #844: avoid the use of addslashes() for SQL escaping in the Spam Hurdles module in favor of phorum_db_interact(), so other database layers can be developed. Thanks to Radium Kolar for noticing.
2009-04-17 08:53 ts77 * corrected message after posting in a moderated forum, removing a warning (fixing #845, thanks to Dready)
2009-04-14 13:35 mmakaay * Fixed #843: No need to have images/* in the distro sanity check as critical files, so I removed them from the file list. Thanks to Mathias for the idea. While I was at it, I updated the distro sanity check script to include new core distribution files in the distro list.
2009-04-13 23:03 mmakaay * Fix for #840: make database "charset" config parameter database layer independent, by putting the check in the db layer sanity check function instead of directly in the database sanity check script. This makes it possible to ignore the charset configuration parameter for database layers that do not require this parameter.
2009-04-13 10:50 mmakaay * Fixed XSS issues from #841. Thanks to cicatriz for reporting them.
2009-04-13 10:13 mmakaay * Fixed #842: make Spam Hurdles module database table name db layer independent.
2009-03-22 09:58 ts77 * added support for custom headers to the mail functions and the smtp-mail module, fixed message-id usage in smtp-mail module
2009-03-20 11:51 mmakaay * Some fixes for doc generation.
2009-03-15 11:13 ts77 * fixed APC cache-layer (#782, thanks to hcgtv for the report)
2009-03-14 05:01 brian * Added post form confirmation into message deletion process to protect against CSRF attacks
2009-03-14 01:44 ts77 * Made allowed redirection URLs for the login a setting in general settings (defaults to localhost and the phorum-url) and fixing with it an "Arbitrary Redirection Vulnerability" reported by Andrew Paterson
2009-03-13 16:39 mmakaay * Implemented a new hook "css_filter" that can be used for post-processing Phorum's CSS code (e.g. compression of the code).
2009-03-11 01:14 mmakaay * Added a layer of protection against CSRF (Cross Site Request Forgery) attacks. Thanks to WHK for notifying us about the possible issues.
2009-03-11 00:42 mmakaay * Fixed a possible XSS issue in the Spam Hurdles module. Thanks to Andrew Paterson for notifying us about the issue.
2009-03-10 00:03 mmakaay * Implemented a new hook "get_template_file", which can be used to influence the phorum_get_template_file() function. The name of the template to load can be updated (e.g. to change "index_new" to "yourmod::index_new") and the template source file to use can be returned (e.g. to tell Phorum that the "pm" template has to be handled by a custom script named "./mods/yourmod/pm_page_handler.php").
2009-03-06 17:40 brian * Fixing XSS issue in control.php
2009-02-18 17:08 ts77 * added after_merge / after_split hooks for acting on thread split/merge actions (fixing #828, thanks to so at deluxe-design.at)
2009-02-18 16:41 ts77 * moved pm_message array out of the condition to have the data available to the pm_sent hook in any case (fixing #827, thanks to so at deluxe-design.at)
2009-02-18 16:16 ts77 * (re-)added storing the user_id for message attachments, fixing #822
2009-02-01 19:30 mmakaay * Fix for #892: mb_substr() replacement function contained a typo. No big impact. The replacement function was not yet in use in core code. Only the smtp_mail module calls mb_substr(). Thanks to r.wetzlmayr for reporting the error!
2009-01-28 19:41 mmakaay * Fixed the BBcode parser for some old PHP systems. A problem in PHP caused the parser to not parse any BBcode tags. The PHP problem was that the "\0" in a string was seen as a filled character position. E.g. with $a="b", isset($a[1]) would yield TRUE. This threw off the bbcode parse tree generator.
Thomas Seifert
Edited 1 time(s). Last edit at 04/24/2009 04:15PM by Thomas Seifert.
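The changelog entry about allowed redirection URLs for the login describes an allow-list of hosts. The following is an added example of such a check, not Phorum's own code; the function name, the sample host list and the fallback URL are assumptions.

```php
<?php
// Added example, not Phorum's own code: check a requested post-login
// redirect target against an allow-list of hosts, the approach the
// changelog entry above describes for the login redirect setting.
// The function name and the sample host list are assumptions.

/**
 * Return $target if it is safe to redirect to, otherwise $fallback.
 * Safe means: a same-site path, or an http(s) URL whose host is allow-listed.
 */
function safe_login_redirect($target, array $allowed_hosts, $fallback)
{
    $target = trim((string) $target);
    if ($target === '') {
        return $fallback;
    }
    // A plain path ("/list.php?1") stays on this site, but "//host/..." and
    // "/\host/..." are scheme-relative URLs that browsers send elsewhere.
    if ($target[0] === '/') {
        return preg_match('#^/[/\\\\]#', $target) ? $fallback : $target;
    }
    $parts = parse_url($target);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;               // unparsable or no host at all
    }
    // Only http and https; javascript:, data: and the like are never allowed.
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }
    // Compare the parsed host, not a string prefix: parse_url puts the
    // "localhost" of "http://localhost@evil.example/" into user, not host.
    $host = strtolower($parts['host']);
    return in_array($host, $allowed_hosts, true) ? $target : $fallback;
}

// Constructed sample: the defaults the changelog names, localhost and the forum's own host.
$allowed  = array('localhost', 'forum.example');
$fallback = 'http://forum.example/index.php';
foreach (array('/list.php?1', 'http://forum.example/read.php?1,2',
               '//evil.example/', 'http://localhost@evil.example/',
               'javascript:void(0)') as $url) {
    echo $url, ' => ', safe_login_redirect($url, $allowed, $fallback), "\n";
}
```

Only the first two sample targets are returned unchanged; the other three fall back to the forum index because they would leave the allow-listed hosts.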
April 24, 2009 06:12PM
For those that don't know what a CSRF attack is, you can read the Wikipedia page. The good news about CSRF is that it requires a privileged user to visit a page that contains the attacking URL in it. So, it is not a completely passive attack. Action is required. However, the bad news is, it is real. It can do real damage. Everyone out there is prone to these types of attacks, even sites like Amazon.
Issues like these are one reason that Phorum has always kept the admin login separate from the front end login. A CSRF attack on the admin would require that an admin user of the Phorum in question visits a site that has an attacking URL or script on it and then that they were also logged in to the admin. Now, alone our separation does not prevent CSRF. We admit that. But, these new changes do address the known issues with CSRF.
There are still things that could be done with CSRF attacks. However, for compatibility reasons between templates, we have decided to only focus on the destructive things that can be exploited. The few issues that remain are non-destructive actions. All of these will be addressed in a future release where, unfortunately, older templates are likely to be broken. We have some ideas for making a module that could bridge the gap between old templates and new, but nothing solid yet.
Phorum has had a decent record when it comes to security. There is only one bug-free piece of software that I have ever seen (that was actually useful). We can only respond quickly and responsibly when there are such things brought to our attention.
I can assure you that any future Phorum development will be done with CSRF in mind.
Brian - Cowboy Ninja Coder - Personal Blog - Twitter
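The changelog's admin token entry (a token generated when the admin is entered without one, timed out after 15 minutes) and Brian's explanation of why a forged cross-site request fails both come down to the same mechanism. The following is an added example of such a timed token, not Phorum's own code; the function names, the session array and the PHP 7 random_bytes() call are assumptions.

```php
<?php
// Added example, not Phorum's own code: a timed admin token of the kind the
// 5.2.11 changelog describes. The token lives in the admin's server-side
// session and expires after 15 minutes; every admin request must carry it.
// A plain array stands in for $_SESSION here (assumption for the example).

define('ADMIN_TOKEN_TTL', 15 * 60);   // seconds, matching the changelog's 15 minutes

/** Create a fresh random token and store it, with its creation time, in the session. */
function admin_token_create(array &$session)
{
    $token = bin2hex(random_bytes(16));        // PHP 7+; 128 bits of entropy
    $session['admin_token']      = $token;
    $session['admin_token_time'] = time();
    return $token;
}

/** Check a token supplied with the request against the one in the session. */
function admin_token_valid(array $session, $supplied, $now = null)
{
    $now = ($now === null) ? time() : $now;
    if (!isset($session['admin_token'], $session['admin_token_time']) || !is_string($supplied)) {
        return false;                          // no token issued yet, or nothing supplied
    }
    if ($now - $session['admin_token_time'] > ADMIN_TOKEN_TTL) {
        return false;                          // expired: the admin must click through to get a new one
    }
    return hash_equals($session['admin_token'], $supplied);   // constant-time comparison
}

// Usage in an admin page handler (constructed sample).
$session = array();
$token   = admin_token_create($session);

// A request the admin made by following an admin link that carries the token: accepted.
var_dump(admin_token_valid($session, $token));
// A request forged by another site cannot include the session's token: rejected.
var_dump(admin_token_valid($session, 'not-the-token'));
// The genuine token presented 16 minutes later: rejected, so a new one is generated.
var_dump(admin_token_valid($session, $token, time() + 16 * 60));
```

Because the token is only ever compared against the copy held server-side, a page on another site has nothing it can read to forge a valid admin request, which is the separation Brian describes.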