Phorum-5.2.11 Released - SECURITY FIX

Posted by Thomas Seifert 
May 22, 2009 10:24AM
This release has the regular improvements for modules with added hooks and parameters, fixes quite a few reported bugs and also has protection against the more recent web threats like CSRF and MIME-sniffing issues.

Therefore we urge all Phorum users to upgrade as soon as possible.

If you see problems with redirection after login to some other page outside of Phorum, please note this entry:
	* Made allowed redirection URLs for the login a setting in general
	  settings (defaults to localhost and the phorum-url) and fixing
	  with it an "Arbitrary Redirection Vulnerability" reported by
	  Andrew Paterson
You will have to configure the URLs you are redirecting to in the general settings in the admin area.

As usual you can download this version from our downloads page.

This is the excerpt from the changelog:
 
   2009-05-18 23:54  mmakaay
	* Logs can now be downloaded from the event viewer settings page
	  (thanks to Joe Curia for providing the page). Logs are now
	  automatically cleaned up when the total number of logs exceeds the
	  configured maximum. This is done by means of a garbage collector
	  that is run in 5% of the page requests.

   2009-05-15 12:21  mmakaay
	* Implemented a check to see if an unsafe attachment is downloaded
	  in MSIE6-. If this is the case, then anti-caching headers are
	  sent. This is done, because a quirk in MSIE6 (and maybe lower)
	  could interpret a file from cache, even if we send headers to
	  specifically force a download.

   2009-05-15 10:02  mmakaay
	* Updated the MIME sniffing code (for checking if a browser might
	  see a certain file as HTML code) to be more specific. This is done
	  to minimize the number of false positives that we see. For example
	  "<a" has been changed to "<a[ >]" to make it match either "<a>" or
	  "<a ".

   2009-05-12 10:51  ts77
	* added mime-type checking using fileinfo-extension

   2009-05-10 16:11  mmakaay
	* Fix for the Mime-Sniffing XSS security issue. This is a browser
	  security issue, for which this changeset implements a safety
	  measure on the server side: files that are not safe for viewing
	  (i.e. files that could be treated as HTML code, even if they are
	  uploaded as images or other file types) are not displayed in the
	  browser. Instead, for these files a download is enforced. For
	  extended information on the MIME-Sniffing issue, take a look at
	  [webblaze.cs.berkeley.edu] Thanks to
	  Jacques Copeau for notifying us about this issue.

   2009-04-22 09:12  ts77
	* additional CSRF protection in the admin. Now a new token is
	  generated when accessing the admin without a valid token in the
	  url. This token is timed out after 15 minutes and requires manual
	  click to continue.

   2009-04-21 09:19  mmakaay
	* Fix for #844: avoid the use of addslashes() for SQL escaping in
	  the Spam Hurdles module in favor of phorum_db_interact(), so other
	  database layers can be developed. Thanks to Radium Kolar for
	  noticing.

   2009-04-17 08:53  ts77
	* corrected message after posting in a moderated forum, removing a
	  warning (fixing #845, thanks to Dready)

   2009-04-14 13:35  mmakaay
	* Fixed #843: No need to have images/* in the distro sanity check as
	  critical files, so I removed them from the file list. Thanks to
	  Mathias for the idea. While I was at it, I updated the distro
	  sanity check script to include new core distribution files in the
	  distro list.

   2009-04-13 23:03  mmakaay
	* Fix for #840: make database "charset" config parameter database
	  layer independent, by putting the check in the db layer sanity
	  check function instead of directly in the database sanity check
	  script. This makes it possible to ignore the charset configuration
	  parameter for database layers that do not require this parameter.

   2009-04-13 10:50  mmakaay
	* Fixed XSS issues from #841. Thanks to cicatriz for reporting them.

   2009-04-13 10:13  mmakaay
	* Fixed #842: make Spam Hurdles module database table name db layer
	  independent.

   2009-03-22 09:58  ts77
	* added support for custom headers to the mail functions and the
	  smtp-mail module, fixed message-id usage in smtp-mail module

   2009-03-20 11:51  mmakaay
	* Some fixes for doc generation.

   2009-03-15 11:13  ts77
	* fixed APC cache-layer (#782, thanks to hcgtv for the report)

   2009-03-14 05:01  brian
	* Added post form confirmation into message deletion process to
	  protect against CSRF attacks

   2009-03-14 01:44  ts77
	* Made allowed redirection URLs for the login a setting in general
	  settings (defaults to localhost and the phorum-url) and fixing
	  with it an "Arbitrary Redirection Vulnerability" reported by
	  Andrew Paterson

   2009-03-13 16:39  mmakaay
	* Implemented a new hook "css_filter" that can be used for
	  post-processing Phorum's CSS code (e.g. compression of the code).

   2009-03-11 01:14  mmakaay
	* Added a layer of protection against CSRF (Cross Site Request
	  Forgery) attacks. Thanks to WHK for notifying us about the
	  possible issues.

   2009-03-11 00:42  mmakaay
	* Fixed a possible XSS issue in the Spam Hurdles module. Thanks to
	  Andrew Paterson for notifying us about the issue.

   2009-03-10 00:03  mmakaay
	* Implemented a new hook "get_template_file", which can be used to
	  influence the phorum_get_template_file() function. The name of the
	  template to load can be updated (e.g. to change "index_new" to
	  "yourmod::index_new") and the template source file to use can be
	  returned (e.g. to tell Phorum that the "pm" template has to be
	  handled by a custom script named
	  "./mods/yourmod/pm_page_handler.php").

   2009-03-06 17:40  brian
	* Fixing XSS issue in control.php

   2009-02-18 17:08  ts77
	* added after_merge / after_split hooks for acting on thread
	  split/merge actions (fixing #828, thanks to so at
	  deluxe-design.at)

   2009-02-18 16:41  ts77
	* moved pm_message array out of the condition to have the data
	  available to the pm_sent hook in any case (fixing #827, thanks to
	  so at deluxe-design.at)

   2009-02-18 16:16  ts77
	* (re-)added storing the user_id for message attachments, fixing
	  #822


Thomas Seifert



Edited 1 time(s). Last edit at 05/22/2009 10:26AM by Thomas Seifert.
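The two server-side hardening measures the changelog above describes, the MIME-sniffing guard that forces a download for uploads a browser might render as HTML, and the login redirect allow-list, as an added illustration in Python. This is example code written for this page, not Phorum's own PHP implementation; the tag list, the 256-byte sniff window, the header set, the hostname `phorum.example` and the MSIE user-agent check are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# --- 1. Server-side MIME-sniffing guard -------------------------------------
# Tag names a sniffing browser takes as evidence that a file is HTML.  The
# list and the 256-byte window are assumptions of this example, not Phorum's
# own values.  Each name must be followed by whitespace, ">" or "/", which is
# the refinement the changelog describes ("<a" became "<a[ >]") so that a
# stray "<abc" inside an image does not trigger a false positive.
_TAG_NAMES = ("html", "head", "body", "title", "meta", "base", "link", "style",
              "script", "iframe", "frame", "frameset", "object", "embed",
              "a", "img", "div", "p", "table", "br", "font", "b", "form", "input")
_HTML_TAG_RE = re.compile(
    rb"<(?:!--|!doctype\b|/?(?:" + b"|".join(n.encode() for n in _TAG_NAMES)
    + rb")[\s>/])",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes could be rendered as HTML by a sniffing browser."""
    return _HTML_TAG_RE.search(data[:SNIFF_WINDOW]) is not None


_MSIE_RE = re.compile(r"MSIE (\d+)\.")


def _msie_major_version(user_agent: str):
    """Major version of MSIE from a User-Agent string, or None for other browsers."""
    m = _MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def attachment_headers(filename: str, declared_type: str, data: bytes,
                       user_agent: str = "") -> dict:
    """Response headers for an uploaded file under the changelog's policy:
    inline if harmless, otherwise a forced download."""
    # The filename is attacker-controlled: strip CR/LF and quote characters so
    # it cannot inject or terminate a header.
    safe_name = re.sub(r'[\r\n"\\;]', "_", filename) or "download"
    if not looks_like_html(data):
        return {"Content-Type": declared_type,
                "Content-Disposition": 'inline; filename="%s"' % safe_name}
    headers = {
        # Generic type plus attachment disposition: the browser must not render it.
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        # Opt-out of sniffing for IE8+ (and, later, every major browser).
        "X-Content-Type-Options": "nosniff",
    }
    msie = _msie_major_version(user_agent)
    if msie is not None and msie <= 6:
        # Anti-caching headers for MSIE6 and lower, per the changelog note that
        # those versions may re-interpret a cached copy despite download headers.
        headers.update({"Cache-Control": "no-cache, no-store, must-revalidate",
                        "Pragma": "no-cache", "Expires": "0"})
    return headers


# --- 2. Login redirect allow-list -------------------------------------------
# Constructed default for this example; Phorum's own default is localhost plus
# the forum URL configured in the admin area.
ALLOWED_REDIRECT_HOSTS = frozenset({"localhost", "phorum.example"})


def redirect_allowed(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept site-relative paths and absolute http(s) URLs on allowed hosts only."""
    # A single leading "/" is site-relative, but "//host" and "/\host" are read
    # as protocol-relative URLs by browsers, so they must not pass as "relative".
    if re.match(r"^/(?![/\\])", target):
        return True
    parts = urlparse(target)
    # Rejects javascript:, data:, and scheme-less strings.
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    # .hostname is lowercased and drops userinfo, so
    # "http://phorum.example@evil.example/" resolves to evil.example.
    return parts.hostname in allowed_hosts
```

Two caveats when applying this pattern: the sniff check is a heuristic that guards against browsers ignoring the declared type, so `X-Content-Type-Options: nosniff` (or, better, serving user uploads from a separate origin) is the more robust fix where the client supports it; and the `Cache-Control: no-store` / `Pragma: no-cache` combination is known to break file downloads over HTTPS in some old Internet Explorer versions, so test the forced-download path in the browsers you actually have to support.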