
Phorum-5.2.12a released - SECURITY FIX

Posted by Thomas Seifert 
Phorum-5.2.12a released - SECURITY FIX
July 22, 2009 08:31AM
This release has the regular fixes and improvements and also has a security fix for another obscure XSS with CSS expressions in size and color BBCode tags (thanks to Paolo Pinto for reporting these).

Therefore we urge all Phorum users to upgrade as soon as possible.

As usual you can download this version from our downloads page.

Edit: We did a quick bugfix round after the release, prompting 5.2.12a ...
This is the excerpt from the changelog for 5.2.12a:
   2009-07-22 17:54  ts77
	* fixed event logging download issue (fixing #862, thanks to Markus
	  Fischer)

   2009-07-22 17:44  mmakaay
	* Fixed #858: we now use a more forgiving match algorithm for
	  determining the running MySQL server version.

   2009-07-22 17:21  mmakaay
	* Fixed #863: Prevent a PHP NOTICE when running a CLI script.
	  Thanks to Markus for the problem report.

This is the excerpt from the changelog for 5.2.12:
   2009-07-22 11:58  ts77
	* added code to have the admin stylesheet external with a hook to
	  override the url (closing #860, though I don't see it as a final
	  solution yet with its relative image urls).

   2009-07-22 11:49  ts77
	* add E_USER_ERROR to error reporting in admin (fixing #859, thanks
	  to Markus Fischer)

   2009-07-20 11:46  ts77
	* Preliminary fix for XSS in size and color bbcode tags. Thanks to
	  Paolo Pinto from SYSDREAM

   2009-07-04 00:38  mmakaay
	* Work-around when there is no "&" in the php.ini
	  arg_separator.input option. If that happens, then PHP won't
	  correctly fill the $_GET array. E.g. "arg1=val1&arg2=val2" will
	  end up as array('arg1' => 'val1&arg2=val2').

   2009-07-03 11:45  mmakaay
	* A fix for hosting providers that manage to provide a SCRIPT_URI
	  that does not contain the actually requested HTTP_HOST, probably
	  due to some mass virtual hosting rewrite rules.

   2009-07-01 10:35  mmakaay
	* Fixed #853: A bbcode tag like [url=http://www.phorum.org \] (note
	  the space in front of the "]" character) caused the bbcode
	  formatting to trip. Thanks to Serdar for the bug report!

   2009-07-01 09:05  mmakaay
	* The event logging module is now used for logging blocked form
	  posts. Also, a bugfix was done on the iscramble code. In some
	  cases, there were duplicate id's in use for the blocks that hold
	  the scrambled js code, causing the js md5 signing feature to fail.

   2009-06-30 14:49  mmakaay
	* Fixed the forum picker list for the advanced search page in a
	  vroot environment. Before this change, the list of searchable
	  forums was empty.

   2009-06-09 06:22  brian
	* Added hook to allow overriding of the maximum upload file size.

   2009-05-29 17:29  mmakaay
	* Fixed a permission checking issue for the file.php script. Read
	  access for the forum in which the file is stored was not correctly
	  checked. Thanks to Phorum user "FF" for finding the bug.


Thomas Seifert



Edited 2 time(s). Last edit at 07/22/2009 02:04PM by Thomas Seifert.
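The security fix in this release concerns [size] and [color] BBCode parameters that could carry CSS expressions into a style attribute. The following is an added illustration of the defensive approach (allow-list the parameter values rather than escaping them); it is not Phorum's own BBCode module, and the value ranges and colour names are assumptions chosen for the example.

```php
<?php
// Added example, not Phorum's own BBCode code: allow-list validation of the
// [size] and [color] parameters before they reach a style attribute. Escaping
// "<" and quotes alone does not help, because legacy IE evaluates CSS
// expression() values inside style="...", which is the XSS class in the release note.

function bbcode_color_value(string $raw): ?string
{
    $raw = strtolower(trim($raw));
    // Only #rgb / #rrggbb or a short list of CSS colour names; no ";", "(" etc.
    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/', $raw)) {
        return $raw;
    }
    $names = ['black', 'white', 'red', 'green', 'blue', 'yellow', 'orange', 'purple', 'gray'];
    return in_array($raw, $names, true) ? $raw : null;
}

function bbcode_size_value(string $raw): ?string
{
    // Only a bounded integer pixel size (assumed range); the unit is appended by us.
    if (preg_match('/^\d{1,2}$/', trim($raw), $m) && (int) $m[0] >= 8 && (int) $m[0] <= 36) {
        return ((int) $m[0]) . 'px';
    }
    return null;
}

function bbcode_render(string $escaped): string
{
    // $escaped is already HTML-escaped text; a rejected parameter drops the
    // styling but keeps the inner text, so the post still renders.
    $escaped = preg_replace_callback('/\[color=([^\]]*)\](.*?)\[\/color\]/is', function ($m) {
        $c = bbcode_color_value($m[1]);
        return $c === null ? $m[2] : '<span style="color: ' . $c . '">' . $m[2] . '</span>';
    }, $escaped);
    return preg_replace_callback('/\[size=([^\]]*)\](.*?)\[\/size\]/is', function ($m) {
        $s = bbcode_size_value($m[1]);
        return $s === null ? $m[2] : '<span style="font-size: ' . $s . '">' . $m[2] . '</span>';
    }, $escaped);
}

// Constructed inputs: the second and fourth carry a CSS expression and must be rejected.
$samples = [
    '[color=#ff0000]ok[/color]',
    '[color=red;width:expression(1)]rejected[/color]',
    '[size=12]ok[/size]',
    '[size=expression(1)]rejected[/size]',
];
foreach ($samples as $s) {
    echo bbcode_render(htmlspecialchars($s, ENT_QUOTES, 'UTF-8')), "\n";
}
```

The rejected samples print without a span at all, which is the behaviour to verify: the parameter never reaches the style attribute in any form.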
rfc
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 10:38AM
I don't see it mentioned here explicitly, but the c extension has been removed entirely.
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 10:53AM
Yes, you are right. The extension has been removed from the package. From the changelog:

"Removed the PHP Phorum extension. It is hard to maintain this parallel C-code, reverse threading did not yet work at all and changes in the core code have made URL generation a lot friendlier already, by using URL templates instead of separate phorum_get_url() calls for those cases where a lot of URLs had to be generated."

Besides this, there was another incompatibility that caused the extension to fail in some cases. Maybe the extension will return in the future, but for now we decided to remove it.


Maurice Makaay
Phorum Development Team
rfc
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 11:26AM
Is this CHANGELOG available somewhere online? Thanks
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 11:35AM
That remark was actually added to the changelog for trunk (aka 5.3) which is available at
[www.phorum.org]
The one for the stable tree is
[www.phorum.org]

(both contain the whole history, not only for that release)


Thomas Seifert



Edited 1 time(s). Last edit at 07/22/2009 11:35AM by Thomas Seifert.
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 11:36AM
In Trac you have access to all changes. It can be found under the menu item "DEVELOPMENT".

5.2 tree changelog


Maurice Makaay
Phorum Development Team
rfc
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 12:31PM
Quote
Thomas Seifert
   2009-07-04 00:38  mmakaay
	* Work-around when there is no "&" in the php.ini
	  arg_separator.input option. If that happens, then PHP won't
	  correctly fill the $_GET array. E.g. "arg1=val1&arg2=val2" will
	  end up as array('arg1' => 'val1&arg2=val2').


I think this change causes a NOTICE when used from a non-webserver SAPI, e.g. cli, see [trac.phorum.org] .
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 01:23PM
I think that changeset 4424 should fix the issue.


Maurice Makaay
Phorum Development Team
Re: Phorum-5.2.12 released - SECURITY FIX
July 22, 2009 02:05PM
This change was included in the quickly pushed 5.2.12a.


Thomas Seifert
rfc
Re: Phorum-5.2.12a released - SECURITY FIX
July 24, 2009 08:27AM
Just realized that "Prune Messages" doesn't work anymore, gives a Fatal Error, see [trac.phorum.org] .
Re: Phorum-5.2.12a released - SECURITY FIX
July 25, 2009 06:05AM
posting in the bugtracker is enough, we read it there already ;-).


Thomas Seifert
rfc
Re: Phorum-5.2.12a released - SECURITY FIX
July 25, 2009 06:27AM
Ok, sure, sorry about that!