
Phorum-5.2.15a released - SECURITY FIXES

Posted by Thomas Seifert 
March 17, 2010 02:13PM
We are happy to announce our latest stable release Phorum-5.2.15a.
It is a bug fix release over 5.2.14 fixing some issues reported (including patches, thanks folks!) and adds some hooks.
It also has some security fixes for another less important XSS where a user could "attack himself" by adding an invalid email address (thanks to Carlos Ghan for pointing out this issue), see the changelog below for details.

Therefore we urge all Phorum users to upgrade as soon as possible.

If you are upgrading from an earlier version than 5.2.14, keep this information from the 5.2.14 release announcement in mind:

5.2.14 Announcement
Unfortunately this release also includes 3 template fixes which you might need to port to your custom template if you got them. These are:
	* a fix for the author's profile url in the unapproved messages panel
	* some fixes for the classic template, only needed if you run a template derived from classic
	* fixes in the group membership panel so that users can actually join groups again

You can download this new release from our downloads page.

5.2.15a has the following tiny bugfixes over 5.2.15:
   2010-03-26 12:55  ts77
	* fixed pm_send_init hook, thanks to Charlie Brown (in #941)

   2010-03-18 12:20  mmakaay
	* Fix for #938: client.js.php steps on javascript Phorum object The
	  way in which existence of the Phorum object was checked was wrong
	  because of some legacy code in the Ajax js lib. This change should
	  fix the issue.

This is the excerpt from the changelog:

   2010-03-17 12:50  ts77
	* added original message to after_edit / before_edit hooks (fixing
	  #803, thanks to Alexey Torkhov)

   2010-03-17 12:23  ts77
	* added message_id to the read hook (fixing #934, thanks to Markus

   2010-03-16 23:16  mmakaay
	* Fixed bug: when changing the password twice in a row from the
	  control center, the second password change triggered the CSRF
	  protection error ("Possible hack attempt detected. The posted form
	  data was rejected.")

   2010-03-16 22:51  mmakaay
	Various fixes for (minor) security related issues.

	* Fixed the possibility of bypassing the email address validation checks and
	  confirmation code via email for email address changes through the
	  control center.
	  Risk: the user could change his own email address
	  to some fake address, because the email validation step was
	  skipped. (thanks to Carlos Ghan for pointing out this issue)

	* XSS issue for the email address change panel in the control center
	  fixed. The previous fix already prevents this, because the user
	  can no longer inject a false email address with HTML code in it.
	  The email settings panel prevents that. Still, we added an extra
	  layer of XSS protection to the control center code.
	  Risk: the XSS issue was only triggered for the user himself, within his own
	  control center. The email address in the public user profile was
	  already XSS-protected. (thanks to Carlos Ghan for pointing out
	  this issue)

	* Fixed the possibility of bypassing the original
	  password check when changing the password through the control
	  Risk: this might be used by a malicious user to change the
	  password for a user that is logged into Phorum on a computer that
	  the malicious user has direct access to (e.g. a computer in a
	  library or internet cafe, where the user forgot to logout).

	* Fixed an XSS issue in the personal file management panel in the
	  control center. By uploading a file with a specially crafted
	  filename, HTML code could be injected in the file management page.
	  Risk: the XSS issue was only triggered for the user himself,
	  within his own control center.

   2010-02-26 18:48  ts77
	* fixed warning on logout in rare cases (fixing #920, thanks to
	  Markus Fischer, Regexp provided by Brian)

   2010-02-26 17:20  ts77
	* added setting define for number of search paging links shown (as
	  requested in #932, thanks to Thomas Subera)

   2010-02-22 15:57  ts77
	* use the correct variable in controlcenter/summary.php to allow
	  overriding for module developers. fixing #928, thanks to

   2010-02-22 15:52  ts77
	* avoid trying to retrieve users with user_id 0 in read.php with
	  some conditionals, saving on db calls, fixing #929, thanks to
	  Markus Fischer

   2010-02-16 19:22  brian
	* Fix for issue where fast running searches could report a database

   2010-02-16 16:01  ts77
	* added force_{okmsg|error} to hook_info in control.php to allow
	  overriding the messages without fully overriding the panel. Thanks
	  to Phorum user Phil Connolly for the idea.

   2010-02-12 15:36  ts77
	* added json2.js json parser for decoding json (could be used for
	  encoding too) as requested in #923 for added security and
	  performance (Firefox 3.5 and IE8 should have a native JSON parser
	  which is API compatible with this script and therefore
	  automatically used), added phorum_textarea and phorum_subject
	  manipulation javascript into core (see #914 for the reasoning,
	  thanks to "mrboson")

   2010-02-12 14:16  ts77
	* backported phorum_api_url_no_uri_auth to allow easier generation
	  of URLs without uri-authentication. (patch from Markus Fischer in

   2010-02-12 14:04  ts77
	* added left/right bbcode tags and editor tools

   2010-02-06 12:38  ts77
	* fixing css caching which could lead to mixed up css-caches like
	  including the css_print instead of the full one. (fixing #913)

   2010-02-06 12:32  ts77
	* adding new hook "admin_editforum_form_save_after_defaults" as
	  proposed in #916, thanks to Markus Fischer. ATTENTION: not added
	  in trunk (aka 5.3) as the whole handling has changed there.

   2010-02-06 12:25  ts77
	* added new hook "feed_sent" (fixing #917, thanks to Markus Fischer)

   2010-02-06 12:17  ts77
	* selecting only active users for subscription notifications (fixing
	  #919, thanks to Markus Fischer for the patch)

   2010-01-12 09:34  ts77
	* update the forum status on editing if the sort order of the thread
	  has been changed (fixing #911)

   2009-12-27 11:25  ts77
	* killing some warnings when calling moderation.php without
	  arguments (fixing #905, thanks to Markus Fischer)

   2009-12-09 14:05  ts77
	* added additional "raw_data" flag to phorum_api_user_get for usage
	  in saving to avoid storing html escaped versions of custom profile
	  fields. Thanks to Joe Curia for the report.

   2009-12-09 08:04  mmakaay
	* Fix for correctly blocking posts to closed topics, in case the
	  reply message was started before the topic was closed. Thanks to
	  Phorum user cactux for the problem report.

   2009-12-04 21:10  mmakaay
	* Added a new hook "pm_before_editor" to the PM script, as requested
	  by Phil Connolly.

   2009-11-30 09:13  mmakaay
	* Required changes in templates for Spam Hurdles v2.

   2009-11-30 01:41  mmakaay
	* Some new hooks and a template hook to make protecting the PM
	  interface with Spam Hurdles (version 2) possible.

Thomas Seifert
Phorum Development Team /
Custom Phorum and general software development
worry-free Phorum Hosting

Edited 2 time(s). Last edit at 03/26/2010 02:06PM by Thomas Seifert.
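As an added illustration of the defensive pattern behind the three control-center fixes in the 2010-03-16 22:51 entry (email changes validated and parked behind a mailed confirmation code, password changes requiring the current password, uploaded filenames escaped at output time), the sketch below is hypothetical PHP 7+ code and not Phorum's own; the helper functions marked "assumed" and the `$user` array layout are assumptions.

```php
<?php
// Hypothetical control-center handlers (not Phorum code). $user is the
// logged-in user's record; helpers marked "assumed" stand in for storage.

// 1. Email change: validate the format, then never write the new address
//    directly; park it until the confirmation code sent by mail comes back.
function request_email_change(array $user, string $new_email): string
{
    $new_email = trim($new_email);
    if (filter_var($new_email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';   // HTML or other junk in the address never gets stored
    }
    $code = bin2hex(random_bytes(16));
    store_pending_email($user['user_id'], $new_email, $code);   // assumed
    send_confirmation_mail($new_email, $code);                  // assumed
    return 'pending';
}

function confirm_email_change(array $user, string $code): bool
{
    $pending = load_pending_email($user['user_id']);            // assumed
    if ($pending === null || !hash_equals($pending['code'], $code)) {
        return false;
    }
    set_user_email($user['user_id'], $pending['email']);        // assumed
    return true;
}

// 2. Password change: a live session is not proof of identity on a shared
//    machine, so the current password must be re-entered before the change.
function change_password(array $user, string $current, string $new): bool
{
    if (!password_verify($current, $user['password_hash'])) {
        return false;
    }
    set_user_password($user['user_id'],
                      password_hash($new, PASSWORD_DEFAULT));  // assumed
    return true;
}

// 3. File management panel: the filename is user-chosen data and is escaped
//    when rendered, regardless of what upload-time validation accepted.
function render_file_row(array $file): string
{
    $name = htmlspecialchars($file['filename'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $name . '</td></tr>';
}
```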