Phorum-5.2.15a released - SECURITY FIXES
Posted by Thomas Seifert
March 17, 2010 09:13AM
We are happy to announce our latest stable release Phorum-5.2.15a.
It is a bug fix release over 5.2.14 fixing some issues reported (including patches, thanks folks!) and adds some hooks.
It also has some security fixes for another less important XSS where a user could "attack himself" with adding an invalid email address (thanks to Carlos Ghan for pointing out this issue), see the changelog below for details.
Therefore we urge all Phorum users to upgrade as soon as possible.
If you are upgrading from an earlier version than 5.2.14, keep this information from the 5.2.14 release announcement in mind:
Quote
5.2.14 Announcement
Unfortunately this release also includes 3 template fixes which you might need to port to your custom template if you got them. These are:
[trac.phorum.org] (a fix for the author's profile url in the unapproved messages panel)
[trac.phorum.org] (some fixes for the classic template, only needed if you run a template derived from classic)
[trac.phorum.org] (fixes in the group membership panel so that users can actually join groups again)
You can download this new release from our downloads page.
5.2.15a has the following tiny bugfixes over 5.2.15:
2010-03-26 12:55 ts77
* fixed pm_send_init hook, thanks to Charlie Brown (in #941)
2010-03-18 12:20 mmakaay
* Fix for #938: client.js.php steps on javascript Phorum object. The way
in which existence of the Phorum object was checked was wrong because
of some legacy code in the Ajax js lib. This change should fix the
issue.
This is the excerpt from the changelog:
2010-03-17 12:50 ts77
* added original message to after_edit / before_edit hooks (fixing
#803, thanks to Alexey Torkhov)
2010-03-17 12:23 ts77
* added message_id to the read hook (fixing #934, thanks to Markus
Fischer)
2010-03-16 23:16 mmakaay
* Fixed bug: when changing the password twice in a row from the
control center, the second password change triggered the CSRF
protection error ("Possible hack attempt detected. The posted form
data was rejected.")
2010-03-16 22:51 mmakaay
Various fixes for (minor) security-related issues.
* Fixed the possibility of bypassing the email address validation checks and
confirmation code via email for email address changes through the
control center.
Risk: the user could change his own email address
to some fake address, because the email validation step was
skipped. (thanks to Carlos Ghan for pointing out this issue)
* XSS issue for the email address change panel in the control center
fixed. The previous fix already prevents this, because the user
can no longer inject a false email address with HTML code in it.
The email settings panel prevents that. Still, we added an extra
layer of XSS protection to the control center code.
Risk: the XSS issue was only triggered for the user himself, within his own
control center. The email address in the public user profile was
already XSS-protected. (thanks to Carlos Ghan for pointing out
this issue)
* Fixed the possibility of bypassing the original
password check when changing the password through the control
center.
Risk: this might be used by a malicious user to change the
password for a user that is logged into Phorum on a computer that
the malicious user has direct access to (e.g. a computer in a
library or internet cafe, where the user forgot to logout).
* Fixed an XSS issue in the personal file management panel in the
control center. By uploading a file with a specially crafted
filename, HTML code could be injected in the file management page.
Risk: the XSS issue was only triggered for the user himself,
within his own control center.
2010-02-26 18:48 ts77
* fixed warning on logout in rare cases (fixing #920, thanks to
Markus Fischer, Regexp provided by Brian)
2010-02-26 17:20 ts77
* added setting define for number of search paging links shown (as
requested in #932, thanks to Thomas Subera)
2010-02-22 15:57 ts77
* use the correct variable in controlcenter/summary.php to allow
overriding for module developers. fixing #928, thanks to
Azumandias
2010-02-22 15:52 ts77
* avoid trying to retrieve users with user_id 0 in read.php with
some conditionals, saving on db calls, fixing #929, thanks to
Markus Fischer
2010-02-16 19:22 brian
* Fix for issue where fast running searches could report a database
error
2010-02-16 16:01 ts77
* added force_{okmsg|error} to hook_info in control.php to allow
overriding the messages without fully overriding the panel. Thanks
to Phorum user Phil Connolly for the idea.
2010-02-12 15:36 ts77
* added json2.js json parser for decoding json (could be used for
encoding too) as requested in #923 for added security and
performance (Firefox 3.5 and IE8 should have a native JSON parser
which is API compatible with this script and therefore
automatically used), added phorum_textarea and phorum_subject
manipulation javascript into core (see #914 for the reasoning,
thanks to "mrboson")
2010-02-12 14:16 ts77
* backported phorum_api_url_no_uri_auth to allow easier generation
of URLs without uri-authentication. (patch from Markus Fischer in
#921)
2010-02-12 14:04 ts77
* added left/right bbcode tags and editor tools
2010-02-06 12:38 ts77
* fixing css caching which could lead to mixed up css-caches like
including the css_print instead of the full one. (fixing #913)
2010-02-06 12:32 ts77
* adding new hook "admin_editforum_form_save_after_defaults" as
proposed in #916, thanks to Markus Fischer. ATTENTION: not added
in trunk (aka 5.3) as the whole handling has changed there.
2010-02-06 12:25 ts77
* added new hook "feed_sent" (fixing #917, thanks to Markus Fischer)
2010-02-06 12:17 ts77
* selecting only active users for subscription notifications (fixing
#919, thanks to Markus Fischer for the patch)
2010-01-12 09:34 ts77
* update the forum status on editing if the sort order of the thread
has been changed (fixing #911)
2009-12-27 11:25 ts77
* killing some warnings when calling moderation.php without
arguments (fixing #905, thanks to Markus Fischer)
2009-12-09 14:05 ts77
* added additional "raw_data" flag to phorum_api_user_get for usage
in saving to avoid storing html escaped versions of custom profile
fields. Thanks to Joe Curia for the report.
2009-12-09 08:04 mmakaay
* Fix for correctly blocking posts to closed topics, in case the
reply message was started before the topic was closed. Thanks to
Phorum user cactux for the problem report.
2009-12-04 21:10 mmakaay
* Added a new hook "pm_before_editor" to the PM script, as requested
by Phil Connolly.
2009-11-30 09:13 mmakaay
* Required changes in templates for Spam Hurdles v2.
2009-11-30 01:41 mmakaay
* Some new hooks and a template hook to make protecting the PM
interface with Spam Hurdles (version 2) possible.
Thomas Seifert
Edited 2 time(s). Last edit at 03/26/2010 09:06AM by Thomas Seifert.
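The three control-center fixes in the 2010-03-16 changelog entry above (the skipped email confirmation step, the skipped original-password check, and the unescaped filename in the file management panel) share one pattern: a server-side check that the client could walk around. The following PHP is an added illustration of what those checks look like when they cannot be skipped; it is not Phorum's code, and the function names, the `$user` array fields and the password/email policy are assumptions made for the example only.

```php
<?php
// Added example, not Phorum's code. Shows the three server-side checks the
// 5.2.15a changelog describes for the control center. All names below
// (change_password, request_email_change, confirm_email_change,
// render_file_row, the $user fields) are assumptions for illustration.
declare(strict_types=1);

// 1. Password change: the *current* password must verify before a new one is
//    accepted. Nothing the client sends (a hidden field, a "verified" flag)
//    can substitute for this check, so a browser left logged in cannot be
//    used to change the password without knowing the old one.
function change_password(array &$user, string $current, string $new): bool
{
    if (!password_verify($current, $user['password_hash'])) {
        return false;               // original-password check cannot be bypassed
    }
    if (strlen($new) < 8) {
        return false;               // assumed minimum length policy
    }
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// 2. Email change: validate the address on the server, then store it as
//    *pending* together with a random confirmation code. The live address
//    only changes once that code comes back, so a fake or HTML-laden address
//    never reaches the stored, displayed field.
function request_email_change(array &$user, string $new_email): ?string
{
    $new_email = trim($new_email);
    if (filter_var($new_email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                // rejects e.g. '<script>x</script>@example.com'
    }
    $code = bin2hex(random_bytes(16));
    $user['email_pending']      = $new_email;
    $user['email_confirm_code'] = $code;
    return $code;                   // this is what would be mailed to $new_email
}

function confirm_email_change(array &$user, string $code): bool
{
    if (!isset($user['email_confirm_code'])
        || !hash_equals($user['email_confirm_code'], $code)) {
        return false;               // constant-time compare, no partial leak
    }
    $user['email'] = $user['email_pending'];
    unset($user['email_pending'], $user['email_confirm_code']);
    return true;
}

// 3. File management panel: an uploaded filename is attacker-controlled text
//    and must be escaped at the point it is written into HTML, regardless of
//    what the upload step already checked.
function render_file_row(string $filename): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li>{$safe}</li>";
}

// Constructed demo input, not taken from the page.
$user = [
    'email'         => 'alice@example.org',
    'password_hash' => password_hash('old-secret-1', PASSWORD_DEFAULT),
];

var_dump(change_password($user, 'wrong-guess', 'new-secret-2'));   // bool(false)
var_dump(change_password($user, 'old-secret-1', 'new-secret-2'));  // bool(true)

var_dump(request_email_change($user, '<img src=x onerror=alert(1)>@x')); // NULL
$code = request_email_change($user, 'bob@example.org');
var_dump($user['email']);                        // still "alice@example.org"
var_dump(confirm_email_change($user, 'guess'));  // bool(false)
var_dump(confirm_email_change($user, $code));    // bool(true)
var_dump($user['email']);                        // "bob@example.org"

echo render_file_row('report<script>alert(1)</script>.txt'), "\n";
// <li>report&lt;script&gt;alert(1)&lt;/script&gt;.txt</li>
```

The changelog notes that the email-panel XSS was already closed by the validation fix and that an "extra layer" of escaping was added anyway; `render_file_row` is that extra layer in its simplest form, applied at output time so it holds even if an upstream check is later relaxed.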