News
PunBB 1.2.14
I guess the old English idiom "when it rains, it pours" applies today :) Nevertheless, I am pleased to announce the release of PunBB 1.2.14. This release addresses a few security problems, fixes a bug or two, adds a search performance tweak and adds stylesheet fixes to fully support the up-and-coming Internet Explorer 7 release. You can find all files related to the update on the downloads page.
Thanks a lot to Nms (nms@wargan.org). Never before have I received such a detailed vulnerability report :) As usual, thanks to Smartys for some of the reports. Finally, thanks to Yann for reporting the search performance tweak.
As some of you might have noticed, I didn't update the copyright notice to include the year 2006 because that would affect all scripts (the GPL preamble) and make the diffs huge. It'll be in 1.3.
Posted by Rickard on 2006-10-15 17:44 | Comments
PunBB 1.2.13
Yesterday, I posted about the supposed "poison NULL byte vulnerability". I ranted on about how PunBB wasn't vulnerable and how I disliked the way vulnerability databases worked. Guess what? I was wrong! Through the help of a very nice editor at CVE, I was able to get in touch with the researcher behind the report and he clarified the issue for me. I had completely misunderstood what the vulnerability was about. Turns out I was wrong both on the vulnerability and in my generalization of how bad vulnerability databases work. I'm sorry for that.
So, today I have the pleasure of announcing PunBB 1.2.13. A release I've internally dubbed the "I'm a moron" release. PunBB 1.2.13 deals with the NULL byte injection vulnerability and adds support for HttpOnly cookies. The NULL byte injection is only exploitable by administrators, so there's no need to rush. Nevertheless, I recommend that everyone upgrade.
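The following is an added example, not PunBB code and not from the post's author. It shows the "poison NULL byte" pattern that this release and the earlier "supposed vulnerability" post below refer to, beside a hardened form, plus a cookie helper that sets the HttpOnly flag. The page does not say which PunBB script was affected, only that administrators could trigger it, so the template-reading function and the TEMPLATE_DIR layout are constructed stand-ins.

```php
<?php
// Added example (not PunBB code). Illustrates the poison NULL byte class fixed
// in 1.2.13 and the HttpOnly cookie support it added. The file-reading
// function and TEMPLATE_DIR are constructed for the example.

define('TEMPLATE_DIR', __DIR__ . '/templates');   // assumed layout

// Vulnerable pattern: a fixed suffix is appended to caller-supplied input and
// the result is opened. On PHP releases of the 2006 era the path was handed to
// C as a NUL-terminated string, so for $name = "../../config.php\0" the
// interpreter opened TEMPLATE_DIR . "/../../config.php" and the ".tpl" suffix
// was silently dropped. PHP 5.3.4 and later refuse paths that contain "\0"
// (a warning and null on PHP 5.3/7, a ValueError on PHP 8), so on a current
// interpreter this function fails instead of truncating; the input still has
// to be rejected before it reaches the filesystem.
function read_template_vulnerable($name)
{
    return @file_get_contents(TEMPLATE_DIR . '/' . $name . '.tpl');
}

// Hardened form: reject NUL bytes, whitelist the name, and confirm the
// resolved path is still inside TEMPLATE_DIR.
function read_template_safe($name)
{
    // 1. An embedded NUL byte never belongs in a name; refuse it outright.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // 2. Whitelist the allowed characters, which also excludes "/", "\\" and
    //    ".." traversal.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    // 3. Resolve symlinks and check containment after resolution.
    $dir  = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.tpl');
    if ($dir === false || $path === false
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// HttpOnly: the cookie is still sent with every request but is hidden from
// document.cookie, so script injected through an XSS bug cannot read it.
// setcookie() only gained its $httponly argument in PHP 5.2 (released after
// 1.2.13), so emitting the header directly works on any interpreter and shows
// exactly what goes on the wire.
function set_httponly_cookie($name, $value, $expire, $path = '/')
{
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
            . '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT'
            . '; path=' . $path
            . '; HttpOnly';
    header($header, false);   // false: keep any other Set-Cookie headers
    return $header;
}

// Constructed probes.
var_dump(read_template_safe("../../config.php\0"));   // bool(false)
var_dump(read_template_safe('header'));               // template text, or false if absent
```

The NUL check alone is not sufficient: step 2 and step 3 are what stop plain "../" traversal and symlink escapes, which have nothing to do with NUL bytes. Add "; secure" to the header when the forum is served over HTTPS.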
Small note: If you have a look at the patch and the hdiff for this release, you'll notice what appear to be non-existent changes in the unregister_globals() function. Never mind these; it's just an update to get rid of some Windows-style line breaks.
Over and out.
Posted by Rickard on 2006-09-27 00:18 | Comments
The supposed "poison NULL byte vulnerability"
Edit: After you've read this, make sure to read my fantastic follow-up :D
About two weeks ago, a security advisory titled multiple PHP application poison NULL byte vulnerability popped up on BugTraq. The advisory claimed that various PHP applications, specifically phpBB and PunBB, were vulnerable. Now I can't speak for any other application, but I can assure you that PunBB is NOT. The original author of the report probably thought PunBB was a fork of phpBB and assumed PunBB was vulnerable as well. He sure as hell can't have looked at the source code, that's for sure.
Just for fun, I decided to check out the Wikipedia entry on BugTraq. Here's a quote from that article:
Wikipedia wrote:
Bugtraq was created on November 5, 1993 by Scott Chasin in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure.
Elias Levy, aka Aleph One, noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing."
That's great, but fast-forward 13 years and we end up with this: Anyone can write up a vulnerability report on a piece of software and that information will be assumed to be correct. Not only that, the information will spread like wildfire making it impossible to "repair the damage" in case the information turns out to be false. You see, once something appears on BugTraq, a million other security databases include the report on their websites and on their mailing lists.
Now I'm fine with the "guilty until proven innocent" approach when it comes to security, but come on! Isn't there some kind of review process involved in all of this? I think us "vendors" need to have a say in this before a bogus report ends up on every security website in the world. Sure, we can reply to the BugTraq posting and dispute the report, but that has virtually no impact.
Oh well, I guess I'll go e-mail a bunch of vulnerability databases.
Posted by Rickard on 2006-09-25 22:56 | Comments
PunBB 1.2.12
Just a quick note to announce 1.2.12. This release fixes two XSS vulnerabilities and one minor bug. Due to the security updates, I recommend that everyone update. As usual, you'll find the download on the downloads page.
Thanks to the people who alerted me via e-mail about the vulnerabilities. I'm sorry for the somewhat slow response this time.
Edit: I won't be able to announce this via the newsletter today because it turns out my ISP isn't that fond of me sending out mass e-mail. I'll write a script and run it on the server, but it'll have to wait until tomorrow.
Posted by Rickard on 2006-05-20 17:22 | Comments
PunBB 1.2.11
Here's a short message announcing 1.2.11. This release has been made primarily to address an issue with the registration script that allowed a malicious user to perform a denial-of-service attack. PunBB 1.2.11 adds code to the registration script that prevents these flood registrations (an hour has to pass between registrations from the same IP). On top of this, an XSS vulnerability has been addressed.
For those of you not afraid to edit the scripts manually, here are the two changes:
http://dev.punbb.org/changeset/336
http://dev.punbb.org/changeset/335
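As an added example, not PunBB's own registration code, here is one way to implement the rule the post describes: a second registration from the same IP address within an hour is refused. The users table layout, the PDO/SQLite setup, and the function names are assumptions made so the snippet runs stand-alone.

```php
<?php
// Added example (not PunBB code). One-registration-per-IP-per-hour throttle as
// described for 1.2.11. Table layout, PDO/SQLite and names are assumptions.

define('REGISTRATION_INTERVAL', 3600);   // seconds; one hour, as in 1.2.11

// True when no account has been registered from $ip within the interval
// ending at $now. $now is passed in rather than read from time() so the
// behaviour is reproducible.
function registration_allowed(PDO $db, $ip, $now)
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE registration_ip = :ip AND registered > :since'
    );
    $stmt->execute([':ip' => $ip, ':since' => $now - REGISTRATION_INTERVAL]);
    return (int) $stmt->fetchColumn() === 0;
}

// Returns false (and inserts nothing) when the throttle refuses the request.
function register_user(PDO $db, $username, $ip, $now)
{
    if (!registration_allowed($db, $ip, $now)) {
        return false;   // the real script would show an error page here
    }
    $stmt = $db->prepare(
        'INSERT INTO users (username, registration_ip, registered) VALUES (:u, :ip, :t)'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip, ':t' => $now]);
    return true;
}

// Constructed in-memory database standing in for the forum's users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    registration_ip TEXT NOT NULL,
    registered INTEGER NOT NULL
)');

$t = 1160000000;   // arbitrary fixed clock
var_dump(register_user($db, 'alice', '192.0.2.10', $t));          // bool(true)
var_dump(register_user($db, 'alice2', '192.0.2.10', $t + 60));    // bool(false): same IP, a minute later
var_dump(register_user($db, 'bob', '192.0.2.11', $t + 60));       // bool(true): different IP
var_dump(register_user($db, 'alice3', '192.0.2.10', $t + 3601));  // bool(true): the hour has passed
```

Two caveats for anyone porting this: the check is only as good as the address it sees, so behind a reverse proxy the recorded IP must come from a trusted forwarding header rather than REMOTE_ADDR, and users sharing one NAT address will be locked out of each other's registration window for the full hour.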
Thanks to the people who alerted me via e-mail about the circulation of an "exploit" for the DoS attack.
Posted by Rickard on 2006-02-28 20:03 | Comments