
News

PunBB 1.2.20

PunBB 1.2.20 and 1.3RC hotfix released today.

The XSS via the "p" GET parameter is fixed. Reported by Henry Sudhof.

The proof of concept: userlist.php?p=2<script>alert('meh');</script>

As usual, PunBB 1.3RC administrators will see an alert (as soon as they log in to the forum) and will be able to install the hotfix with several clicks.

This bug cannot be exploited directly in PunBB 1.2, but it can reappear in mods that reuse the page number PunBB reads from the "p" parameter: check that your mods cast or escape the page number before printing it.
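The pattern behind this bug, as an added example that is not PunBB's own code: a pagination snippet of the kind a 1.2 mod might contain, shown in a vulnerable form beside a hardened one. The function names and the link markup are assumptions.

```php
<?php
// Added example (not PunBB's code): how an unchecked "p" value turns into XSS
// in a mod's page links, and how casting it to an integer removes the problem.

// VULNERABLE: the raw query-string value is concatenated into HTML, so
// userlist.php?p=2<script>alert('meh');</script> reaches the browser verbatim.
function paginate_vulnerable(array $get, $num_pages)
{
    $p = isset($get['p']) ? $get['p'] : 1;
    return '<p class="pagelink">Page ' . $p . ' of ' . $num_pages . '</p>';
}

// HARDENED: coerce the page number to an integer and clamp it to the valid
// range before use; intval("2<script>...") yields 2, so no markup survives.
// Output is still escaped as a second line of defence for the other values.
function paginate_fixed(array $get, $num_pages)
{
    $p = isset($get['p']) ? intval($get['p']) : 1;
    $p = min($p, (int) $num_pages);   // never beyond the last page
    $p = max($p, 1);                  // never below the first page
    return '<p class="pagelink">Page '
         . htmlspecialchars((string) $p, ENT_QUOTES, 'UTF-8')
         . ' of '
         . htmlspecialchars((string) (int) $num_pages, ENT_QUOTES, 'UTF-8')
         . '</p>';
}

// Constructed request that mirrors the advisory's proof of concept.
$request = array('p' => "2<script>alert('meh');</script>");
echo paginate_vulnerable($request, 5), "\n"; // script tag is emitted unchanged
echo paginate_fixed($request, 5), "\n";      // <p class="pagelink">Page 2 of 5</p>
```

The same `intval()` cast belongs wherever a mod takes the page number from `$_GET` itself instead of reusing the integer PunBB already computed.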

Visit Downloads page for the PunBB 1.2.20 packages and patches. Or get the latest revision from SVN trunk.

Posted on 2008-08-20

PunBB 1.2.19

PunBB 1.2.19 released. This release fixes just one bug introduced in 1.2.18.

We assume most users are upgrading from PunBB version 1.2.17 or lower, so here is the 1.2.17 to 1.2.19 changelist:

  • Fixed an SMTP command injection vulnerability, discovered by Stefan Esser.
  • Fixed an XSS issue in include/parser.php, discovered by Dan Crowley.
  • Fixed issue with database returning the same user on multiple pages of the userlist, noticed by hcgtv.
  • Fixed several potential XSS vectors in moderate.php.
  • Fixed the avatars of deleted users not being removed.
  • Copyrights and punbb.informer.com links updated.
  • Docs removed.

It is strongly recommended to update your PunBB 1.2.* installations as soon as possible.

Patches and changes files for 1.2.17 to 1.2.19 (as well as 1.2.18 to 1.2.19) migration are available at Downloads page.

You are welcome to get the latest revision from SVN trunk.

Posted on 2008-07-11

PunBB 1.3 RC official extensions

The PunBB development team is glad to announce the PunBB 1.3 official extensions. This is the first step towards making PunBB the most feature-rich forum, and the best in every other respect, while keeping it fast and lightweight. The extension system is what makes this possible.

A PunBB forum can automatically check for extension updates periodically (optional). Special notifications are displayed in the administrator's extensions list. In two weeks we are going to release a one-click extension installation feature (directly from the PunBB repository, without manual extension downloading) via the forum administrator dashboard.

Here are short descriptions of the released extensions:

  • pun_hook_navigator — Provides live information about hooks and actually evaluated extension codes (for extension developers).
  • pun_attachment — Enables you to attach files to the posts.
  • pun_bbcode — Pretty buttons for easy BBCode formatting.
  • pun_e_mail_auth — Users can authorize themselves by e-mail.
  • pun_quote — Select the text you want to quote right in viewtopic (via JS).
  • pun_admin_add_user — Admin can add new user via the form at the bottom of User list.
  • pun_extension_reinstaller — Do both uninstall and install extensions with one click (useful for extension developers).
  • pun_karma — Enables users to rate posts: "+" or "-".
  • pun_log — Logs PunBB events.
  • pun_poll — Adds polls feature for topics (alpha stage yet).
  • pun_topic_online_users — Displays who is reading the topic or replying to it right now.

You are welcome to visit the repository to explore the collection of official PunBB extensions and download the ones you need.

Please report bugs in 1.3 extensions talk.

More extensions will be published soon. Feel free to post extension requests in 1.3 extensions forum.

Posted on 2008-06-19

PunBB 1.3 RC

PunBB 1.3 Release Candidate is ready to be tested by you.

Major changes since 1.3 beta:

  • All variable and constant names changed to maximize extension portability
  • Changed $db to $forum_db in order to make forum integration easier
  • Removed the use of unbuffered queries. The performance gains are minimal and they can cause problems that are difficult to track down
  • Removed Fulltext search
  • Removed turn_off_maintenance_mode.php in favour of a line in include/essentials.php
  • Removed LOW_PRIORITY option from queries as it does not give any advantage
  • Moved output buffering to individual files
  • Added FORUM_DISABLE_CSRF_CONFIRM, a constant which disables the CSRF token validation when defined
  • Added new bbcode preparser to check for errors before posts are saved to the db
  • Added a "priority" attribute to the hook tag in extensions. Extensions can now specify their priority for each hook, meaning that they can suggest whether their code should go first, last, or somewhere in between
  • Improved/added more database helper functions
  • Added helper functions to deal with UTF-8 strings
  • Added code to silently strip out certain "bad" characters
  • Added notifications for new versions of installed extensions (via repositories)

Please report bugs in 1.3 core talk.

Posted on 2008-06-17