FUDforum 2.6.12 was released on 23 March 2005. This release is no longer supported. Please upgrade to FUDforum 3.0.0 ASAP.
Here goes the first release candidate of the 2.6.12 release, this release includes a fair number of changes and improvements so much testing is needed to ensure everything is working correctly.
Small stabilization release to finalize some of the changes in the code.
Another small bug fix RC that hopefully brings us yet another step closer to the stable release.
FUDforum 2.6.12 has been released, for the most part it is the same as RC3 with a few minor fixes. Additionally this release addresses a minor security issue, details of which can be found below.
Credit for the discovery goes to Rasmus Lerdorf.
In pre-2.6.12RC1 versions of the forum the error_dialog() that is being used to log error messages stored the HTTP_HOST ($_SERVER['HTTP_HOST']) without encoding special characters and then displaying this information in the admin error log viewer control panel. (The data is being stored inside a text file, so there is no danger of SQL injection).
Technically it shouldn't be an issue since the webserver supposed to ensure that the host only contains valid characters. Alas, like many assumptions this one was wrong. On Apache 1/2 the host is not being at all validated and can contain things like HTML data and still complete a request to the primary virtual host on that IP/Server.
This means that if you are using Apache and your forum is running on a dedicated IP address or is setup as a primary virtual host for an IP then it is possible to inject HTML into the admin error log viewer control panel by putting HTML into the HOST header of the HTTP request. However, even in Apache not all characters are allowed within the header and chars such as / and many others are disallowed. Which means the type of HTML that could be injected is fairly limited.
If you don't want to upgrade the forum, then the patch to just fix the security issue is available at: http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=3353
I would like to thank Rasmus for discovering this problem and promptly notifying me of it, as well as not publicizing the issue until a fix was made available.
|FUDforum versions (* = latest stable version; + = release candidate; ? = development version)|