FUDforum 2.6.12

FUDforum 2.6.12 was released on 23 March 2005. This release is no longer supported. Please upgrade to FUDforum 3.0.0 ASAP.

RC1

Here goes the first release candidate of the 2.6.12 release, this release includes a fair number of changes and improvements so much testing is needed to ensure everything is working correctly.

Changes:

• Show select for limiting scope of mass e-mail in all instances.
• Big updates of the Italian translations.
• Fixed URLs in all translations.
• Always specify order for RDF output.
• Log all login failures, not just that of the admin.
• Log all password changes regardless of whether initiated by the user or the admin.
• Show topic locking link on topic listing for moderators & administrators.
• Added support for mass topic move/deletion.
• Fixed warning message on category removal.
• Fixed several notices in object access code.
• Do not enable referral tracking by default.
• Removed final bit of hard-coded HTML for quote handling.
• Removed obsolete and nonworking ICQ notifications.
• Removed the mostly pointless theme optimizer.
• Don't encode forum name twice on moderator list in profile view.
• Removed obsolete template files/section and well as no longer used translation bits.
• Better message focus code that does not alter browser's history.
• Cleanup date format on user information page.
• Fixed typo in RDF output in poll option names.
• Performance tuning in text mangling operations.
• Do not show PDF link for entire forum output unless functionality is enabled.
• Addition of support for encoded non-ascii chars inside login/alias names

RC2

Small stabilization release to finalize some of the changes in the code.

Changes:

• Move additional bits of layout logic into templates.
• Added various checks to prevent notice messages introduced by previous release (RC1).
• Include charset specification for admin control panels.
• Fixed logic of the reverse_nl2br() function.
• Better redirection when deleting a message in a multi-page topic.
• Optimize old session removal process.
• Removed some no longer used code and templates

RC3

Another small bug fix RC that hopefully brings us yet another step closer to the stable release.

Changes:

• Improved Invision Board conversion script, it now supports 1.3.X versions.
• Updated Russian translations.
• Added admin controls on search results.
• Improved search result format.
• Fixed possible query failure when marking messages as read.
• Pager fixes for PATH_INFO theme.
• Added the ability to generate a PDF archive of private messages.
• Added a script that simplifies the process of logging in a user into their FUDforum account from other applications.
• Multibyte handling for e-mails.
• Fixed hard-coded table prefix in moderation control panel.
• Fixed MySQL charset conversion in upgrade script.
• Removed small bits of hard-coded text, it is now found in the i18n files.
• Added missing subject encoding for SMTP mass e-mail code.
• Fixed parse error in the group manager introduced by RC2.
• Slight speed improvements and garbage collection.

Final

FUDforum 2.6.12 has been released, for the most part it is the same as RC3 with a few minor fixes. Additionally this release addresses a minor security issue, details of which can be found below.

Changes:

• Updated Russian translation.
• Some minor code cleanup.
• Fixed login redirection.
• Fixed splitting of a topic into a new forum.

Security Disclosure

Credit for the discovery goes to Rasmus Lerdorf.

In pre-2.6.12RC1 versions of the forum the error_dialog() that is being used to log error messages stored the HTTP_HOST ($_SERVER['HTTP_HOST']) without encoding special characters and then displaying this information in the admin error log viewer control panel. (The data is being stored inside a text file, so there is no danger of SQL injection).

Technically it shouldn't be an issue since the webserver supposed to ensure that the host only contains valid characters. Alas, like many assumptions this one was wrong. On Apache 1/2 the host is not being at all validated and can contain things like HTML data and still complete a request to the primary virtual host on that IP/Server.

This means that if you are using Apache and your forum is running on a dedicated IP address or is setup as a primary virtual host for an IP then it is possible to inject HTML into the admin error log viewer control panel by putting HTML into the HOST header of the HTTP request. However, even in Apache not all characters are allowed within the header and chars such as / and many others are disallowed. Which means the type of HTML that could be injected is fairly limited.

If you don't want to upgrade the forum, then the patch to just fix the security issue is available at: http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=3353

I would like to thank Rasmus for discovering this problem and promptly notifying me of it, as well as not publicizing the issue until a fix was made available.

External links

• Release announcement on support forum