Heads Up: PunBB - 3/17/05

  • Buddha
    Senior Member
    • Mar 2004
    • 825

    Heads Up: PunBB - 3/17/05

    Looks like PunBB has a hole and no patch yet.

    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha
  • bhills
    Member
    • Mar 2004
    • 75

    #2
    I have punbb on another server, and it's experimental and unlikely it can be located by an attacker. But if it was a known forum and had already been spidered by the search engines, what would be the best course of action in these circumstances, before a patch comes out? To disable the board?


    • Buddha
      Senior Member
      • Mar 2004
      • 825

      #3
      Originally posted by bhills
      But if it was a known forum and had already been spidered by the search engines, what would be the best course of action in these circumstances, before a patch comes out? To disable the board?
      Well first you need to make an initial assessment of the risk this vulnerability poses to your site and to the server. Yes, you must decide if shutting down the script is warranted. Your initial assessment is the hardest because you have so little information to base it on.

      You've already made an initial assessment for your current test forum. You're not finished though. You need to constantly reconsider your initial assessment till the vulnerability is fixed.

      You do have resources to help you make good decisions: Dathorn, ask Andrew. This forum, you did that. The script's website and forum, check it often and ask questions. The Internet, search for as much information as you can find and keep updated. It's important to keep updated and reconsider your assessment as you acquire new information. Things can change quickly and information is key to staying on top of the situation.

      Share information with those that need it. Co-workers, moderators, clients, supervisors etc. Those that work on the site/server need to know there's a problem otherwise they can't help.

      Shutting down the forum may not be the only option. You might be able to disable only the part that's vulnerable till it's fixed, such as the recent Avatar problem in phpBB. However, shutting it down can give you time to figure out what your options are. Time to think can be as valuable as information when it comes to security.

      Usually in an emergency you don't have time to think and that is where planning comes in to play. Have a plan in place. Test the plan. Update the plan as needed. No plan is perfect but having no plan can be a disaster.

      The best course of action is to have a plan.

      I hope that helps.

      • Jonathan
        Senior Member
        • Mar 2004
        • 1229

        #4
        Just remember- "No plan survives first contact with the enemy".
        "How can someone be so distracted yet so focused?"
        - C


        • Buddha
          Senior Member
          • Mar 2004
          • 825

          #5
          Originally posted by Jonathan
          Just remember- "No plan survives first contact with the enemy".
          True, that's where "update the plan as needed" comes in.
          Last edited by Buddha; 03-18-2005, 06:45 PM.

          • bhills
            Member
            • Mar 2004
            • 75

            #6
            Thanks for the detailed analysis. Punbb does have an update patch now, which I applied. The info you provided gives me something to use in the future.


            • Buddha
              Senior Member
              • Mar 2004
              • 825

              #7
              Yep, PunBB released version 1.2.4 to patch this problem. The latest version can be found on their download page:

              More than one thing fixed.

              * Fixed BBCode pre-parsing inadvertently stripping out whitespace in quotes.
              * Fixed XSS vulnerability in profile.php.
              * Fixed moving a topic when there is no forum to move to resulting in an undefined index error.
              * Fixed XHTML validation error on help page.
              * Fixed gethostbyaddr() outputting an error when the supplied IP address is invalid.
              * Fixed pun_trim() stripping out 0xCA which is a valid character in certain locales.
              * Added direct execution prevention to common_db.php.
              * Went back to mammoth e-mail validation regex.
              * Fixed move to forum drop-down containing forums that moderators should not be able to see.
              * Fixed group title dupe check not working.
              * Fixed phpinfo() in admin_index.php being available to moderators even though the link wasn't displayed.
              * Fixed possible password reset annoyance.