
Thread: Heads Up: PunBB - 3/17/05

  1. #1
    Senior Member Buddha's Avatar
    Join Date
    Mar 2004
    Location
    Florida USA
    Posts
    825

    Heads Up: PunBB - 3/17/05

    Looks like PunBB has a hole and no patch yet.

    http://www.securityfocus.com/bid/12828/info/
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha

  2. #2
    Member bhills's Avatar
    Join Date
    Mar 2004
    Location
    Rocky Mountains
    Posts
    75


    I have punbb on another server, and it's experimental and unlikely it can be located by an attacker. But if it was a known forum and had already been spidered by the search engines, what would be the best course of action in these circumstances, before a patch comes out? To disable the board?

  3. #3
    Senior Member Buddha's Avatar
    Join Date
    Mar 2004
    Location
    Florida USA
    Posts
    825


    Quote Originally Posted by bhills
    But if it was a known forum and had already been spidered by the search engines, what would be the best course of action in these circumstances, before a patch comes out? To disable the board?
    Well first you need to make an initial assessment of the risk this vulnerability poses to your site and to the server. Yes, you must decide if shutting down the script is warranted. Your initial assessment is the hardest because you have so little information to base it on.

    You've already made an initial assessment for your current test forum. You're not finished though. You need to constantly reconsider your initial assessment till the vulnerability is fixed.

    You do have resources to help you make good decisions: Dathorn, ask Andrew. This forum, you did that. The script's website and forum, check it often and ask questions. The Internet, search for as much information as you can find and keep updated. It's important to keep updated and reconsider your assessment as you acquire new information. Things can change quickly and information is key to staying on top of the situation.

    Share information with those that need it. Co-workers, moderators, clients, supervisors etc. Those that work on the site/server need to know there's a problem otherwise they can't help.

    Shutting down the forum may not be the only option. You might be able to disable only the part that's vulnerable till it's fixed, such as the recent Avatar problem in phpBB. However, shutting it down can give you time to figure out what your options are. Time to think can be as valuable as information when it comes to security.

    Usually in an emergency you don't have time to think and that is where planning comes in to play. Have a plan in place. Test the plan. Update the plan as needed. No plan is perfect but having no plan can be a disaster.

    The best course of action is to have a plan.

    I hope that helps.

  4. #4
    Senior Member Jonathan's Avatar
    Join Date
    Mar 2004
    Location
    Daytona Beach, FL / Rochester, NY / Coeur d'Alene, ID
    Posts
    1,229


    Just remember- "No plan survives first contact with the enemy".
    "How can someone be so distracted yet so focused?"
    - C

  5. #5
    Senior Member Buddha's Avatar
    Join Date
    Mar 2004
    Location
    Florida USA
    Posts
    825


    Quote Originally Posted by Jonathan
    Just remember- "No plan survives first contact with the enemy".
    True, that's where "update the plan as needed" comes in.
    Last edited by Buddha; 03-18-2005 at 06:45 PM.

  6. #6
    Member bhills's Avatar
    Join Date
    Mar 2004
    Location
    Rocky Mountains
    Posts
    75


    Thanks for the detailed analysis. Punbb does have an update patch now, which I applied. The info you provided gives me something to use in the future.

  7. #7
    Senior Member Buddha's Avatar
    Join Date
    Mar 2004
    Location
    Florida USA
    Posts
    825


    Yep, punBB released version 1.2.4 to patch this problem. The latest version can be found on their download page:

    http://punbb.org/downloads.php

    More than one thing fixed.

    * Fixed BBCode pre-parsing inadvertently stripping out whitespace in quotes.
    * Fixed XSS vulnerability in profile.php.
    * Fixed moving a topic when there is no forum to move to resulting in an undefined index error.
    * Fixed XHTML validation error on help page.
    * Fixed gethostbyaddr() outputting an error when the supplied IP address is invalid.
    * Fixed pun_trim() stripping out 0xCA which is a valid character in certain locales.
    * Added direct execution prevention to common_db.php.
    * Went back to mammoth e-mail validation regex.
    * Fixed move to forum drop-down containing forums that moderators should not be able to see.
    * Fixed group title dupe check not working.
    * Fixed phpinfo() in admin_index.php being available to moderators even though the link wasn't displayed.
    * Fixed possible password reset annoyance.
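Buddha's post #3 suggests disabling only the vulnerable part of a board until a patch ships, and the 1.2.4 changelog above names profile.php as the file with the XSS fix. The following is an added example, not code from the thread or from PunBB, of doing exactly that at the web server: it appends a per-file deny rule to the board's .htaccess, checks it, and removes it again once the patched version is installed. It assumes Apache 2.2-style access directives and AllowOverride enabled for the PunBB directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or PunBB): temporarily deny web access to
# one PunBB script (profile.php, the file named in the 1.2.4 changelog) while
# the rest of the board stays up. Assumes Apache 2.2-style "Order/Deny"
# directives and AllowOverride for the board directory (assumption).

# Print the .htaccess block that denies all requests for one script.
deny_rule() {
    printf '<Files "%s">\n    Order allow,deny\n    Deny from all\n</Files>\n' "$1"
}

# Append the rule unless a <Files "..."> block for this script already exists.
# Returns 0 if .htaccess was modified, 1 if the block was already present.
block_script() {
    dir="$1"; script="$2"; ht="$dir/.htaccess"
    if [ -f "$ht" ] && grep -q "<Files \"$script\">" "$ht"; then
        return 1
    fi
    deny_rule "$script" >> "$ht"
    return 0
}

# Succeeds only if a deny block for the script is currently in .htaccess.
is_blocked() {
    [ -f "$1/.htaccess" ] && grep -q "<Files \"$2\">" "$1/.htaccess"
}

# Lift the block after the patched release is installed: drop the four-line
# <Files> block for this script and keep every other line untouched.
unblock_script() {
    dir="$1"; script="$2"; ht="$dir/.htaccess"
    [ -f "$ht" ] || return 1
    awk -v s="<Files \"$script\">" '
        $0 == s { skip = 4 }
        skip > 0 { skip--; next }
        { print }' "$ht" > "$ht.tmp" && mv "$ht.tmp" "$ht"
}
```

Blocking profile.php also stops legitimate profile edits, so this is a stop-gap to buy the "time to think" post #3 describes, not a replacement for applying 1.2.4.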
