UseBB 1.0.12 released

Submitted by Anonymous on Thu, 04/14/2011 - 16:36. Written by Dietrich.

The UseBB Project releases UseBB 1.0.12, a general improvement and maintenance release for the UseBB 1 light PHP 4 and MySQL forum package.

Changes since 1.0.11

- Fixed two security issues
- Enhanced security all over the system
- New topic/post reply links can now be shown to guests
- Added members/staff/guests filter on online user list
- New max topic age setting for active topics
- Removed usage of deprecated PHP functionality

Many more changes and bug fixes were made. See the Changelog for a complete list.

Vulnerability "HTB22914: Local File Inclusion in UseBB"

Recently, High-Tech Bridge SA discovered a possible issue in UseBB 1.0.11 and earlier. The issue is that admin.php may possibly include PHP files not used for the UseBB admin control panel (ACP).

The faulty code in question is only executed for logged-in administrator accounts, and can only include non-relevant PHP files if a directory "sources/admin_" exists, which is not the case in UseBB 1. Therefore, the issue does not pose a direct threat to an existing UseBB set-up, but it is classified as a security issue anyway and has been fixed in UseBB 1.0.12.
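The general defence for this class of issue is to never let a request parameter choose an include path on its own. The following is an added illustration written for this announcement, not UseBB's own admin.php: it loads an ACP module only when the requested name passes a strict syntax check, appears in a fixed allowlist, and resolves to a file inside the module directory. The directory name sources/admin_modules, the module names and the act parameter are assumptions for the example.

```php
<?php
// Added illustration (not UseBB code): loading an admin-panel module only from a
// fixed allowlist, so a request parameter can never select an arbitrary PHP file.

// Hypothetical directory and module names, assumed for this example.
define('ADMIN_MODULE_DIR', __DIR__ . '/sources/admin_modules');
$allowed_modules = array('index', 'config', 'members', 'forums');

function admin_module_path($requested, array $allowed, $base_dir) {
    // 1. Syntactic check: only lowercase letters, digits and underscores, short length.
    if (!is_string($requested) || !preg_match('/^[a-z0-9_]{1,32}$/', $requested)) {
        return false;
    }
    // 2. Semantic check: the name must be one the application explicitly ships.
    if (!in_array($requested, $allowed, true)) {
        return false;
    }
    // 3. Resolve the path and verify it still lies inside the module directory.
    $path = realpath($base_dir . '/' . $requested . '.php');
    $real_base = realpath($base_dir);
    if ($path === false || $real_base === false
        || strpos($path, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Usage: the admin panel only includes the resolved file when every check passes.
$act = isset($_GET['act']) ? $_GET['act'] : 'index';
$module = admin_module_path($act, $allowed_modules, ADMIN_MODULE_DIR);
if ($module === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown admin module.');
}
require $module;
```

The allowlist is the check that matters; the regular expression and the realpath comparison are defence in depth so that a future mistake in the list (or a symlink inside the directory) still cannot widen what admin.php will include.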

Vulnerability "HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB"

High-Tech Bridge SA also discovered possibilities of executing CSRF attacks in UseBB 1.0.11 and earlier. This way, when a user is given a malicious URL or visits a web page containing such a URL or JavaScript, requests may be executed that add, edit or delete data on the forum, including topics, posts, account information and settings in the ACP (if the user is logged in to the ACP).

As a solution, UseBB 1.0.12 has implemented URL and form tokens for sensitive actions. Accessing or executing the URLs or scripts described above no longer has any effect on the data.

(If you have developed mods, please read UseBB 1 CSRF on the wiki for how to apply this to your own code.)
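For mod authors wondering what "URL and form tokens" amount to in practice, here is an added example of the pattern, written for this announcement rather than taken from the UseBB 1.0.12 sources or its wiki page. It keeps one random token per session, embeds it in every form and action link, and refuses any state-changing request whose token does not match. It targets PHP 7 or later (random_bytes, hash_equals), so it is not the PHP 4-compatible code UseBB itself ships; the parameter name token and the example URLs are assumptions.

```php
<?php
// Added illustration (not UseBB's own implementation): per-session tokens that must
// accompany every state-changing form submission or action URL.

session_start();

// Create the token once per session: 32 random bytes from the CSPRNG, hex-encoded.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input for HTML forms (posting, editing, account and ACP settings).
function csrf_form_field() {
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Token appended to links that trigger an action via GET (e.g. delete or logout links).
function csrf_url($url) {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'token=' . rawurlencode(csrf_token());
}

// Compare the submitted token in constant time; a missing token is a failure too.
function csrf_check($submitted) {
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Handling a sensitive request: reject it before touching any data.
$is_action = ($_SERVER['REQUEST_METHOD'] === 'POST') || isset($_GET['action']);
if ($is_action) {
    $submitted = isset($_POST['token']) ? $_POST['token']
               : (isset($_GET['token']) ? $_GET['token'] : '');
    if (!csrf_check($submitted)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid form or URL token.');
    }
    // The add/edit/delete would be performed here, only after the token check.
}

// Rendering side: every form and every action link carries the token.
echo '<form method="post" action="post.php">' . csrf_form_field()
   . '<!-- remaining form fields --></form>';
echo '<a href="' . htmlspecialchars(csrf_url('topic.php?action=delete&id=42'), ENT_QUOTES, 'UTF-8')
   . '">Delete</a>';
```

A forged request from another site cannot carry the token because the attacker's page never sees the victim's session contents, so the check fails and the action is not performed; only tokens emitted by the forum's own pages pass.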

More security enhancements

Passwords can now be composed of more characters, including symbols, and the system will also generate these stronger passwords itself. A combination of at least letters and numbers is now required for new passwords.
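As an added illustration of the two password changes above (not UseBB's own code), the snippet below enforces the "letters and numbers" rule on a submitted password and generates a random password from letters, digits and symbols using the PHP 7 CSPRNG. The minimum length of 8 and the character set are assumptions; UseBB's actual values are not stated in this announcement.

```php
<?php
// Added illustration (not UseBB code): enforcing the "letters and numbers" rule on
// new passwords, and generating a stronger random password that includes symbols.

define('MIN_PASSWORD_LENGTH', 8); // assumed minimum; UseBB's own value is not given here

// True when the password meets the minimum length and contains at least
// one letter and at least one digit. Symbols are allowed but not required.
function password_meets_policy($password) {
    if (!is_string($password) || strlen($password) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    return preg_match('/[A-Za-z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

// Generates a random password from letters, digits and symbols with random_int(),
// retrying until the result itself satisfies the policy above.
function generate_strong_password($length = 12) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
              . '!#$%&()*+,-./:;<=>?@[]^_{|}~';
    $max = strlen($alphabet) - 1;
    do {
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            $password .= $alphabet[random_int(0, $max)];
        }
    } while (!password_meets_policy($password));
    return $password;
}

// Handling a registration or password-change form: refuse weak candidates.
$candidate = isset($_POST['password']) ? $_POST['password'] : '';
$error = null;
if (!password_meets_policy($candidate)) {
    $error = 'Passwords must be at least ' . MIN_PASSWORD_LENGTH
           . ' characters long and contain both letters and numbers.';
}

// The system generating a password itself (for example for a password reset mail).
$generated = generate_strong_password();
```

The retry loop in generate_strong_password() is there so that a generated password can never fail the same policy that user-chosen passwords must satisfy; with a 12-character output from this alphabet the loop almost always exits on the first pass.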

Non-fatal PHP notices are now hidden in production environments, but can still be logged if desired.

It is no longer possible to use "debug mode" at level 2 in production environments. In other words, database errors always have the usernames filtered, and the list of SQL queries is never shown.

The Admin Control Panel has gained manual and automatic logout features, and sessions are now destroyed immediately (regardless of cleanup) when the "max session lifetime" inactivity time is reached.
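The point of "immediately (regardless of cleanup)" is that an idle ACP session is invalidated on the very next request, rather than lingering until PHP's garbage collector happens to run. The following added example, not UseBB's own session code, shows that check together with a manual logout: the inactivity limit of 900 seconds, the session key names and the logout form field are assumptions.

```php
<?php
// Added illustration (not UseBB code): destroying an ACP session as soon as the
// inactivity limit is exceeded, instead of waiting for periodic session cleanup.

define('ACP_MAX_SESSION_LIFETIME', 900); // assumed: 15 minutes of inactivity

session_start();

// Manual logout: wipe session data, expire the cookie and destroy server-side state.
function acp_logout() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns true when the session is still valid; when the inactivity limit has been
// exceeded the session is destroyed on the spot and false is returned.
function acp_session_check($now, $max_lifetime) {
    if (isset($_SESSION['acp_last_activity'])
        && ($now - $_SESSION['acp_last_activity']) > $max_lifetime) {
        acp_logout();
        return false;
    }
    // Refresh the activity timestamp on every request that reaches the ACP.
    $_SESSION['acp_last_activity'] = $now;
    return true;
}

// Manual logout via a POST form (a GET link would need a URL token as well).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    acp_logout();
    header('Location: admin.php');
    exit;
}

// Automatic logout: run before any ACP page logic.
if (!acp_session_check(time(), ACP_MAX_SESSION_LIFETIME)) {
    header('Location: admin.php?reason=expired');
    exit;
}
```

Destroying the session server-side matters more than clearing the cookie: once session_destroy() has run, a copied session id is useless even if the browser still presents it.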

Removal of deprecated PHP functionality

PHP 5.3 has deprecated a number of PHP features. This includes the magic_quotes_runtime behaviour, which UseBB 1 has used since the beginning. As of UseBB 1.0.12, magic quotes are no longer used, and more old code for PHP < 4.3 has been removed.

In order to run 1.0.12 it is now necessary to have PHP 4.3 or later, or PHP 5. (Please note that PHP 4 is officially out of support by the PHP Group, and UseBB 2 will completely abandon PHP 4 support.)

Upgrading

UseBB 1.0.12 can be considered a mature and stable version of UseBB 1, suitable for all websites. However, numerous forums are still using an older 1.0.x version, or even a beta 0.x one. Taking into account all the issues and bugs fixed over time, we encourage all of these websites to upgrade to 1.0.12 as soon as possible.

Any version equal to or lower than 1.0.11 is now out of official support. See here for downloads. Information about upgrading is available in the docs/index.html document.

UseBB Project
http://www.usebb.net

Updated mine, all is well, so far.

Have 2 simple questions for you:

1. What does the line below mean exactly?

$conf['show_posting_links_to_guests'] = 1;

2. Is it configurable in ACP or just config.php file?

Thanks

This shows the post reply and new topic links to guests. Previously, they were hidden if guests could not post, now they can be shown and will redirect to the login form.

It can be set in the ACP in General Configuration > Layout settings > "Show new topic and post reply links to guests."

Translation changes

* lang

Added

- NotActivatedByAdmin
- PasswdInfoNew
- MemoryUsage
- MegaByteShort
- WrongUsernameEmail
- All
- Staff
- Guests
- ShowOnly
- InvalidFormTokenNotice
- InvalidURLTokenNotice

Changed

- SendpwdActivated
- PostFormShortcut

* admin

Added

- Item-logout
- IndexDevelopmentEnvironment
- ConfigBoardSection-rss
- ConfigBoard-active_topics_count-info
- ConfigBoard-active_topics_max_age
- ConfigBoard-active_topics_max_age-info
- ConfigBoard-debug-info
- ConfigBoard-return_to_topic_after_posting-info
- ConfigBoard-target_blank-info
- ConfigBoard-error_log_log_hidden
- ConfigBoard-error_log_log_hidden-info
- ConfigBoard-show_posting_links_to_guests
- ConfigBoard-show_posting_links_to_guests-info
- ConfigBoard-acp_auto_logout
- ConfigBoard-acp_auto_logout-info
- ConfigBoard-enable_dnsbl_powered_banning
- ConfigBoard-enable_dnsbl_powered_banning-info
- HTMLEnabledField
- ModulesDisabledInfo
- MembersEditingMemberCantDeleteSelf
- RegisterMembersEditMember
- DNSBLDisabled
- DNSBLDisabledInfo
- DNSBLGlobally

Changed

- ForumsAutoLockXReplies
- ModulesDisabled
- DNSBLServersInfo

Removed

- ForumsDescriptionExplain
- DNSBLEnableOpenDNSBLBan

Dietrich

This shows the post reply and new topic links to guests. Previously, they were hidden if guests could not post, now they can be shown and will redirect to the login form.

It can be set in the ACP in General Configuration > Layout settings > "Show new topic and post reply links to guests."

Saw that in the ACP; I guess for some reason I didn't associate what's in the config.php file with "Show new topic and post reply links to guests."