The UseBB Project releases UseBB 1.0.12, a general improvement and maintenance release for the UseBB 1 light PHP 4 and MySQL forum package.
Changes since 1.0.11
- Fixed two security issues
- Enhanced security all over the system
- New topic/post reply links can now be shown to guests
- Added members/staff/guests filter on online user list
- New max topic age setting for active topics
- Removed usage of deprecated PHP functionality
Much more changes and bug fixes were made. See the Changelog for a complete list.
Vulnerability "HTB22914: Local File Inclusion in UseBB"
Recently, High-Tech Bridge SA discovered a possible issue in UseBB 1.0.11 and earlier. The issue exists in the fact that admin.php may possibly include PHP files not used for the UseBB admin control panel (ACP).
The faulty code in question is only executed for logged in administrator accounts, and can only include non-relevant PHP files if a directory "sources/admin_" exists, which is not the case in UseBB 1. Therefore, the issue does not pose a direct threat to an existing UseBB set-up, but is classified a security issue anyway and has been fixed in UseBB 1.0.12.
Vulnerability "HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB"
As a solution, UseBB 1.0.12 has implemented URL and form tokens for sensitive actions. Accessing or executing above URLs or scripts now doesn't have an effect on the data.
(If you developed mods, please read UseBB 1 CSRF on wiki on how to apply this yourself.)
More security enhancements
Passwords can now be composed of more characters, including symbols. The system itself will also generate these stronger passwords itself. A combination of at least letters and numbers is now required for new passwords.
Non-fatal PHP notices are now hidden on production environments, but can still be logged if desired.
It is no longer possible to use "debug mode" in level 2 on production environments. In other words, database errors will always have the usernames filtered, and the list of SQL queries is never shown.
The Admin Control Panel has added a manual and automatic logout feature, and sessions are now immediately destroyed (regardless of cleanup) when the "max session lifetime" inactivity time was reached.
Removal of deprecated PHP functionality
PHP 5.3 has made a number of PHP functionalities deprecated. This includes the magic_quotes_runtime behaviour which UseBB 1 has used since the beginning. As of UseBB 1.0.12, magic quotes are no longer used and more old code for PHP < 4.3 is removed.
In order to run 1.0.12 it is now necessary to have PHP 4.3 or later, or PHP 5. (Please note PHP 4 is officially out of support by the PHP Group, and UseBB 2 will completely abandon PHP 4 support.)
UseBB 1.0.12 can be considered a mature and stable version of UseBB 1, suitable for all websites. However, numerous forums are still using an older 1.0.x version, or even a beta 0.x one. Keeping into account all the issues and bugs fixed over time, we encourage all of these websites to upgrade to 1.0.12 as soon as possible.
Any version equal or less than 1.0.11 is now out of official support. See here for downloads. Information about upgrading is available in the docs/index.html document.