The UseBB Team is happy to announce version 1.0.6 of the light and Open Source PHP/MySQL bulletin board package "UseBB".
Version 1.0.6 is a minor security and bug fix release. Changes include but are not limited to:
- fixed a full path disclosure vulnerability;
- fixed a bug that posed problems when setting certain time zones;
- fixed more bugs in the SQL Toolbox and ACP Modules panes of the ACP.
Upgrading is highly recommended. Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.
The discovered security vulnerability (full path disclosure) only occurs on PHP setups with register_globals enabled, when certain GET or POST variables are passed to the system, resulting in an error containing the script's full path on the web server. This vulnerability itself cannot be exploited directly, but the disclosed information may be abused by people with system access.
Thanks to Jesper Jurcenoks of netVigilance, Inc. for reporting this. Their security advisory can be found at http://www.netvigilance.com/advisory0016.