[UseBB-Announce] UseBB 1.0.10 RSS feeds security issue
From: UseBB P. <co...@us...> - 2010-08-29 14:22:36
Very recently, a security issue has been discovered in UseBB 1.0.10 with per forum and topic RSS feeds in combination with restricted forum access permissions.

UseBB 1.0.10 uses the "view" forum permission to enable or disable per forum and topic feeds. This way, if a forum has e.g. "view" set to guests but "read" to members, a guest gets access to the contents of the first posts through the forum feed and all the posts of a topic through its topic feed. With expected behaviour, UseBB should instead use the "read" permission setting to show or hide first posts' contents in the forum feeds and the topic feeds in their entirety.

Anyone having a restricted "read" permission set but NOT an equal or more restricted "view" one is prone to this issue and should either disable per forum/topic feeds, adjust the "view" permission to be equal to the "read" one or fix their UseBB setup.

Fixing UseBB 1.0.10 is done through uploading (overwriting) a new rss.php or applying the patch. rss.php can be found in the top directory of your UseBB setup.

* New rss.php: http://usebb.cvs.sourceforge.net/viewvc/usebb/UseBB/rss.php?revision=1.20
* Patch file: http://usebb.cvs.sourceforge.net/viewvc/usebb/UseBB/rss.php?r1=1.18&r2=1.20&view=patch

UseBB 1.0.11, including more changes and bug fixes to be released after testing, will have this issue fixed as well.

For questions and support, please ask at http://www.usebb.net/community/.

Apologies for any inconvenience and thank you for your understanding.

UseBB Project
http://www.usebb.net

PS: If you encounter PHP (5.3) errors concerning deprecated functions, this is a different (and harmless) issue that can be fixed easily too: http://www.usebb.net/community/topic-post9792.html#post9792.
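The permission mix-up described in the announcement, modelled as an added example; this is not UseBB's rss.php or any code from the project. The numeric levels, forum records and function names are assumptions made for the illustration, and the `affected` check mirrors the "restricted read but less restricted view" condition above.

```python
# Added illustration: a simplified model, not UseBB's rss.php.
# Level numbers and forum records are constructed for this example.
GUEST, MEMBER, MODERATOR, ADMIN = 0, 1, 2, 3

FORUMS = [  # constructed sample configuration
    {"name": "Announcements", "view": GUEST, "read": GUEST},
    {"name": "Members area", "view": GUEST, "read": MEMBER},
    {"name": "Staff", "view": MODERATOR, "read": MODERATOR},
]
TOPIC = {"title": "Meeting notes", "posts": ["first post body", "reply body"]}


def allowed(forum, permission, user_level):
    """A user holds a permission when their level reaches the required one."""
    return user_level >= forum[permission]


def forum_feed(forum, user_level, fixed):
    """Forum feed: one item per topic, optionally with the first post's contents."""
    if not allowed(forum, "view", user_level):
        return None  # feed disabled for this user
    # 1.0.10 behaviour: "view" alone exposes contents; expected: "read" decides.
    show = allowed(forum, "read" if fixed else "view", user_level)
    return [{"title": TOPIC["title"], "content": TOPIC["posts"][0] if show else None}]


def topic_feed(forum, user_level, fixed):
    """Topic feed: every post of the topic, gated as a whole."""
    if not allowed(forum, "read" if fixed else "view", user_level):
        return None
    return list(TOPIC["posts"])


def affected(forums):
    """Forums whose "read" is restricted but whose "view" is less restricted."""
    return [f["name"] for f in forums if f["view"] < f["read"]]


if __name__ == "__main__":
    print("Affected forums:", affected(FORUMS))
    members = FORUMS[1]
    for fixed in (False, True):
        print("fixed" if fixed else "1.0.10", forum_feed(members, GUEST, fixed),
              topic_feed(members, GUEST, fixed))
```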