[UseBB-Announce] UseBB 1.0.12 released
Light and Free PHP Forum Software
From: UseBB P. <co...@us...> - 2011-04-14 15:06:44
The UseBB Project releases UseBB 1.0.12, a general improvement and maintenance release for the UseBB 1 light PHP 4 and MySQL forum package.

* Changes since 1.0.11

- Fixed two security issues
- Enhanced security all over the system
- New topic/post reply links can now be shown to guests
- Added members/staff/guests filter on online user list
- New max topic age setting for active topics
- Removed usage of deprecated PHP functionality

Many more changes and bug fixes were made. See the Changelog for a complete list.

* Vulnerability "HTB22914: Local File Inclusion in UseBB"

Recently, High-Tech Bridge SA discovered a possible issue in UseBB 1.0.11 and earlier: admin.php may include PHP files that are not part of the UseBB admin control panel (ACP). The faulty code is only executed for logged-in administrator accounts, and can only include unrelated PHP files if a directory "sources/admin_" exists, which is not the case in UseBB 1. The issue therefore does not pose a direct threat to an existing UseBB set-up, but it is classified as a security issue anyway and has been fixed in UseBB 1.0.12.

* Vulnerability "HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB"

High-Tech Bridge SA also discovered possibilities for CSRF attacks against UseBB 1.0.11 and earlier. When a logged-in user is given a malicious URL, or visits a web page containing such a URL or JavaScript, requests may be executed in that user's name which add, edit or delete data on the forum, including topics, posts, account information and settings in the ACP (if the user is logged in to the ACP). As a solution, UseBB 1.0.12 implements URL and form tokens for sensitive actions; accessing or executing the above URLs or scripts no longer has any effect on the data. (If you developed mods, please read http://sourceforge.net/apps/trac/usebb/wiki/UseBB1CSRF on how to apply this yourself.)
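The HTB22914 class of bug (an include whose target is derived from a request parameter) is best closed by never building a path from the parameter at all. The following is an added illustration, not UseBB's admin.php and not the code High-Tech Bridge reported: the "unsafe" function shows the general shape of such an include, the hardened form maps the parameter onto a fixed allow-list. The directory name, page names and function names are assumptions made for this example.

```php
<?php
// Added example (not UseBB code): loading an admin control panel (ACP)
// page selected by a request parameter. Directory and page names are
// assumptions for this illustration.

define('ACP_DIR', dirname(__FILE__) . '/sources/admin');

// Hypothetical unsafe shape: the parameter becomes part of the path. Even
// with a fixed prefix and ".php" suffix, "../" segments (and, on old PHP
// versions, an embedded NUL byte) let the request reach files that are not
// ACP pages.
function load_acp_page_unsafe($page) {
    $file = ACP_DIR . '/' . $page . '.php';
    if (!file_exists($file)) {
        return false;
    }
    require $file;
    return true;
}

// Hardened form: the request value is only ever used as a key into a fixed
// map, so the complete set of includable files is visible at review time.
function acp_pages() {
    return array(
        'main'    => 'main.php',
        'config'  => 'config.php',
        'members' => 'members.php',
    );
}

// Returns the absolute path of an allowed page, or false for anything else.
function resolve_acp_page($page) {
    $pages = acp_pages();
    if (!is_string($page) || !isset($pages[$page])) {
        return false;
    }
    return ACP_DIR . '/' . $pages[$page];
}

function load_acp_page($page) {
    $file = resolve_acp_page($page);
    if ($file === false) {
        return false;
    }
    require $file;
    return true;
}

// Demonstration with constructed inputs; only resolution is exercised, so
// nothing is actually included and the files need not exist.
$inputs = array('main', '../../config', "config\0", 'members', array('x'));
foreach ($inputs as $in) {
    $label = is_string($in) ? addcslashes($in, "\0") : '(array)';
    $r = resolve_acp_page($in);
    printf("%-18s => %s\n", $label, $r === false ? 'rejected' : $r);
}
```

The point of the allow-list is that the traversal and NUL-byte cases are rejected without any string sanitising: there is no path to sanitise, only a key lookup, which is also why the check does not depend on which PHP version or filesystem the forum runs on.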
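The announcement describes the HTB22913 fix only in outline ("URL and form tokens for sensitive actions"). The following added example, which is not UseBB's implementation and not the code from the linked wiki page, shows one way to build such tokens: a per-session secret, a per-action token derived from it with an HMAC, and a constant-time check. All function names and the session key are assumptions; the version notes in the comments refer to stock PHP functions.

```php
<?php
// Added example (not UseBB code): per-session secret, per-action CSRF
// tokens, emitted as a hidden form field or appended to a URL, and verified
// in constant time. Names are assumptions for this illustration.

// Per-session secret. random_bytes() exists from PHP 7; the fallback keeps
// the example runnable on older versions but is a weaker source of entropy.
function csrf_secret() {
    if (empty($_SESSION['csrf_secret'])) {
        if (function_exists('random_bytes')) {
            $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
        } else {
            $_SESSION['csrf_secret'] = sha1(uniqid(mt_rand(), true));
        }
    }
    return $_SESSION['csrf_secret'];
}

// Bind the token to the action (and, where useful, the object id) so a token
// captured from one form cannot be replayed against a different action.
// hash_hmac() exists from PHP 5.1.2.
function csrf_token($action) {
    return hash_hmac('sha256', $action, csrf_secret());
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function csrf_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Called before any state-changing action is executed.
function csrf_check($action, $supplied) {
    return is_string($supplied) && csrf_equals(csrf_token($action), $supplied);
}

// Form token: emitted as a hidden field in the form being protected.
function csrf_form_field($action) {
    return '<input type="hidden" name="token" value="' . csrf_token($action) . '" />';
}

// URL token: appended to links that trigger state changes (e.g. "delete post").
function csrf_url($url, $action) {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep . 'token=' . urlencode(csrf_token($action));
}

// Demonstration with a constructed session (no real session_start() here).
$_SESSION = array();
$link = csrf_url('admin.php?act=delete&post=42', 'delete_post:42');
echo $link, "\n";
echo csrf_form_field('edit_profile'), "\n";

parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(csrf_check('delete_post:42', $q['token']));   // token for the right action
var_dump(csrf_check('delete_post:43', $q['token']));   // same token, other object
var_dump(csrf_check('delete_post:42', ''));            // token missing
var_dump(csrf_check('delete_post:42', null));          // parameter absent
```

Because the secret never leaves the session, a forged request from another origin cannot carry a valid token, whether it arrives as a crafted link or as a form submitted by JavaScript. Tokens in URLs do end up in Referer headers and server logs, so where a mod can choose, a POST form with a hidden field is the safer of the two mechanisms the announcement mentions.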
* More security enhancements

Passwords can now be composed of more characters, including symbols, and the passwords the system generates itself are stronger too. A combination of at least letters and numbers is now required for new passwords.

Non-fatal PHP notices are now hidden on production environments, but can still be logged if desired. It is no longer possible to use "debug mode" level 2 on production environments; in other words, database errors will always have usernames filtered out, and the list of SQL queries is never shown.

The Admin Control Panel has gained a manual and an automatic logout feature, and sessions are now destroyed immediately (regardless of the cleanup run) when the "max session lifetime" inactivity time is reached.

* Removal of deprecated PHP functionality

PHP 5.3 has deprecated a number of PHP features, including the magic_quotes_runtime behaviour which UseBB 1 has used since the beginning. As of UseBB 1.0.12, magic quotes are no longer used, and more old code for PHP < 4.3 has been removed. Running 1.0.12 now requires PHP 4.3 or later, or PHP 5. (Please note that PHP 4 is officially out of support by the PHP Group, and UseBB 2 will abandon PHP 4 support completely.)

* Upgrading

UseBB 1.0.12 can be considered a mature and stable version of UseBB 1, suitable for all websites. However, numerous forums are still using an older 1.0.x version, or even a beta 0.x one. Taking into account all the issues and bugs fixed over time, we encourage all of these websites to upgrade to 1.0.12 as soon as possible. Any version equal to or older than 1.0.11 is now out of official support.

Visit http://www.usebb.net/downloads/ for downloads. Information about upgrading is available in the docs/index.html document.

UseBB Project
http://www.usebb.net