
miniBB version 2.0.5 released

 
 

Author Paul
Lead Developer 
#1 | Posted: 24 May 2007 05:29 
The most important part of this release is (discovered by one of our users from Czech Republic) XSRF/CSRF hack protection, based on introduction of additional random "token" cookie, which is set when a member is signed in. New non-mandatory option $addMainTitle allows to display generic forums name following certain forum's or topic's title in <title> tag (by default it won't be displayed anymore).

This upgrade is highly recommended to everybody, since after initial testing, CSRF protection based on the new cookie will be also introduced in some paid addons later next week.

Be sure your software version is safe! As usual, follow the bottom of Update History file to note the files which need to be upgraded.

Comments regarding the update are welcome as always.

Author tom322
Active Member
#2 | Posted: 25 May 2007 16:41 
So far so good - simple, but effective idea with a new cookie.

Author marsbar
Associated Member
#3 | Posted: 26 May 2007 18:13 
Hi Paul,

You may already know this: the upgrade to 2.0.5 affects admin's and pre-moderators' ability to delete topics--held in the pre-moderation queue--via the pre-moderation interface. (The error message reads: Can not proceed: possible CSRF/XSRF attack!)

Admin and pre-moderators can, however, get around the problem by quitting the pre-moderation interface and then deleting the 'pending topics' via miniBB's default (post-)moderation interface. Hope I am making sense to you! :-)

- mb

Author Paul
Lead Developer 
#4 | Posted: 28 May 2007 06:50 
marsbar
Thanks for reporting this - as I mentioned above, I will work on the plugins this week time by time and I hope you'll get the updated version ASAP (please inform me privately if you still have no access to the customers area downloads).

Author marsbar
Associated Member
#5 | Posted: 28 May 2007 07:15 
Apologies, Paul: short-sighted me must have missed the bit about updating the plugins, in your original post! (Didn't mean to rush you! :-))
Shall contact you shortly, in private, about accessing the customers area.
Best -
mb

Author Paul
Lead Developer 
#6 | Posted: 28 May 2007 10:07 
I didn't mean at all you've meant to rush me ;-)

Ok, I did a quick upgrade of the Premoderation addon and File upload addon this time (this stuff is also upgraded on minibbtest as much as the newest miniBB release is installed there).

marsbar, I've sent you the customers information, welcome to test new premoderation addon release and inform me how it works.

Thank you in advance. Other addons will be upgraded during the week; we will issue a special news notice when the whole upgrading process will be completed.

Author marsbar
Associated Member
#7 | Posted: 30 May 2007 01:41 
Paul wrote: marsbar, I've sent you the customers information, welcome to test new premoderation addon release and inform me how it works.

As always, many thanks for your prompt response, Paul.

I am happy to report that the deletion problem experienced before the upgrade (to v1.2.1) is now no more. Perfect! :-)

Cheers,
mb

Author teva
Partaker
#8 | Posted: 30 May 2007 02:10 
Hey!

I just did a clean upgrade to 2.0.5 and I also get
Can not proceed: possible CSRF/XSRF attack!

I don't have premoderation on file upload addon. Any idea how to fix this?

tnx

Author Paul
Lead Developer 
#9 | Posted: 30 May 2007 03:28 
teva
Be sure you have updated templates/main_posts.html file's JavaScript codes and functions.

Author teva
Partaker
#10 | Posted: 30 May 2007 04:40 
yep..it works now..tnx

Were there any more changes in templates dir? I have changed quite a few templates and comparing with new ones would take some time. I used 2.0 RC6b before upgrading to 2.0.5

tnx
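
An added sketch (not miniBB's code, and not part of any post in this thread) of the token-cookie idea announced in post #1 and of the stale-template failure reported in posts #8 to #10. It assumes the check compares the sign-in cookie with a copy of the token that the template's JavaScript appends to action links; the cookie name, parameter name, sample URL and function names are hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical names, chosen for this example only.
const TOKEN_COOKIE = 'csrf_token_example';
const TOKEN_PARAM = 'csrftoken';
const REJECT = 'Can not proceed: possible CSRF/XSRF attack!';

// At sign-in: issue an unpredictable token as an extra cookie.
function issueTokenCookie() {
  return { name: TOKEN_COOKIE, value: crypto.randomBytes(16).toString('hex') };
}

// Minimal Cookie header parser ("a=1; b=2").
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return jar;
}

// Template side: same-origin script can read the cookie and copy it into the
// action link. A page on another origin cannot read it, so it cannot do this.
function addTokenToLink(url, cookieHeader) {
  const token = parseCookies(cookieHeader)[TOKEN_COOKIE];
  if (!token) return url;
  return url + (url.includes('?') ? '&' : '?') + TOKEN_PARAM + '=' + encodeURIComponent(token);
}

// Server side: the cookie arrives automatically with every request, so it
// proves nothing alone; the request must also carry a matching copy.
function checkRequest(url, cookieHeader) {
  const a = Buffer.from(parseCookies(cookieHeader)[TOKEN_COOKIE] || '');
  const b = Buffer.from(new URL(url, 'http://forum.example').searchParams.get(TOKEN_PARAM) || '');
  const ok = a.length > 0 && a.length === b.length && crypto.timingSafeEqual(a, b);
  return ok ? 'ok' : REJECT;
}

// Constructed scenarios: updated template, stale template, cross-site request.
function demo() {
  const c = issueTokenCookie();
  const cookieHeader = `${c.name}=${c.value}`;
  const link = 'index.php?action=delete&topic=42'; // constructed sample URL
  return {
    updatedTemplate: checkRequest(addTokenToLink(link, cookieHeader), cookieHeader),
    staleTemplate: checkRequest(link, cookieHeader), // no script appends the token
    crossSite: checkRequest(link + '&' + TOKEN_PARAM + '=' + '0'.repeat(32), cookieHeader),
  };
}
```

The stale-template case is rejected for the same reason as the cross-site one: the request carries the cookie but no matching copy of the token.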

Author marsbar
Associated Member
#11 | Posted: 30 May 2007 05:29 
Teva, have a look at the miniBB update history (change log) for details.
- mb

Author Paul
Lead Developer 
#12 | Posted: 31 May 2007 05:08 
I would like to mention that the following addons were updated because of CSRF vulnerability too:

Avatars
Member Pictures
Moving Replies

Author Ivan
Advanced Member
#13 | Posted: 8 Jun 2007 07:52 
Hi Paul! :)

I, too, like Martin Luther King, have a dream. His one was about the freedom. Mine is about a Visual Special Addon for miniBB 2 :)

Do you think my dream is possible in the real world? :)))

Author Paul
Lead Developer 
#14 | Posted: 8 Jun 2007 08:20 
Yes I have it in plans, but the plans have no exact date and no exact estimate. Most probably I could work on it in 2 years or something.

Author Talbot
Partaker
#15 | Posted: 9 Jun 2007 09:36 
To be honest I'm not exactly sure what these recently discovered hacks are supposed to be doing or their nature, but do I need to replace all of minibb 2.x with 2.05 ? Or just specific sections ? As I recall certain scripts have custom code in them from me or add ons, and it's a pain to replace everything if it's just 1 or 2 scripts that are different.

I'm guessing it's just any file in the Zip that has modification date > 20th April?

Also does captcha paid add on need to be updated for 2.05 ? It wasn't mentioned here: https://www.minibb.com/forums/9_4678_0.html

thanks
