News

There's no "I" in team

When I started working on PunBB some years ago, I was very proud of what I accomplished. PunBB became my "baby". When you work on something for a long time and it turns out people actually like what you've done, you try to hold on to that work and you become hesitant to let other people in. This happened to me with PunBB. I was glad to accept patches and stuff from other people, but whenever someone contacted me and asked if they could be part of the development team, I always politely declined their request.

Today, my feelings on this have changed. I don't feel comfortable taking all the credit for PunBB when I know that the work is much more of a team effort. I also realize that PunBB would benefit greatly from having more than myself, Paul and Bert at the helm. Over the last year, I've noticed how the amount of time and energy I have over to work on PunBB has decreased rapidly. I have a regular 9 to 5 day job, I freelance as a web developer and I'm working on a commercial web application (soon to be announced :D). Trying to squeeze in an hour here and there for PunBB just doesn't cut it. Don't get me wrong, I still love working on PunBB and I have every intention of keeping PunBB alive and kicking.

So, where am I going with this? Well, obviously what I'm talking about is inviting more people to work on PunBB in an official manner. We've been keeping this under wraps for a few weeks, but today I am thrilled to present to you the PunBB Development Team (in alphabetical order):

Bert Garcia (hcgtv)
Connor Dunn (Connorhd)
Frank Hagström (Frank H)
Kristoffer Jansson (Jansson)
Neal Poole (Smartys)
Paul Sullivan (Paul)
Rickard Andersson (Rickard)
Shawn Brown (ShawnBrown)

As you can see, the team now consists of 8 people. The reason I wanted ConnorHd, Frank H, Jansson and Smartys on the team should be obvious. These guys know the ins and outs of PunBB better than anyone and they've been active contributors since PunBB's infancy. Some of you might also recognize Shawn Brown. Shawn knows JavaScript and regular expressions better than the rest of us combined. It is possible that in the future, even more people will be invited to join the development team, but I think this will suffice for now :) Please note the word "invited". We will not be accepting requests to join the team. We spot you, not the other way around.

There's more stuff in the pipeline related to this change, but I'll have to get back to you on that in a day or two.

Now, how about a big welcome to the new warriors in the fight against bloat :)

Cheers,
Rickard

Posted by Rickard on 2006-11-17 15:12

PunBB 1.2.14

I guess the old English idiom "when it rains, it pours" applies today :) Nevertheless, I am pleased to announce the release of PunBB 1.2.14. This release addresses a few security problems, fixes a bug or two, adds a search performance tweak and adds stylesheet fixes to fully support the up-and-coming Internet Explorer 7 release. You can find all files related to the update on the downloads page.

Thanks a lot to Nms (nms@wargan.org). Never before have I received such a detailed vulnerability report :) As usual, thanks to Smartys for some of the reports. Finally, thanks to Yann for reporting the search performance tweak.

As some of you might have noticed, I didn't update the copyright notice to include the year 2006 because that would affect all scripts (the GPL preamble) and make the diffs huge. It'll be in 1.3.

Posted by Rickard on 2006-10-15 17:44

PunBB 1.2.13

Yesterday, I posted about the supposed "poison NULL byte vulnerability". I ranted on about how PunBB wasn't vulnerable and how I disliked the way vulnerability databases worked. Guess what? I was wrong! Through the help of a very nice editor at CVE, I was able to get in touch with the researcher behind the report and he clarified the issue for me. I had completely misunderstood what the vulnerability was about. Turns out I was wrong both on the vulnerability and in my generalization of how bad vulnerability databases work. I'm sorry for that.

So, today I have the pleasure of announcing PunBB 1.2.13. A release I've internally dubbed the "I'm a moron" release. PunBB 1.2.13 deals with the NULL byte injection vulnerability and adds support for HttpOnly cookies. The NULL byte injection is only exploitable by administrators so there's no need to rush. Nevertheless, I recommend that everyone upgrade.

Small note: If you have a look at the patch and the hdiff for this release, you'll notice there are what appears as non-existent changes in the unregister_globals() function. Nevermind these. It's just an update to get rid of some Windows style linebreaks.

Over and out.

Posted by Rickard on 2006-09-27 00:18

The supposed "poison NULL byte vulnerability"

Edit: After you've read this, make sure to read my fantastic follow-up :D

About two weeks ago, a security advisory titled multiple PHP application poison NULL byte vulnerability popped up on BugTraq. The advisory claimed that various PHP applications, specifically phpBB and PunBB, were vulnerable. Now I can't speak for any other application, but I can assure you that PunBB is NOT. The original author of the report probably thought PunBB was a fork of phpBB and assumed PunBB was vulnerable as well. He sure as hell can't have looked at the source code, that's for sure.

Just for fun, I decided to check out the Wikipedia entry on BugTraq. Here's a quote from that article:

Wikipedia wrote:

Bugtraq was created on November 5, 1993 by Scott Chasin in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure.

Elias Levy, aka Aleph One, noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing."

That's great, but fast-forward 13 years and we end up with this: Anyone can write up a vulnerability report on a piece of software and that information will be assumed to be correct. Not only that, the information will spread like wildfire making it impossible to "repair the damage" in case the information turns out to be false. You see, once something appears on BugTraq, a million other security databases include the report on their websites and on their mailing lists.

Now I'm fine with the "guilty until proven innocent" approach when it comes to security, but come on! Isn't there some kind of review process involved in all of this? I think us "vendors" need to have a say in this before a bogus report ends up on every security website in the world. Sure, we can reply to the BugTraq posting and dispute the report, but that has virtually no impact.

Oh well, I guess I'll go e-mail a bunch of vulnerability databases.

Posted by Rickard on 2006-09-25 22:56

PunBB 1.2.12

Just a quick note to announce 1.2.12. This release fixes two XSS vulnerabilities and one minor bug. Due to the security updates, I recommend that everyone update. As usual, you'll find the download on the downloads page.

Thanks to the people who alerted me via e-mail about the vulnerabilities. I'm sorry for the somewhat slow response this time.

Edit: I won't be able to announce this via the newsletter today because it turns out my ISP isn't that fond of me sending out mass e-mail. I'll write a script and run it on the server, but it'll have to wait until tomorrow.

Posted by Rickard on 2006-05-20 17:22
