UseBB 1.0.10 RSS feeds security issue

Note (9th September 2010): the issue and bug mentioned below are fixed in 1.0.11. Please install the latest version. 1.0.11 users can ignore this announcement.

A security issue has recently been discovered in UseBB 1.0.10 affecting per forum and topic RSS feeds in combination with restricted forum access permissions.

UseBB 1.0.10 uses the "view" forum permission to enable or disable per forum and topic feeds. As a result, if a forum has e.g. "view" set to guests but "read" set to members, a guest gets access to the contents of the first posts through the forum feed and to all posts of a topic through its topic feed. The expected behaviour is for UseBB to use the "read" permission setting instead, both to show or hide the first posts' contents in the forum feeds and to show or hide the topic feeds in their entirety.

Anyone having a restricted "read" permission set but NOT an equal or more restricted "view" one is affected by this issue and should either disable per forum/topic feeds, adjust the "view" permission to be equal to the "read" one, or fix their UseBB setup.
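The permission mismatch described above, and the check for affected forums, as an added example (PHP 7 or later assumed); this is illustrative code, not UseBB's own, and the level names and forum records are constructed:

```php
<?php
// Permission levels modelled as an ordered scale (names are assumptions).
const LEVELS = ['guests' => 0, 'members' => 1, 'moderators' => 2, 'admins' => 3];

// Constructed forum records with per-forum "view" and "read" settings.
$forums = [
    ['name' => 'Announcements', 'view' => 'guests',  'read' => 'guests'],
    ['name' => 'Members Only',  'view' => 'guests',  'read' => 'members'],    // leaky combination
    ['name' => 'Staff',         'view' => 'members', 'read' => 'moderators'], // leaky for members
];

function meets(string $userLevel, string $required): bool {
    return LEVELS[$userLevel] >= LEVELS[$required];
}

// Gate as the advisory describes 1.0.10: feeds follow the "view" permission,
// so anyone who may see the forum listing also gets post contents via RSS.
function feed_allowed_vulnerable(array $forum, string $userLevel): bool {
    return meets($userLevel, $forum['view']);
}

// Corrected gate: feeds follow "read", the same permission that protects
// post contents on the web pages, so the feed leaks nothing extra.
function feed_allowed_fixed(array $forum, string $userLevel): bool {
    return meets($userLevel, $forum['read']);
}

// Admin check from the advisory: a forum is exposed when "read" is
// stricter than "view" (feeds disabled or "view" raised to "read" closes it).
function feed_mismatch(array $forum): bool {
    return LEVELS[$forum['read']] > LEVELS[$forum['view']];
}

foreach ($forums as $forum) {
    printf("%-14s view=%-10s read=%-10s guest feed: 1.0.10=%s fixed=%s %s\n",
        $forum['name'], $forum['view'], $forum['read'],
        feed_allowed_vulnerable($forum, 'guests') ? 'yes' : 'no',
        feed_allowed_fixed($forum, 'guests') ? 'yes' : 'no',
        feed_mismatch($forum) ? '<- affected' : '');
}
```

Running it shows the "Members Only" forum handing its feed to guests under the 1.0.10 gate but not under the corrected one, and flags both mismatched forums for review.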

Fixing UseBB 1.0.10 is done through uploading (overwriting) a new rss.php or applying the patch. rss.php can be found in the top directory of your UseBB setup.

UseBB 1.0.11, which includes further changes and bug fixes and will be released after testing, will also contain this fix.

For questions and support, please ask at the forums.

Apologies for any inconvenience and thank you for your understanding.

UseBB Project

PS: If you encounter PHP (5.3) errors concerning deprecated functions, this is a different (and harmless) issue that can be fixed easily too.


Mon, 09/06/2010 - 07:40

