PunBB Resource

@robert.szucs --- How to correct this bugs?

Thanks MattF .... I'll try to search it and post here what i've found

Your help is appreciated koos ... Thanks a lot

Private Messaging System 1.2.4c (2009-07-02)

The Private Messaging Mod must be the most popular mod for punbb 1.2, yet the latest version still contains many bugs and some vulnerabilities. While I was working on my own modifications to this mod (to allow users to create private message folders), I encountered and fixed many of these bugs and vulnerabilities. Since I was not able to get hold of the author of this mod, I am releasing an unofficial update of this mod here.

## CHANGELOG:

## v1.2.4c   :
1. Made compatible with Fluxbb 1.4

2. Replaced all addslashes with $db->escape

3. install_mod.php script now also works in PostgreSQL and SQLite

## v1.2.4b   :
1. Use lang file for all text in message_list.php, e.g.:
<th >Delete</th>
should be:
<th><?php echo $lang_pms['Delete'] ?></th>

2. Lang correction in message_list.php:

if ($pun_user['is_guest'])
    message($lang_common['Login required']);

should be

if ($pun_user['is_guest'])
    message($lang_common['Not logged in']);

(there is no 'Login required' lang entry in /lang/[Your language]/common.php)

3. Messages header and footer links now look like this:

Index » Private Messages » Inbox
instead of:
My board title » Private Messages » Inbox
   

4. Some changes in the readme.txt install instructions.

5. Some other minor changes.

## v1.2.4a   :
1. Multiple replies of PM's causes long subject lines:
RE: RE: RE: ...

Fix:
http://www.punres.org/viewtopic.php?pid=19466#p19466

2. Flood protection bug mentioned here:
http://www.punres.org/viewtopic.php?pid=25531#p25531

Fix based on:
http://www.punres.org/viewtopic.php?pid=25533#p25533

3. Receiver message status bug mentioned here:
http://www.punres.org/viewtopic.php?pid=25530#p25530

Fix based on:
http://www.punres.org/viewtopic.php?pid=20697#p20697

4. Security fix:
http://www.punres.org/viewtopic.php?pid=25488#p25488

5.
In include/pms/header_new_messages.php

$pun_config['o_pms_messages']

should be:

$pun_config['o_pms_enabled']

6. Security fix when deleting multiple messages in message_list.php

Fix based on:
http://www.punres.org/viewtopic.php?pid=22438#p22438

Details:

Find:
        // Delete messages

Before, add:

        if (@preg_match('/[^0-9,]/', $_POST['messages']))
            message($lang_common['Bad request']);


7. Made style changes to prevent overlapping of boxes in some stylesheets
e.g. overlapping when you modify style/Oxygen.css
from:
.pun {FONT-SIZE: 11px; LINE-HEIGHT: normal}
to:
.pun {FONT-SIZE: 12px; LINE-HEIGHT: normal}

Also fixed the style issue mentioned here:
http://punbb.informer.com/forums/post/73846/#p73846


8. There is no message limit for moderators, even though one can set a limit for moderators in the amin cp. Fixed.

9. Message box status not being displayed for moderators. Fixed.

10. If message box is full, messages that you are sending can still be saved in the Sent folder when sending the message to an administrator or moderator. Fixed.

Details:
in message_send.php
replace:
if($pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_GUEST && $status > PUN_GUEST)
with:
if ($pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_ADMIN)


11. In PM admin cp:
"This is the number of messages each user is allowed in their inbox."
should be:
"This is the number of messages users in this group are allowed to store. Set to 0 to allow unlimited messages."
(messages in the 'Sent' folder are also counted, not just messages in the 'Inbox')


12. Setting a usergroup's message limit to 0 gives that usergroup unlimited storage space for messages, but the "Your inbox is full!" message is still displayed in the header. Fixed.

Details:
In header_new_messages.php, replace:
if ($pun_config['o_pms_enabled'] != 0 && $pun_user['g_id'] > PUN_ADMIN)
with:
if ($pun_config['o_pms_enabled'] != 0 && $pun_user['g_pm_limit'] != 0 && $pun_user['g_id'] > PUN_ADMIN)


13. Fixed the PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit exploit, as posted by athos at milw0rm here:
http://www.milw0rm.com/exploits/7159

Dante90 mentioned the same exploit at punbb.org here:
http://punbb.informer.com/forums/topic/ … i-exploit/

I even contacted the guy who discovered the exploit (athos) and asked him to test this update (v1.2.4) and see if the vulnerability is still present. I then got a reply back from him saying v1.2.4 fixed the exploit successfully.


14. Several other minor changes, e.g. spelling corrections, intval() instead of (int), rearrange code brackets etc.


Download Private Message Mod 1.2.4c

Upgrade instructions is included in the archive.

Last edited by Koos (2009-09-11 08:18:43)

Thanks koos for compiling all the fix on this mod... By the way do you have plans to release "private message folders mod" for this mod?
Mod within the mod...

thanks for the new mod(1.2.4a). It works on 1.2.21 for me.

Thanks a lot Koos for updating this one..

Sure, I can possibly add it in a future version of my pm folders add-on mod.

Last edited by Koos (2009-06-30 12:50:44)

Hello there,

So nice to see people doing something cause they WANT too.  I was wondering if this mod would work well with 1.4b FluxBB?  I was also wondering how when a new version of Flux or Pun comes out, how do we upgrade the actual forums and not trash everything you need to change for the pm's?  I guess there is not a one click button and the mod installs itself like some other software's out there?  Just curious.. I don't mind doing the mods.. I just don't like doing them over and over and over and over.. If I give this to my forum then I have to keep up with it.  Hmmmmmm.

You know I always wanted to know how you guys do security checking?  How do you know if something you write will open doors to hackers later.  How do you deal with exploits?

I'm currently using Private_Message_Mod-1.2.4b (big thanks to the authors, and Koos for this update) on FluxBB 1.2.21, and am about to roll it out on a legacy PunBB 1.2.11 site (I know, I need to patch it!). Here's two mod requests for possible inclusion in a future version:

1. Encrypted message contents in database
2. Popup notification of new message

I've seen a lot of requests for email notifications, not sure it's worth repeating that request smile

One of my forums is a discussion site for precious metals - some of the users won't be interested in using the PM system for discussing buy/sell trades because of the lack of perceived privacy - if message contents were encrypted in the database it would add a little overhead at save & read time, but at least they wouldn't be exposed to me as an administrator inadvertantly seeing message contents while doing database backups etc.

A notification system is also needed - I would prefer a popup, but email would work too.

It's a great mod that adds a must-have feature to PunBB & FluxBB.

<deleted> has 1.2.4b - that's FluxBB 1.2.21

Feel free to message me at that forum to test.

Last edited by bgiddins (2009-08-29 05:31:23)

bgiddins wrote:

Encrypted message contents in database

I'll see if I can put something together for you when I get a chance.

bgiddins wrote:

I've seen a lot of requests for email notifications, not sure it's worth repeating that request smile

I've recently created and add-on to this mod which gives users to option to receive pm e-mail notifications. You can download it here.

Koos wrote:

I've recently created and add-on to this mod which gives users to option to receive pm e-mail notifications. You can download it here.

Fantastic!

Thanks - that was a breeze to implement. I did notice that I receive multiple email notifications between logins, and the email text indicates only a single notification will come ("You may have additional new private messages, but this is the only notification you will receive until you visit the forum again."). Are the multiple emails a bug?

cheers

Last edited by bgiddins (2009-07-06 17:17:26)