PunBB 1.2.12 Fixes Vulnerabilities

PunBB developer Rickard has released a security update, v1.2.12, to address a few issues. On May 5th "o.y.6" discovered a vulnerability in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks. It seems that, due to mailing-list issues, this release has not been announced properly. Be sure to UPDATE!

This release fixes two XSS vulnerabilities and one minor bug.

The News Posting

Just a quick note to announce 1.2.12. This release fixes two XSS vulnerabilities and one minor bug. Due to the security updates, I recommend that everyone update. As usual, you'll find the download on the downloads page.

Thanks to the people who alerted me via e-mail about the vulnerabilities. I'm sorry for the somewhat slow response this time.

One of the Vulnerabilities

o.y.6 has discovered a vulnerability in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "redirect_url" parameter in "misc.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been confirmed in version 1.2.11. Other versions may also be affected.
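
An added example, not PunBB's code and not part of the advisory: a hypothetical PHP sketch of the class of bug described above (a request parameter returned to the browser unencoded) beside a hardened form that validates the redirect target and encodes it on output. The function names, the hidden-field context and the host forum.example are assumptions made for illustration.

```php
<?php
// Hypothetical illustration, not PunBB source. Assumes the parameter is
// echoed back inside an HTML attribute of a form.

// "Before": the request value is placed in the attribute as-is, so a quote
// or angle bracket in it ends the attribute and is parsed as markup.
function render_hidden_field_unsafe(string $redirect_url): string
{
    return '<input type="hidden" name="redirect_url" value="' . $redirect_url . '" />';
}

// "After", step 1: accept only local paths or http(s) URLs on our own host;
// anything else falls back to a fixed default.
function validate_redirect(string $url, string $site_host, string $default = 'index.php'): string
{
    // Reject empty values, control characters, backslashes and
    // protocol-relative URLs ("//host/...").
    if ($url === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $url) || strncmp($url, '//', 2) === 0) {
        return $default;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        $host = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($site_host)) {
            return $default;
        }
    }
    return $url;
}

// "After", step 2: encode for the HTML attribute context at output time.
function render_hidden_field(string $redirect_url, string $site_host): string
{
    $safe = htmlspecialchars(validate_redirect($redirect_url, $site_host), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="redirect_url" value="' . $safe . '" />';
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['viewtopic.php?id=5', 'a"b<c>', 'javascript:void(0)', '//other.example/'];
foreach ($samples as $s) {
    echo render_hidden_field($s, 'forum.example'), "\n";
}
```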
