but 0.9.0.7 appears to simply be a copy of the final 0.9 branch

browse http://bbpress.trac.wordpress.org/browser/branches/0.9

zip http://bbpress.trac.wordpress.org/changeset/3730/branches/0.9?old_path=%2F&format=zip

svn co http://svn.automattic.com/bbpress/branches/0.9/

From what I can tell, JJJ just copied the branch over to make "0.9.0.7"

http://bbpress.trac.wordpress.org/changeset/3517
http://bbpress.trac.wordpress.org/changeset/3535
http://bbpress.trac.wordpress.org/log/tags/0.9.0.7/bb-includes?rev=3535

That's all he did, there were no other changes, improvements or fixes.

But there really are some fixes in the final 0.9 branch over 0.9.0.6

There were 12 files changed from 0.9.0.6 to 0.9.0.7 (aka 0.9 branch)

http://bbpress.trac.wordpress.org/changeset?old_path=%2Ftags%2F0.9.0.6&old=2338+&new_path=%2Ftags%2F0.9.0.7&new=3715

bb-includes/default-filters.php (1 diff)
bb-includes/wp-functions.php (2 diffs)
bb-includes/pluggable.php (1 diff)
bb-includes/functions.php (3 diffs)
bb-includes/registration-functions.php (1 diff)
bb-includes/template-functions.php (3 diffs)
bb-includes/compat.php (1 diff)
search.php (1 diff)
bb-plugins/akismet.php (4 diffs)
bb-admin/bb-do-counts.php (3 diffs)
bb-admin/admin.php (1 diff)
bb-admin/admin-functions.php (2 diffs)

It's hard to be 100% positive but I am pretty sure they addressed the base64 decoding bug.

Those with 0.9.0.6 can replace just these files to upgrade to 0.9.0.7
http://bbpress.trac.wordpress.org/changeset?format=zip&new=3715&old=2338&new_path=%2Ftags%2F0.9.0.7&old_path=%2Ftags%2F0.9.0.6
(those running versions before 0.9.0.6 will need more files from a fuller upgrade, do not use just the above files as it will break your install)

Everyone should still use my mini-plugin to protect bbpress and wordpress for yet-unidentified security issues. It's better than nothing. You can even remove the header and just copy the one IF block to your bb-config.php and wp-config.php

If 256 characters turns out to be too short of a URL restriction, some may need to raise it as high as 1024, for example in WordPress where it stupidly uses GET now to mass delete posts, which was a dumbfounding move on their part.

<?php
/*
Plugin Name: Block Long/Bad Queries (for bbPress and WordPress)
*/

if (strlen($_SERVER['REQUEST_URI'])>1024 ||
preg_match('@(eval|base64|unescape)[^a-zA-Z0-9]@si',$_SERVER['REQUEST_URI']))
{
	header('HTTP/1.1 414 Request-URI Too Long');
	header('Status: 414 Request-URI Too Long');
	header('Connection: Close');
	exit;
}

I have 0.9.0.7 installed.

I just saw _ck_'s post here about a security patch plugin: http://bbpress.org/forums/topic/bbpress-103-released#post-84690

Ten months ago, _ck_ wrote,

"bbPress 0.9 users should install my unofficial "block-long-queries" mini-plugin to avoid the security bug that 1.0.3 fixes and similar unknown attacks in the future.
(it also works in 1.0 and WordPress)"

Since it seems like 0.9.0.7 came out five months later, I am wondering if this new release covers the patch or if it is still needed.

Note that I searched extensively for a post about the 0.9.0.7 release and the changes it represented, but I can't see anything like that.

Also, I can't ask in the original thread because it was closed.

Thanks!

- What options are available to keep our Spam and other spurious sign-ups? How can I protect my integrated WP user database?

Thanks!

So turning off PHP responses will do for now.

<Limit GET POST">
order deny,allow
deny from all
</Limit>

Why don't you add those .htaccess files in the repository. They will ensure security and they will not hurt on other servers than apache.

It's not a super-serious security bug in itself but it can be used to gain leverage.

Basically someone can discover the real path your files are in by causing a PHP error by trying to access a template file directly, where there is an error in the template because bbPress is not loaded at that time.

Here is a simple workaround for users on Apache (vast majority of users).

Make a file called .htaccess (note the dot at the start)

in it, put this line

php_flag display_errors off

Then upload that file to bb-templates and my-templates

The reason why we don't put that in the master .htaccess file for all of bbPress is because you may need to see any regular errors in the future. However for the template subdirectories, there is no need because those files are never (supposed to be) loaded directly by the browser.

1.1 will see a release candidate soon.

There was no announcement for 1.0.3 because when I tagged it, it required a new tag of BackPress and BuddyPress needed to be changed too. With 1.1 and the plugin coming soon, it just never got an official announcement.

On a more personal note, my resources and bandwidth are spread between several projects at the moment, so switching contexts quickly is something I'm adjusting more to. An announcement about 1.0.3 will happen when an RC for 1.1 goes out, which should be in the next few days.

Do you mean that 1.0.3 only contains the security fix applied on 1.0.2?

http://trac.bbpress.org/changeset/2930

However it's easy to test.

Checkout a copy from the trunk, then do a "switch" to tag/1.0.3 and see what files (if any are changed).

The SVN itself may disclose more details but let's see what happens...

ah no, I forgot the trunk is actually 1.1

Yeah 1.0.3 is a branch from 1.0.2, not the trunk.

If a fix wasn't committed to the 1.0 branch, it won't be in 1.0.3

But you can always use the trunk for 1.1 preview

http://seclists.org/fulldisclosure/2011/Mar/155

I suspect it was not enough time but there never is.

Note that my "block-long-queries" mini-plugin will protect you from this kind of attack and other yet unknown ones via the URL (GET requests)

http://bbpress.org/forums/topic/bbpress-103-released#post-84690

It will work in both bbPress and WordPress

There is really no reason to allow URIs to be longer than 255 characters but apache will allow up to 4000 by default which can carry a massive payload. I have seen some wordpress installs that need that limit bumped up to 320 or even 512, something about the akismet plugin needs very long URIs for some bad reason.

I need to update "check-for-updates" though.

(you'll only need to update bb-attachments-init.php)

Sometimes it's frustrating for users like me to get information about bbPress developments. I'd expect news to be posted here on the forum. Then there's bbpdevel.wordpress.com, but that hasn't been updated since September. I'm sure there's info in IRC logs too. It seems there are many places for information to be posted, and it's not always the place I expect it.

Anyway, I really do appreciate the information, and I'm looking forward to 1.1 (and also an update to the 0.9 branch).

If you can't wait for a public release, download the trunk and do some testing. :)

And the greatest things in life just aren't free.

That said, I do believe the bbPress WordPress plugin will get an easy intergration eventually.

wordpress will use one theme and bbpress as a plugin will need its own theme.

@devs
dont read my comments as destructive but i feel as a user the need to voice my opinion, as a user i dont have the "god like" ability to master css/php or port my wordpress theme to a bbpress theme, its like you're creating a forum plugin and making it difficult to use or integrate visually with wordpress...a forum plugin only for the "code masters". try and go the simple:press or mingle forum way or have that possibility.

I share many of your concerns. I too have stumbled onto the Mingle Forum plug-in.

I have it installed along with the Mingle plug-in. This turns a WordPress site into a BuddyPress-like site with an extremely short learning curve. I had both installed, tweaked on the code to remove a couple of links that I didn't want, modified the CSS to make a near perfect style match to my theme, and understood how to configure administrate the forum in about 3 hours.

I am not a code monkey and cannot compare the pros and cons of how Mingle Forums stacks up against the bbPress plug-in or any other solutions. The security vulnerability has also been resoled to my satisfaction.

Before I implement a solution I am more concerned with its support and sustainability. Both plug-ins have have over 50,000 downloads and the Mingle Forum plug-in was last updated 20 days ago. I had one problem/question with the installation and it was answered by the plug-in's author within hours. Within the last 5 days the Mingle Forum's author has posted 5 videos instructional videos on YouTube (http://www.youtube.com/user/cartpauj). All indications are that this project is alive and well.

I am going to go live with it this week and plan to use it until another plug-in solution, which is better, becomes available.

Packages/Versions Affected: Confirmed on 1.0.24 and 1.0.26

the plugin is at version 1.0.28 see changelog here
http://wordpress.org/extend/plugins/mingle-forum/changelog/

why did you give a link saying the vulnerabilities were fixed when you were implying the opposite?

01/07/2011 Plugin maintainer releases update that addresses these
vulnerabilities.

whoever uses older bbpress versions also have that problem

http://vanillaforums.com/blog/news/vanilla-wordpress-plugins-and-widgets/

Today while browsing an "drupal7 vs joomla 1.6" article i found a forum plugin for wordpress:

The Mingle Forum Plugin
http://cartpauj.com/projects/mingle-forum-plugin/

no need to ftp files, you can install it from within wordpress plugin page, no need for extra themes, it can use whatever theme wordpress uses, international localization/languages etc etc

@bbpress devs: in my opinion you're overcomplicating something that should be "easy as 1,2,3" in bbpress (theme integration), you're "integrating" not the opposite, lots and lots of people voiced their problems with complicated integrations or deep integration, why insist on having separate thmes for something that "uses" wordpress that itself already uses a theme. Make it simple.

REQUIREMENTS:
PHP 5.x
WordPress 3.0 or newer

FEATURES:

* NEW! SEO Friendly URLs
* NEW! Forum sitemap (../wp-content/plugins/mingle-forum/sitemap.php)
* NEW! Adsense areas
* Media embedding into forum posts (like Youtube, Flickr, Photobucket…)
* WordPress 3.0 ready!
* Categories with sub-forums
* User Groups
* User Levels (EX: Newbie, Beginner, Pro…)
* Private Messages – Forum integrates seamlessly with my Cartpauj PM Plugin (Requires Cartpauj PM vs. 1.0.09 or greater)
* Moderators
* Skins
* Captcha
* BB Code
* Smilies
* Custom Forum Search
* Guest posts (See Mingle Forum Guest Info add-on by wpweaver)
* Hot/Very Hot topics
* Sticky (Pinned) Topics
* Move, Edit, Remove and Close topics
* Forum RSS Feeds
* Email notifications on replies to topics
* Recent posts widget (or PHP shortcode for your theme)
* Integrates nicely with most themes (It’s tough to make it work for all themes so some skin modifications may be required for your site)
* Allow/Dis-allow other users to view your profile from the Forum
* Supports different languages
* Integrates with the Mingle Plugin (by Blair Williams) NOTE: The “Mingle” plugin is NOT required for forum to work
o Avatars
o Profile’s (Works with/without Pretty Profile URLs enabled in Mingle settings)
o Activity in the forum shows up as activity in mingle (Helps increase discussion in both your forums and your SN)
o Deleted forum topics will also delete the corresponding Mingle board post

Screenshots
http://www.flickr.com/photos/ricardouk/sets/72157625882755704/