This release includes fixes for 2 security-related issues reported by Julien Ahrens (from www.innogames.com). We consider these issues to be very minor and very unlikely to be exploitable, so they have been included as part of the 1.5.8 fixes rather than as a separate patch. The issues fixed were:
- An image injection vulnerability in SWFUpload. This could allow a user to believe they were loading an image from your domain while it was being loaded from an external domain, which may lead to user confusion.
- A self-XSS related to uploading an invalid attachment file with a specially crafted filename. This can only be triggered by the user uploading the file, so it would require tricking a user into uploading a file using your specified filename (using characters disallowed in filenames by Windows) to exploit. (An XSS may allow an attacker to steal data or cause a user to take actions without their consent or knowledge.)

Thanks again to Julien for reporting these issues to us.

Some of the other bugs fixed in 1.5.8 include:
- Ensure message length limits are enforced in conversations.
- Clean up like counts on profile post comments when the comment is deleted or the containing profile post is deleted.
- Log IPs when a session is created from a "stay logged in" cookie.
- Fix an issue where content pasted into the rich text editor could have spaces stripped out unexpectedly.
- When an add-on is updated, make sure JS files are recached as they may have changed.
- Allow reports for posts that were in a forum that has since been deleted to be viewable.
- Only allow form textareas to be vertically resizable by default.
- Attempt to force TLSv1 with connections to PayPal when it's unclear if TLS 1.2 is supported.
- Make the meaning of certain subscription-related IPN callbacks from PayPal clearer in the transaction log.
- Allow the PayPal IPN handler to be extended by add-ons.
- Fix an issue where inserting a spoiler into the rich text editor could lose the current selection.
- Remove an unexpected scrollbar from the second (and further) lightbox created on a page.
- Fix a case where accounts imported from IPB did not authenticate properly if their password contained certain special characters.
- Respect custom BB codes that disable BB code parsing within them when setting up the rich text editor.