UTF-8 CuteNews Changelog
Changes and additions to UTF-8 CuteNews
- Poor error handling in the date translation feature fixed. Fix by FUNimations - thanks!
- Bug fixed: the Full Story field disappeared when its content contained quotes.
UTF-8 CuteNews 9.0 (Dec 31 2010)
- Translatable dates
- Negative categories
- Safer password hashing algorithm: SHA-256
- The IE8 fix no longer reduces smiley-insertion functionality
- Password strength shown (making users more security-aware)
- New module: Additional features & settings
- Anti-spam (text or image-based) implemented
- Statistics, file checks & auto-fix
- Manage login bans
- Action log ("Hardlog")
- New anti-CSRF code, because the implementation in v8b was buggy
- Bug fix: $_GET values are no longer allowed to be arrays (thanks soriya)
- "Category Exists" bug fix (thanks Sergio)
- Various small bug fixes and code clean-ups
A fix for a security flaw has been included in the UTF-8 CuteNews 8b .zip. Thanks to Stephan for reporting!
Version 8b (Nov 08 2009)
This update mainly contains a large number of security fixes, most of them found by Andrew of MorningStar Security.
- Anti-CSRF tokens added in addnews, editnews, editcomments, ipban, options.
- E-mails of newly registered users hidden by default (more privacy).
- New tag in Comments template: {author-name} (commenter name without e-mail address)
- Input check in search.php
- UTF-8 bug fixed: < and > in category icon URLs were wrongly replaced.
- UTF-8 bug fixed: negative numbers in date_adjust weren't accepted. (Reported by hihi92)
- Fixed: an invalid source parameter could cause error messages in the Edit News module.
- Editors can only edit the articles they are permitted to edit (security hole fixed).
- Added code to suppress output produced by including /data/english.clf (that output prevented users from logging in).
- CuteNews messages can be shown in multiple languages! New Languages module in Options.
- Search function understands foreign characters properly.
- Improved security for cookies & sessions.
- Internet Explorer 8 compatibility. Thanks FUNimations!
- UTF-8 CuteNews admin panel is no longer indexed by search engines (i.e. not findable via Google etc.)
- Login ban now also applies to the password prompt in comments (closes a security hole).
- Multiple categories icon bug fixed.
- Search parameter "title" can have foreign characters.
- Bug fixed: $start_from = 0; in the integration wizards was not recognized.
- Bug fixed: last login date was erased upon password reset.
- Case-sensitivity bug in the lost-password procedure fixed.
- E-mails now hidden by default (less spam).
- UTF-8 CN bug fixed: garbled characters in the password prompt in comments.
- ereg_replace() (deprecated as of PHP 5.3.0) replaced in /inc/editnews.mdu
- PHP syntax error in /inc/editusers.mdu removed. Thanks Mikuliz!
- Empty fields that must be numeric in System Configuration are now set to 0 instead of producing an error message.
- UTF-8 CuteNews bug: double quotes (") were replaced with the HTML entity &quot; in Add News, Edit News and comments (which broke HTML and BBCode). Thanks Schafschuetzer!
- New feature: Ban IP address after too many unsuccessful logins.
- JavaScript should now work in IE8 as well. Thanks FUNimations!
- All functions which are deprecated as of PHP 5.3.0 replaced (session_register(), ereg(), eregi() and split()).
- Case-sensitivity bug fixed: the same name could be registered twice with different capitalisation.
- RSS feed now W3C-conformant.
- Case-sensitivity bug fixed: the same category name could be created several times with different upper- and lowercase spelling.
- stripslashes() is only applied when magic_quotes is enabled. (Fixes security flaws.)
- Foreign character support for category names.
- Titles and comments shortened (properly) in Edit News when necessary.
- 3 new input checks in /inc/editnews.mdu.
- Hole fixed: a user could still delete or edit their own account.
- Case-sensitivity bug when creating a user fixed.
- The | character was not filtered properly in /inc/editusers.mdu; since | is the field separator in the data files, an unfiltered one desynchronizes the database.
- Query string input checks (blocks potential attack input and prevents trivially triggered PHP error messages).
- Bug in send_mail() (/inc/functions.inc.php) fixed.
- Improved error handling when auto-archiving is performed.
- /inc/install.mdu: input checks, foreign-character support for the nickname, effective file check
- Look-up option for ban entries containing a wildcard (*) removed (it did not work)
- Additional "Date expects parameter 2 to be long" PHP error message fixed in /inc/main.mdu
- Bug fixed: auto-archive notification never disappeared.
- /inc/options.mdu: input checks, code cleanup; bug: Error.gif was requested instead of error.gif (twice); [delete template] link not shown for the RSS template
- Foreign character support for the RSS feed title.
- Input checks in /inc/wizards.mdu
- $PHP_SELF bug: index.php was referenced even when $PHP_SELF pointed elsewhere. (Files affected: index.php; register.php; /inc/: main.mdu, tools.mdu, wizards.mdu.) Thanks Yuriy.
- getenv() replaced with $_SERVER in /inc/shows.inc.php (getenv() does not work under IIS).
- Wordwrap did not function properly (/inc/shows.inc.php and /inc/functions.inc.php); fixed.
- /inc/options.mdu:
  - Bug fixed: commenters could not save personal options.
  - Menu items a commenter cannot access are no longer shown.
  - HTML cleanup.
  - Bug fixed: Error.gif was requested instead of error.gif
- HTML cleanup in /inc/install.mdu
- /inc/editusers.mdu: Admin can no longer change their own permission level. (More secure.)
- /inc/help.mdu: input is no longer XSS-vulnerable
- /inc/editusers.mdu
  - UTF-8 CN bug: a password was required when editing a user
  - UTF-8 CN bug: an error message was shown despite the code succeeding
- /inc/tools.mdu
  - Input filter (CuteNews core files could be deleted!)
  - Input that triggers error messages is now blocked
- /inc/wizards.mdu: Smarter input filters in news integration
- example2.php: Smaller in filesize, tidied up HTML
- /inc/main.mdu: UTF-8 CN bug: Footer not shown when news disabled
- More input filters (more secure)
- Foreign characters allowed in nickname
- Admin cannot accidentally delete himself
- Various grammar problems fixed
- Fixed mail notifications (characters display properly now)
- More UTF-8 checks (the script halts if it cannot process the input).
- Potential XSS flaw fixed.
- Bug fix: Newlines now preserved after disabling WYSIWYG editor.
- Potential security flaws fixed.
- More user input checks (e.g. whether the e-mail address is well-formed).
- <br> automatically changed to <br /> in WYSIWYG.
- Possible require() error fixed.
- Script halts if submitted data is not UTF-8 (no more blank posts).
- Bug fix: Quotes were replaced with their entities when using WYSIWYG editor. Thanks to Justi & Maismeel from the CutePHP forums for reporting!
- Edit News: yet another instance where the | symbol was being replaced with I, fixed.
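The anti-CSRF tokens added in 8b (addnews, editnews, editcomments, ipban, options) and rewritten in 9.0 work along the lines below. This block is an added illustration written for this page, not UTF-8 CuteNews's own code; the function names, the session key and the 403 response are my own choices, and it assumes PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not code from UTF-8 CuteNews: a per-session anti-CSRF token
// of the kind the 8b and 9.0 entries describe. Names below are my own.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';   // assumed session/form field name

// Issue one token per session, drawn from the OS CSPRNG (random_bytes, PHP >= 7.0).
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_KEY]) || !is_string($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY];
}

// Hidden field to embed in every state-changing form (addnews, editnews, ipban, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the submitted token matches the session token.
// Kept free of globals so it can be exercised without a live session.
function csrf_valid($submitted, $expected): bool
{
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;   // missing, array-valued (?csrf_token[]=x) or no token issued yet
    }
    return hash_equals($expected, $submitted);   // constant-time, type-strict compare
}

// Guard to call at the top of any POST handler before acting on the request.
function csrf_check(): void
{
    if (!csrf_valid($_POST[CSRF_KEY] ?? null, $_SESSION[CSRF_KEY] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing anti-CSRF token.');
    }
}

// Usage in a module that modifies data:
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { csrf_check(); /* ... add/edit/delete ... */ }
```

The changelog does not say what was wrong with the 8b tokens. The checks in csrf_valid() cover the failure modes that usually break such schemes: a token that is absent or array-valued must fail rather than be skipped, the comparison must be constant-time and type-strict (hash_equals(), not ==), and the token must come from a CSPRNG rather than from mt_rand() or a hash of something the attacker can guess.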
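Three of the 8b entries above concern the same input path: stripslashes() applied only when magic_quotes is on, the unfiltered | that desynchronizes the database, and halting on data that is not UTF-8. The block below is an added illustration, not CuteNews code, that normalises one form field before it is written into a |-separated record (the separator role of | follows from the "desynchronizes database" entries); the function names and the &#124; substitution are my own choices, and mb_check_encoding() needs the mbstring extension.

```php
<?php
// Added example, not code from UTF-8 CuteNews: per-field normalisation before a
// value is written into a '|'-separated flat-file record. Function names and the
// '&#124;' substitution are assumptions made for this illustration.
declare(strict_types=1);

function clean_field(string $value): string
{
    // stripslashes() only undoes escaping that magic_quotes_gpc added; applying it
    // unconditionally strips legitimate backslashes from input. magic_quotes was
    // removed in PHP 5.4, so the guard only fires on the old installs it targets.
    if (PHP_VERSION_ID < 50400 && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Refuse input that is not valid UTF-8 rather than storing a blank or garbled
    // post (requires the mbstring extension).
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException('field is not valid UTF-8');
    }

    // '|' separates the fields of a record; one unescaped '|' shifts every later
    // field by a column, which is what "desynchronizes database" refers to.
    $value = str_replace('|', '&#124;', $value);

    // A line break would end the record early, so fold breaks to spaces.
    return str_replace(["\r\n", "\r", "\n"], ' ', $value);
}

// Joins cleaned fields into one record line.
function build_record(array $fields): string
{
    return implode('|', array_map('clean_field', $fields)) . "\n";
}

// Splits a stored record line back into its fields.
function parse_record(string $line): array
{
    return explode('|', rtrim($line, "\r\n"));
}

// Constructed sample input: the title carries both a '|' and a line break.
$record = build_record(['42', "Title | with pipe\nand newline", 'user', 'body']);
assert(count(parse_record($record)) === 4);   // still four columns after the round-trip
```

The replacement rather than removal of | keeps the user's text intact when it is rendered, while the strict UTF-8 check throws instead of silently truncating, which is the "no blank posts" behaviour the 8b entry describes.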