UTF-8 CuteNews Changelog

Changes and additions to UTF-8 CuteNews

UTF-8 CuteNews 9.0.1 (Feb 24 2011)
  • Poor error handling of the date translation feature. Fix by FUNimations - thanks!
  • Bug: Full story field disappearing in the presence of quotes fixed.
A big thank-you to the users who reported these issues!

UTF-8 CuteNews 9.0 (Dec 31 2010)
  • Translatable dates
  • Negative categories
  • Safer password hashing algorithm: SHA-256
  • No reduced functionality in smiley insertion due to IE8 fix
  • Password strength shown (making users more security-aware)
  • New module: Additional features & settings
    • Anti-spam (text or image-based) implemented
    • Statistics, file checks & auto-fix
    • Manage login bans
    • Action log ("Hardlog")
  • New anti-CSRF code, because the one in v.8b was buggy
  • $_GET may not contain arrays bug fix (thanks soriya)
  • "Category Exists" bug fix (thanks Sergio)
  • Various small bug fixes and code clean-ups

Version 8b (Mar 13 2010)
A fix for a security flaw has been included in the UTF-8 CuteNews 8b .zip. Thanks to Stephan for reporting!

Version 8b (Nov 08 2009)
This update mainly contains a multitude of security fixes which have been mostly found by Andrew of MorningStar Security.
  • Anti-CSRF tokens added in addnews, editnews, editcomments, ipban, options.
  • E-mails of newly registered users hidden by default (more privacy).
  • New tag in Comments template: {author-name} (commenter name without e-mail address)
  • Input check in search.php
  • UTF-8 bug: < and > in category icon URLs falsely replaced, fixed.
  • UTF-8 bug fixed: negative numbers in date_adjust weren't accepted. (Reported by hihi92)
  • Invalid source parameter can cause error messages in Edit News module, fixed.
  • Editors can only edit articles they are allowed to (security hole fixed).

Version 8 (Oct 02 2009)
  • Added code to suppress output by the inclusion of /data/english.clf (= user cannot log in).

Version 8 (Sep 26 2009)
  • CuteNews messages can be shown in multiple languages! New Languages module in Options.
  • Search function understands foreign characters properly.
  • Improved security for cookies & sessions.
  • Internet Explorer 8 compatibility. Thanks FUNimations!
  • UTF-8 CuteNews Admin panel not indexed by search engines anymore (= not findable by Google etc.)
  • Login ban for password prompt in comments, too. (= no security hole)
  • Multiple categories icon bug fixed.
  • Search parameter "title" can have foreign characters.
  • Bug: $start_from = 0; in integration wizards not recognized.
  • Bug: Last login date erased upon password reset.
  • Case-sensitivity bug in lost password procedure.
  • E-mails now hidden by default (= less spam).
  • UTF-8 CN bug: bad characters upon password prompt in comments.
  • ereg_replace() (deprecated as of PHP 5.3.0) replaced in /inc/editnews.mdu

Version 7 (4) (Aug 21 2009)
  • Syntactical PHP error in /inc/editusers.mdu removed. Thanks Mikuliz!

Version 7 (3) (Aug 20 2009)
  • Empty fields that have to be numeric in System Configurations are replaced with 0 and do not produce an error message.

Version 7 (2) (Aug 19 2009)
  • UTF-8 CuteNews bug: Double quotes (") replaced with the HTML entity &#34; in Add News, Edit News and comments (messed up HTML and BBCode code). Thanks Schafschuetzer!

Version 7 (Aug 15 2009)
  • New feature: Ban IP address after too many unsuccessful logins.
  • JavaScript should now work in IE8 as well. Thanks FUNimations!
  • All functions which are deprecated as of PHP 5.3.0 replaced (session_register(), ereg(), eregi() and split()).
  • Case-sensitivity bug: registering names possible twice.
  • RSS feed now W3C-compliant.
  • Case-sensitivity bug: category names can be used multiple times with different upper- and lowercase.
  • Stripslashes() only used when magic_quotes are enabled. (Fixes security flaws.)
  • Foreign character support for category names.
  • Titles and comments shortened (properly) in Edit News when necessary.
  • 3 new input checks in /inc/editnews.mdu.
  • Hole with which user could still delete/edit himself fixed.
  • Case-sensitivity bug when creating a user.
  • | not filtered properly in /inc/editusers.mdu: desynchronizes database.
  • Query string input checks (disables potential hacking attempts; disables easy PHP error message generation).
  • Bug in send_mail() (/inc/functions.inc.php) fixed.
  • Advanced error handling when auto-archive is performed.
  • /inc/install.mdu: input checks, character support for nickname, effective file check
  • Look-up option for ban entries containing a wildcard (*) removed (doesn't work)
  • Additional "Date expects parameter 2 to be long" PHP error message fixed in /inc/main.mdu
  • Bug fixed: Auto-archive notification never disappears.
  • /inc/options.mdu: Input checks, code cleanup, bug: call for Error.gif instead of error.gif (twice), [delete template] link not shown for RSS template
  • Foreign character support for the RSS feed title.
  • Input checks in /inc/wizards.mdu

Version 6 (Jun 27 2009)
  • $PHP_SELF bug: Reference to index.php despite different $PHP_SELF. (Files affected: index.php; register.php; /inc/: main.mdu, tools.mdu, wizards.mdu.) Thanks Yuriy.
  • getenv() replaced with $_SERVER (IIS does not support getenv()) in /inc/shows.inc.php.
  • Wordwrap did not function properly. (/inc/shows.inc.php and /inc/functions.inc.php)
  • /inc/options.mdu:
    • Bug: Commenter could not save personal options.
    • No menu items which commenter cannot access.
    • HTML cleanup.
    • Bug: Call for Error.gif instead of error.gif
  • HTML cleanup in /inc/install.mdu
  • /inc/editusers.mdu: Admin cannot change own permission level anymore. (= More security.)

Version 5 (May 09 2009)
  • /inc/help.mdu: Input not "XSS" vulnerable
  • /inc/editusers.mdu
    • UTF-8 CN bug: password was required when editing a user
    • UTF-8 CN bug: error message, despite successful code
  • /inc/tools.mdu
    • Input filter (CuteNews core files could be deleted!)
    • Input which creates error messages now blocked
  • /inc/wizards.mdu: Smarter input filters in news integration
  • example2.php: Smaller in filesize, tidied up HTML
  • /inc/main.mdu: UTF-8 CN bug: Footer not shown when news disabled

Version 4 (Apr 15 2009)
  • More input filters (= more secure)
  • Foreign characters allowed in nickname
  • Admin cannot accidentally delete himself
  • Various grammar problems
  • Fixed mail notifications (characters display properly now)
  • More UTF-8 checks. (Halts script if it cannot process input)
  • Potential XSS flaw fixed.

Version 3 (Mar 28 2009)
  • Bug fix: Newlines now preserved after disabling WYSIWYG editor.
  • Potential security flaws fixed.
  • More user input checks (if e-mail address is correct, etc.)
  • <br> automatically changed to <br /> in WYSIWYG.
  • Possible require() error fixed.
  • Halts script if data is not sent under UTF-8 (= no blank posts).

Version 2 (Mar 12 2009)
  • Bug fix: Quotes were replaced with their entities when using WYSIWYG editor. Thanks to Justi & Maismeel from the CutePHP forums for reporting!
  • Edit News: Yet another instance where the symbol | was being replaced with I.