We are using HTML5 APIs. Always. Plupload is based on multi-runtime polyfills for the XMLHttpRequest L2, File and Image APIs. So when there's no HTML5 available in the browser, we emulate it ourselves.
mOxie (the combined code name for these polyfills) is completely standalone and available separately.
Files can not only be picked from the browse dialog, but also dropped directly from the desktop. In some browsers, mostly WebKit-based ones, it is possible to drag and drop whole folders.
Notice: this feature will not work in some legacy browsers.
Since we emulate as much of HTML5 as possible, we are able (among other things) to provide access to raw file data, even in environments that do not normally support it. One of the biggest benefits of this is that we can display thumbnails instantly, right as you select the images in the dialog or drag and drop them from the desktop.
In some cases you would want to upload an image only to turn it into a tiny thumbnail or avatar (like 90x90). Then why waste the bandwidth? Wouldn't it be great if you could do it right there, on the client side, just before the actual upload? That's exactly what we can do. This feature can be applied in a broader scope than just avatars, but that's where it is at its best.
Files that have to be uploaded can be small or huge, up to several gigabytes in size. In such cases a standard upload may fail, since browsers still cannot handle it properly. We slice the files into chunks and send them out one by one. You can then safely collect them on the server and combine them into the original file.
As a bonus, this way you can overcome a server's constraints on uploaded file sizes, if any.
It started with just a few languages, and now we already have dozens. In order to manage them better and avoid common mistakes and typos as much as possible, we moved our internationalization (i18n) facilities to Transifex. If you think that the translation for your language can be better, or your language is not in our database at all, you are welcome to contribute. We will include the translation in all subsequent releases.
Features:
Is a fast and lightweight PHP-powered discussion board.
Released under the GNU General Public License.
Supports MySQL, PostgreSQL and SQLite databases.
Faster, smaller and less graphically intensive as compared to other discussion boards.
Has fewer features than many other discussion boards, but is generally faster and outputs smaller, semantically correct XHTML-compliant pages.
Very secure and has been tested for years.
Has a simple layout and design.
Easy to administrate and moderate.
Has source code you can read and understand.
Easy to modify.
A large number of modifications, styles and plugins are available.
Installation and upgrade instructions
Installation and upgrade instructions can be found in the included documentation (or at the ). I have also generated a couple of patch and hdiff files to assist those upgrading from older versions. These can be found in the .
The Russian version of PunBB+ can be downloaded here. It is a slightly modified version of PunBB+ to include UTF-8 support and also includes a couple of pre-installed modifications and plugins.
- The Kurdish version of PunBB+ can be downloaded here. It is a slightly modified version of PunBB+ to include full UTF-8 support, RTL adjusted style sheets and also includes a couple of pre-installed modifications and plugins.
Administration plugins - Administration plugins can be downloaded from the PunBB downloads page.
- For RTL (Right To Left) languages such as Arabic.
- Use it to flip css files to Right to Left direction (any css file or folder).
Recently a number of vulnerabilities were found in PunBB: PHP file inclusion and SQL injection.
The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. A remote authenticated user can execute an arbitrary PHP script on the target system. The vulnerability exists because of insufficient handling of input data in the 'profile.php' script. When the 'register_globals' option is enabled, a remote user can execute arbitrary SQL commands in the application's database. There is also a vulnerability in the handling of pun_include tags: a remote user can upload and execute an arbitrary PHP script on the target system.
Forum developers never stop delighting ordinary users with new versions of their products, and the users in turn delight ordinary script kiddies with their servers' resources. Just the other day, 2 new critical bugs were discovered in the popular punbb forum by a person named Stefan Esser.
And now I will try to explain how it all works.
First we need to escalate privileges to administrator using the SQL injection.
Open the following page in the browser:
http://site.ru/punbb/profile.php?id=*
save it to disk, and change the following line in Notepad: