Kusaba X

"What all true warriors strive for"

Recent SVN Commits

Rev. by -

1.0 - Another update! by harrison - 04/01/13 @ 04:48 PM EDT #

Hello everyone!

It's been a long while since any news about the next version of Kusaba X has come out, so we figured it's time for an update.

In the past couple of days, we came up with a plan to get the next version under development again. It's made up of a few parts, so bear with me.

  1. Add nothing more to the current version in Git--Instead, focus on getting what we have currently to 80-90% completion
  2. Set up a developer preview and live install
  3. Get other developers involved - Edaha is completely modular (unlike Kusaba X) and will be much more extensible

If you want to take part, let us know through either IRC or posting in /c/.

As it turns out, Edaha isn't in too bad of a state. That said, the only date we can give for the developer preview is soon.

Edaha also has a GitHub Organization now. If you want to contribute via Git, check it out.

1.0 Update by Sazpaimon - 02/13/12 @ 01:28 AM EST #

Well hello everyone. I'm here to let everyone know that work on the next version of Kusaba X has NOT been abandoned. We've made some good headway recently, and I have been preparing getting a developer preview ready for public consumption. One main problem right now is simply being busy with other projects (like ones that make us money), to finish off the remaining few things. We're working on this, we promise! It's just been taking longer than expected. If you want to help us reach our goal faster, please contact me on /c/ or IRC with your E-Mail, and I promise to get back to you. Or you can check out a fresh copy of 1.0 from our SVN (or my GitHub) repository and send us patches yourself. Two major things preventing us from releasing a developer preview are: API Documentation (I'm working on this myself since I wrote the API), revamped internationalization support, and an installer. So again, please drop us a line if you're interested in helping out!

XSS Fix by Harrison - 12/13/11 @ 01:41 PM EST #

An XSS vulnerability was found in board.php that again was linked to oekaki. There won't be a new release to fix this, however you can download a replacement board.php to replace the current one here.

Also, the site search in the menu has been fixed and now works correctly. Try it out!

Kusaba X 0.9.3 released! by Sazpaimon - 07/26/11 @ 03:02 PM EDT #

Kusaba X 0.9.3 released!

Today we are releasing Kusaba X 0.9.3. While we did say that 0.9.2 would hopefully be the final release of the 0.9 series, some old bugs from years ago lingered that we decided to fix. Additionally, since Kusaba's original captcha is old and very easy to crack, we have decided to implement reCAPTCHA into the 0.9 family. This is probably the closest thing to a new feature 0.9 will ever get, so be thankful.

Also, it is worth noting that not too long ago, someone posted what appears to be an exploit affecting 0.9.2. Upon investigation, this exploit, if you can even call it that, is very minor, in that it requires admin access to pull off in the first place, and there are currently no known privilege escalation exploits in KX. Nevertheless, we have included a potential fix for this, which also fixes a bug that allows users to upload non-image files with the same name as one already posted and overwrite the original (We had actually fixed this years ago, but it somehow never made it into 0.9.1). Still, it goes without saying that you should always remember to keep your admin login safe, and only give admin access to people you know and trust.

Kusaba X 0.9.3 Full (for fresh installs)
Kusaba X 0.9.3 Upgrade (for updating from 0.9.2)

Full list of changes:
Added reCAPTCHA. Replaces default captcha for everything but replies for text boards (due to limitations of reCAPTCHA).
Updated links in README and footer files (kusabax.org->kusabax.cultnet.net).
Fixed one more rare invalid token error.
Fixed reply counts not showing up on upload boards.
Fixed broken no-read bans (Hopefully).
Fix bug where users could upload non-image files of the same name as one already posted and overwrite the original.
Removed old debugging code from manage.

Kusaba X 0.9.2 released! by Harrison - 04/27/11 @ 09:15 PM EDT #

Image previously posted

Kusaba X 0.9.2 has been released! (See update)

Update: Fixed "Invalid Token" error when trying to delete a board. redownload if you downloaded before 8:22PM EST. If you already did the full install, you can just replace manage.class.php with the one in the upgrade release.

Today we are releasing what will (hopefully) be the FINAL release in the 0.9 family. This release serves mainly as a security release, though it also fixes a few bugs.

It was brought to our attention that animation.php was vulnerable to XSS. Additionally, manage.class.php has been vulnerable to CSRF its entire life (dating back to Trevorchan!) Both issues are fixed in this release.

And I figure I might as well write an update on 1.0. It is well along in development. The main core has been rewritten to take advantage of OOP, and posting is working. If you'd like to give us a hand, talk to Sazpaimon in IRC (irc.splitnet.net #kusabax) or post in /c/ with your contact information.

Kusaba X 0.9.2 Full (for fresh installs)
Kusaba X 0.9.2 Upgrade (for updating from 0.9.1)

Fixed XSS issues in animation.php and manage.class.php (r285)
Fixed bug that resulted in multiple ban messages appearing on the last selected post when banning multiple posters at once. (r253+r255)
Oekakis with non-standard dimensions now display their animations correctly. (r244)

Kusaba X 0.9.1 Released! by Sazpaimon - 02/15/10 @ 01:19 PM EST #

Today we are releasing version 0.9.1 of Kusaba X. This is a maintenance release that fixes several bugs and issues since 0.9 was released last year, and a major security update that fixes a problem whereby an attacker can take over or potentially delete your board via the reports panel.
I repeat, this release fixes a major security flaw.

You can download the files below:

Kusaba X 0.9.1 Full (for fresh installs).
Kusaba X 0.9.1 Upgrade (for updating an already configured 0.9 install).

The Sourceforge page will be updated shortly.
Also, version 1.0 is slowly being developed. We have hit a few roadblocks in development but we are still actively working on it. If you would like to aid in developing 1.0 with us, give me (Sazpaimon) a holler on IRC (irc.splitnet.net #kusabax) or post on /c/ with any contact info for us to drop you a line.


Added missing <body> tag on the "You are banned!" page
Sanitized report reasons to prevent XSS attacks
Add escaping for Rules, FAQ, and News database entry
Fixed a couple issues with r234
Fix announcements from not being deleted.
Backported some code from trunk to fix displaying omitted posts/images in SQLite installs.
Fix a bug where load balancer enabled boards cannot delete files.
Another fix for strict MySQL installs.
Fix for an installation error with MySQL set to strict mode, specifically STRICT_TRANS_TABLES. This should fix that
Backported dwoo.php from trunk to stable to fix a rare installation error with some PHP installs.
Added some minor javascript fixes.
Removed unused variables from board.php
GetID3 used now deprecated functions like ereg and set_magic_quotes_runtime. Convert ereg to preg_match and throw an error if magic quotes are enabled on PHP >= 5.3.
ereg() is deprecated in PHP 5.3 and thus returns an E_DEPRECATED message, replaced with preg_match()
Fixed some typos and other things that completely break bans and FAQ/Rules editing on PostgreSQL (and possibly SQLite)
Fixed bug in proxyban
Fix a bug where a link would not be properly parsed if the character immediately after it isn't a space (for example, [spoiler]http://www.google.com[/spoiler])
Fixed an extremely rare bug where a tag would be partially opened on the board page due to it being cut off by the log message filter. You'll probably never have this happen anyway.
Added a div to non-text board thread templates.
Enclosed a word around {t}...{/t} in the header templates.
Removed the completely unused $tpl_irc variable from menu.class.php

0.9 has been released! by Harrison - 05/25/09 @ 02:01 AM EDT #


After numerous beta and RC released, Kusaba X 0.9 has finally been released. A lot of things have changed in 0.9, but that will be gone over later. You can download Kusaba X 0.9 Final here.

Update: A partial changelog from 0.8 to 0.9 can be found here

Kusaba X RC2 by Harrison - 05/16/09 @ 08:32 PM EDT #

RC2 of Kusaba X has been released. You can get it here.

GIRUGAMESH by Harrison - 05/01/09 @ 12:55 AM EDT #

KusabaX.org got hit with Girugamesh spam. I'm a lazy person and don't feel like fixing it right now, so I locked every board.





Updates by Harrison - 04/29/09 @ 08:25 PM EDT #

Today, the site was down for about an hour while I updated the site to the latest RC version of Kusaba X. If you encounter any errors, post them in /sup/.

Kusaba X 0.9 Release Candidate by Harrison - 04/25/09 @ 12:17 AM EDT #

Kusaba X 0.9 has been upgraded to RC status. You can find the download here.

EDIT: 7chan is down, get it here.

0.9 Beta by Harrison - 04/11/09 @ 11:33 PM EDT #

A public beta for 0.9 can be found here. Report any bugs you find in that thread, or in the /sup/ board.

Another fix. by Harrison - 01/06/09 @ 06:43 AM EST #

This is another fix for the Apache bug. Instead of renaming files, this adds .htaccess files to each /boarddir/src/. Download it, run it from your webroot (same folder as config.php), and then delete it. You can get it here.

EDIT: I'm a dumbass, clear your cache and redownload it.

Another Exploit, this time in Apache by Harrison - 01/03/09 @ 04:19 PM EST #

As you all know, while I was gone, KusabaX.org was "hacked". It wasn't due to the software though, instead, it was due to how Apache (The webserver) would handle unknown file types.

For example, if you allowed filetype XM, and your server wouldn't send the correct MIME type for that, you would be vulnerable. In the case it doesn't recognize a filetype, Apache would look for another one. So if someone uploaded, let's say, blah.php.xm, Apache would see XM, go WTF, and then go to PHP and execute it.

Anyways, now that the details are explained, you can download /inc/classes/upload.class.php here.

EDIT: Hey, it looks like Serissa is using our patch as well.

paint_save.php by harrison - 12/23/08 @ 01:06 AM EST #

As you all know, back in October I released a patch for the exploits. However, it turns out that the exploit fix has broken, and is no longer allowing files to be uploaded to /kusabaoek/. I just released a new version of the patch to fix this problem. You can get it here.

NSFW by Harrison - 12/21/08 @ 05:08 PM EST #

Alright, I just realized that I need to start cracking down on the posting of NSFW images. We use Google Adsense, so posting them can get our account deactivated. From now on, I will be deleting any NSFW images.

S2KX by Harrison - 12/14/08 @ 03:06 PM EST #

I added a script to allow people to upgrade from Serissa 1.0.5 to Kusaba X. You can get it here.

Kusaba X v0.8 Released! by Harrison - 10/15/08 @ 03:35 PM EDT #

I just added Kusaba X v0.8 to the downloads page.

Two major things: I moved the Mod link to be next to subject, to allow for modposting on Embed only boards.

If you are upgrading from Kusaba v1.0.4, you will need to backup your current config.php, upload the new files, and then edit the new config.php to work on your server.

Any errors you find go in /sup/

Kusaba X v0.8 - Download

UPDATE: If you downloaded the files before around 8:00PM EST, you will need to redownload them. I pulled a dumbass and forgot to test my last minute changes.

Release Today by HArrison - 10/15/08 @ 06:40 AM EDT #

At around 3PM EST today, I'll put the first release up for download.

Exploit Fixed! by harrison - 10/11/08 @ 03:20 PM EDT #

I just fixed the exploits that were posted here and here.

Kusaba Remote Code Execution Exploit Fix - Courtesy of Kusabax.org

Exploits by Harrison - 10/10/08 @ 04:12 PM EDT #

As you all should know by now, yesterday, 10/9/2008, two exploits were released for Kusaba 1.0.4. All current derivatives are vulnerable, including Kusaba X. I am working on a fix now, and I'm sure that the others are as well. Until then, the Oekaki board is closed due to exploits.

Kusaba X by Harrison - 10/08/08 @ 04:20 PM EDT #

I've decided to continue on with Kusaba, seeing as Trevor decided to back out on his support of Kusaba. I'm aiming for a first release either by the end of this week (10/10/08) or the middle of the month (10/15/08).

Got anything that you would like to see? Post it in Suggestions.

XHTML 1.0 Valid