Anyone running a Wakaba board ought to read this.
There's a serious vulnerability in Wakaba 3.0.8 and below which lets anyone inject whatever HTML they want into posts. This can be fixed by removing a couple of lines in the get_decoded_hashref() and get_decoded_arrayref() subroutines in wakaba.pl, as shown in the included patch file. There should be no problem in making these changes.
Board moderators with no access to the board files may add /chr\([0-9]/ to spam.txt in order to fix the problem.