diff -urN punbb-1.2.6/upload/admin_bans.php punbb-1.2.14/upload/admin_bans.php
--- punbb-1.2.6/upload/admin_bans.php	Thu Jul  7 19:31:54 2005
+++ punbb-1.2.14/upload/admin_bans.php	Sat Oct 14 18:40:30 2006
@@ -192,6 +192,8 @@
 
 	if ($ban_user == '' && $ban_ip == '' && $ban_email == '')
 		message('You must enter either a username, an IP address or an e-mail address (at least).');
+	else if (strtolower($ban_user) == 'guest')
+		message('The guest user cannot be banned.');
 
 	// Validate IP/IP range (it's overkill, I know)
 	if ($ban_ip != '')
diff -urN punbb-1.2.6/upload/admin_forums.php punbb-1.2.14/upload/admin_forums.php
--- punbb-1.2.6/upload/admin_forums.php	Sun Apr  3 20:48:30 2005
+++ punbb-1.2.14/upload/admin_forums.php	Sun Oct 15 18:27:14 2006
@@ -140,7 +140,7 @@
 		if (!preg_match('#^\d+$#', $disp_position))
 			message('Position must be a positive integer value.');
 
-		$db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.$forum_id) or error('Unable to update forum', __FILE__, __LINE__, $db->error());
+		$db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.intval($forum_id)) or error('Unable to update forum', __FILE__, __LINE__, $db->error());
 	}
 
 	// Regenerate the quickjump cache
@@ -186,9 +186,9 @@
 			$result = $db->query('SELECT g_id, g_read_board, g_post_replies, g_post_topics FROM '.$db->prefix.'groups WHERE g_id!='.PUN_ADMIN) or error('Unable to fetch user group list', __FILE__, __LINE__, $db->error());
 			while ($cur_group = $db->fetch_assoc($result))
 			{
-				$read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? $_POST['read_forum_new'][$cur_group['g_id']] : '0' : $_POST['read_forum_old'][$cur_group['g_id']];
-				$post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? $_POST['post_replies_new'][$cur_group['g_id']] : '0';
-				$post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? $_POST['post_topics_new'][$cur_group['g_id']] : '0';
+				$read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? '1' : '0' : intval($_POST['read_forum_old'][$cur_group['g_id']]);
+				$post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? '1' : '0';
+				$post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? '1' : '0';
 
 				// Check if the new settings differ from the old
 				if ($read_forum_new != $_POST['read_forum_old'][$cur_group['g_id']] || $post_replies_new != $_POST['post_replies_old'][$cur_group['g_id']] || $post_topics_new != $_POST['post_topics_old'][$cur_group['g_id']])
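Review bot: The change detection on the last line of this hunk still compares against `$_POST['read_forum_old']`, `$_POST['post_replies_old']` and `$_POST['post_topics_old']`, which are client-supplied and not checked with isset(). The new values are now forced to '1'/'0', but whether a row is written at all is still decided by what the request claims the old state was. Reading the current permissions from the database inside the loop would remove that dependency. If the hidden fields stay, at least normalise all three the same way, e.g. `$read_forum_old = isset($_POST['read_forum_old'][$cur_group['g_id']]) ? intval($_POST['read_forum_old'][$cur_group['g_id']]) : 0;`. The loop body continues outside the hunk.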
diff -urN punbb-1.2.6/upload/admin_groups.php punbb-1.2.14/upload/admin_groups.php
--- punbb-1.2.6/upload/admin_groups.php	Thu Jul  7 19:31:54 2005
+++ punbb-1.2.14/upload/admin_groups.php	Sat Oct 14 18:41:54 2006
@@ -243,11 +243,11 @@
 	}
 	else
 	{
-		$result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\' AND g_id!='.$_POST['group_id']) or error('Unable to check group title collision', __FILE__, __LINE__, $db->error());
+		$result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\' AND g_id!='.intval($_POST['group_id'])) or error('Unable to check group title collision', __FILE__, __LINE__, $db->error());
 		if ($db->num_rows($result))
 			message('There is already a group with the title \''.pun_htmlspecialchars($title).'\'.');
 
-		$db->query('UPDATE '.$db->prefix.'groups SET g_title=\''.$db->escape($title).'\', g_user_title='.$user_title.', g_read_board='.$read_board.', g_post_replies='.$post_replies.', g_post_topics='.$post_topics.', g_edit_posts='.$edit_posts.', g_delete_posts='.$delete_posts.', g_delete_topics='.$delete_topics.', g_set_title='.$set_title.', g_search='.$search.', g_search_users='.$search_users.', g_edit_subjects_interval='.$edit_subjects_interval.', g_post_flood='.$post_flood.', g_search_flood='.$search_flood.' WHERE g_id='.$_POST['group_id']) or error('Unable to update group', __FILE__, __LINE__, $db->error());
+		$db->query('UPDATE '.$db->prefix.'groups SET g_title=\''.$db->escape($title).'\', g_user_title='.$user_title.', g_read_board='.$read_board.', g_post_replies='.$post_replies.', g_post_topics='.$post_topics.', g_edit_posts='.$edit_posts.', g_delete_posts='.$delete_posts.', g_delete_topics='.$delete_topics.', g_set_title='.$set_title.', g_search='.$search.', g_search_users='.$search_users.', g_edit_subjects_interval='.$edit_subjects_interval.', g_post_flood='.$post_flood.', g_search_flood='.$search_flood.' WHERE g_id='.intval($_POST['group_id'])) or error('Unable to update group', __FILE__, __LINE__, $db->error());
 	}
 
 	// Regenerate the quickjump cache
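Review bot: `intval($_POST['group_id'])` is now repeated in both queries of this branch, so the next query added here can easily forget the cast. Assigning it once at the top of the branch, `$group_id = intval($_POST['group_id']);`, and interpolating `$group_id` in both statements keeps the sanitised value in one place. The other unquoted values in the UPDATE (`$user_title`, `$read_board`, `$post_flood` and so on) are assigned outside this hunk, so their casting should be confirmed there.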
@@ -264,7 +264,7 @@
 	confirm_referrer('admin_groups.php');
 
 	$group_id = intval($_POST['default_group']);
-	if ($group_id < 1)
+	if ($group_id < 4)
 		message($lang_common['Bad request']);
 
 	$db->query('UPDATE '.$db->prefix.'config SET conf_value='.$group_id.' WHERE conf_name=\'o_default_user_group\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error());
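Review bot: The new lower bound `4` is a magic number. The common.php hunk in this diff shows `define('PUN_MEMBER', 4)`, so `if ($group_id < PUN_MEMBER)` would state the intent (no admin, moderator or guest group as the default) and survive a renumbering. A short comment such as `// The default group must be an ordinary member group, never a privileged or guest one` would help. The code visible here also does not confirm that a group with this id exists before writing it to the config.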
diff -urN punbb-1.2.6/upload/admin_index.php punbb-1.2.14/upload/admin_index.php
--- punbb-1.2.6/upload/admin_index.php	Sun Mar 20 20:13:24 2005
+++ punbb-1.2.14/upload/admin_index.php	Fri Sep  2 16:03:20 2005
@@ -86,7 +86,7 @@
 	$load_averages = @explode(' ', $load_averages);
 	$server_load = isset($load_averages[2]) ? $load_averages[0].' '.$load_averages[1].' '.$load_averages[2] : 'Not available';
 }
-else if (preg_match('/averages?: ([0-9\.]+),[\s]+([0-9\.]+),[\s]+([0-9\.]+)/i', @exec('uptime'), $load_averages))
+else if (!in_array(PHP_OS, array('WINNT', 'WIN32')) && preg_match('/averages?: ([0-9\.]+),[\s]+([0-9\.]+),[\s]+([0-9\.]+)/i', @exec('uptime'), $load_averages))
 	$server_load = $load_averages[1].' '.$load_averages[2].' '.$load_averages[3];
 else
 	$server_load = 'Not available';
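Review bot: The Windows test here, `!in_array(PHP_OS, array('WINNT', 'WIN32'))`, differs from the one this same diff introduces in include/email.php, which uses `strtoupper(substr(PHP_OS, 0, 3))`. The exact-match list misses any other Windows value of PHP_OS, in which case `exec('uptime')` would still run. Using `strtoupper(substr(PHP_OS, 0, 3)) != 'WIN'` here keeps the two checks consistent.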
diff -urN punbb-1.2.6/upload/admin_options.php punbb-1.2.14/upload/admin_options.php
--- punbb-1.2.6/upload/admin_options.php	Thu Jul  7 19:31:54 2005
+++ punbb-1.2.14/upload/admin_options.php	Sun Oct 15 18:31:20 2006
@@ -46,6 +46,9 @@
 	if ($form['board_title'] == '')
 		message('You must enter a board title.');
 
+	// Clean default_lang
+	$form['default_lang'] = preg_replace('#[\.\\\/]#', '', $form['default_lang']);
+
 	require PUN_ROOT.'include/email.php';
 
 	$form['admin_email'] = strtolower($form['admin_email']);
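Review bot: The `default_lang` cleanup strips `.`, `\` and `/` but, unlike the matching hunks for profile.php and register.php in this diff, does not check that the language pack exists. A mistyped or tampered value would therefore be stored as the board-wide default and only fail later when the language file is loaded. Adding the same guard keeps the three places consistent: `if (!file_exists(PUN_ROOT.'lang/'.$form['default_lang'].'/common.php')) message($lang_common['Bad request']);`.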
@@ -63,6 +66,9 @@
 	if (substr($form['base_url'], -1) == '/')
 		$form['base_url'] = substr($form['base_url'], 0, -1);
 
+	// Clean avatars_dir
+	$form['avatars_dir'] = str_replace("\0", '', $form['avatars_dir']);
+
 	// Make sure avatars_dir doesn't end with a slash
 	if (substr($form['avatars_dir'], -1) == '/')
 		$form['avatars_dir'] = substr($form['avatars_dir'], 0, -1);
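Review bot: The `avatars_dir` cleanup removes NUL bytes only, so `..` segments and absolute paths are still accepted. The profile.php hunks in this diff show the stored value being concatenated into paths passed to getimagesize() and unlink(), so a wrong directory here redirects every avatar write and delete. This form is admin-only, which limits the exposure, but rejecting the value unless it names an existing directory under the board root would make the setting fail safe. At minimum the comment should say what is being cleaned and why, e.g. `// Strip NUL bytes so the path cannot be truncated when passed to filesystem functions`.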
@@ -117,7 +123,7 @@
 	while (list($key, $input) = @each($form))
 	{
 		// Only update values that have changed
-		if (isset($pun_config['o_'.$key]) && $pun_config['o_'.$key] != $input)
+		if (array_key_exists('o_'.$key, $pun_config) && $pun_config['o_'.$key] != $input)
 		{
 			if ($input != '' || is_int($input))
 				$value = '\''.$db->escape($input).'\'';
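Review bot: The switch from isset() to array_key_exists() deserves a comment, because the two look interchangeable and a later cleanup could revert it. Presumably the reason is that a config entry whose current value is NULL fails isset() and could then never be updated from this form. Something like `// array_key_exists(), not isset(): options currently stored as NULL must still be updatable` above the condition would record that. The same applies to the identical change in admin_permissions.php.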
diff -urN punbb-1.2.6/upload/admin_permissions.php punbb-1.2.14/upload/admin_permissions.php
--- punbb-1.2.6/upload/admin_permissions.php	Thu Jul  7 19:31:54 2005
+++ punbb-1.2.14/upload/admin_permissions.php	Fri Sep  2 01:36:12 2005
@@ -39,23 +39,13 @@
 {
 	confirm_referrer('admin_permissions.php');
 
-	$form = array_map('trim', $_POST['form']);
-
-	$form['sig_length'] = intval($form['sig_length']);
-	$form['sig_lines'] = intval($form['sig_lines']);
+	$form = array_map('intval', $_POST['form']);
 
 	while (list($key, $input) = @each($form))
 	{
 		// Only update values that have changed
-		if (isset($pun_config['p_'.$key]) && $pun_config['p_'.$key] != $input)
-		{
-			if ($input != '' || is_int($input))
-				$value = '\''.$db->escape($input).'\'';
-			else
-				$value = 'NULL';
-
-			$db->query('UPDATE '.$db->prefix.'config SET conf_value='.$value.' WHERE conf_name=\'p_'.$key.'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error());
-		}
+		if (array_key_exists('p_'.$key, $pun_config) && $pun_config['p_'.$key] != $input)
+			$db->query('UPDATE '.$db->prefix.'config SET conf_value='.$input.' WHERE conf_name=\'p_'.$db->escape($key).'\'') or error('Unable to update board config', __FILE__, __LINE__, $db->error());
 	}
 
 	// Regenerate the config cache
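Review bot: `array_map('intval', $_POST['form'])` assumes the posted field is present and is a flat array. A missing or scalar `form` makes array_map() fail, and a nested array element is turned into 0 or 1 by intval() rather than rejected. A guard before the map keeps the unquoted `conf_value='.$input` interpolation dependent on a checked input: `if (!isset($_POST['form']) || !is_array($_POST['form'])) message($lang_common['Bad request']);`. Escaping `$key` and gating it on `array_key_exists('p_'.$key, $pun_config)` is a sound allow-list for the option name.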
diff -urN punbb-1.2.6/upload/admin_users.php punbb-1.2.14/upload/admin_users.php
--- punbb-1.2.6/upload/admin_users.php	Thu Jul  7 19:31:54 2005
+++ punbb-1.2.14/upload/admin_users.php	Sun Oct 15 18:27:14 2006
@@ -217,6 +217,7 @@
 
 	// trim() all elements in $form
 	$form = array_map('trim', $form);
+	$conditions = array();
 
 	$posts_greater = trim($_POST['posts_greater']);
 	$posts_less = trim($_POST['posts_less']);
@@ -256,7 +257,7 @@
 	$like_command = ($db_type == 'pgsql') ? 'ILIKE' : 'LIKE';
 	while (list($key, $input) = @each($form))
 	{
-		if ($input != '')
+		if ($input != '' && in_array($key, array('username', 'email', 'title', 'realname', 'url', 'jabber', 'icq', 'msn', 'aim', 'yahoo', 'location', 'signature', 'admin_note')))
 			$conditions[] = 'u.'.$db->escape($key).' '.$like_command.' \''.$db->escape(str_replace('*', '%', $input)).'\'';
 	}
 
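Review bot: The column allow-list uses in_array() without the strict flag, so `$key` is compared loosely against the column names. On PHP versions that convert strings to numbers for such comparisons, an integer array key of 0 compares equal to every non-numeric name and passes the check. Passing `true` as the third argument closes that gap: `in_array($key, array('username', 'email', /* ... */ 'admin_note'), true)`. With the allow-list in place, `$db->escape($key)` becomes redundant but harmless.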
@@ -266,9 +267,9 @@
 		$conditions[] = 'u.num_posts<'.$posts_less;
 
 	if ($user_group != 'all')
-		$conditions[] = 'u.group_id='.$db->escape($user_group);
+		$conditions[] = 'u.group_id='.intval($user_group);
 
-	if (!isset($conditions))
+	if (empty($conditions))
 		message('You didn\'t enter any search terms.');
 
 
diff -urN punbb-1.2.6/upload/edit.php punbb-1.2.14/upload/edit.php
--- punbb-1.2.6/upload/edit.php	Tue Jan 11 21:41:14 2005
+++ punbb-1.2.14/upload/edit.php	Fri Sep  2 16:05:32 2005
@@ -175,7 +175,7 @@
 else if (isset($_POST['preview']))
 {
 	require_once PUN_ROOT.'include/parser.php';
-	$message = parse_message(trim($_POST['req_message']), $hide_smilies);
+	$preview_message = parse_message($message, $hide_smilies);
 
 ?>
 <div id="postpreview" class="blockpost">
@@ -184,7 +184,7 @@
 		<div class="inbox">
 			<div class="postright">
 				<div class="postmsg">
-					<?php echo $message."\n" ?>
+					<?php echo $preview_message."\n" ?>
 				</div>
 			</div>
 		</div>
@@ -208,7 +208,7 @@
 <?php if ($can_edit_subject): ?>						<label><?php echo $lang_common['Subject'] ?><br />
 						<input class="longinput" type="text" name="req_subject" size="80" maxlength="70" tabindex="<?php echo $cur_index++ ?>" value="<?php echo pun_htmlspecialchars(isset($_POST['req_subject']) ? $_POST['req_subject'] : $cur_post['subject']) ?>" /><br /></label>
 <?php endif; ?>						<label><?php echo $lang_common['Message'] ?><br />
-						<textarea name="req_message" rows="20" cols="95" tabindex="<?php echo $cur_index++ ?>"><?php echo pun_htmlspecialchars(isset($_POST['req_message']) ? $_POST['req_message'] : $cur_post['message']) ?></textarea><br /></label>
+						<textarea name="req_message" rows="20" cols="95" tabindex="<?php echo $cur_index++ ?>"><?php echo pun_htmlspecialchars(isset($_POST['req_message']) ? $message : $cur_post['message']) ?></textarea><br /></label>
 						<ul class="bblinks">
 							<li><a href="help.php#bbcode" onclick="window.open(this.href); return false;"><?php echo $lang_common['BBCode'] ?></a>: <?php echo ($pun_config['p_message_bbcode'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
 							<li><a href="help.php#img" onclick="window.open(this.href); return false;"><?php echo $lang_common['img tag'] ?></a>: <?php echo ($pun_config['p_message_img_tag'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
diff -urN punbb-1.2.6/upload/extern.php punbb-1.2.14/upload/extern.php
--- punbb-1.2.6/upload/extern.php	Thu Jul  7 21:36:06 2005
+++ punbb-1.2.14/upload/extern.php	Wed Jul 27 23:25:16 2005
@@ -116,8 +116,8 @@
 	exit('The file \'config.php\' doesn\'t exist or is corrupt. Please run install.php to install PunBB first.');
 
 
-// Disable error reporting for uninitialized variables
-error_reporting(E_ALL);
+// Make sure PHP reports all errors except E_NOTICE
+error_reporting(E_ALL ^ E_NOTICE);
 
 // Turn off magic_quotes_runtime
 set_magic_quotes_runtime(0);
diff -urN punbb-1.2.6/upload/header.php punbb-1.2.14/upload/header.php
--- punbb-1.2.6/upload/header.php	Thu Jul  7 18:48:00 2005
+++ punbb-1.2.14/upload/header.php	Tue Feb 28 20:20:28 2006
@@ -131,7 +131,7 @@
 
 
 // START SUBST - <pun_page>
-$tpl_main = str_replace('<pun_page>', basename($_SERVER['PHP_SELF'], '.php'), $tpl_main);
+$tpl_main = str_replace('<pun_page>', htmlspecialchars(basename($_SERVER['PHP_SELF'], '.php')), $tpl_main);
 // END SUBST - <pun_title>
 
 
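Review bot: htmlspecialchars() is called with its default flags, which on the PHP versions this code targets leave single quotes unescaped. `$_SERVER['PHP_SELF']` includes client-controlled path info, and where `<pun_page>` lands in the template is not visible here, so if it is placed inside a single-quoted attribute the value could still break out. Passing the flag explicitly removes the dependency on the template: `htmlspecialchars(basename($_SERVER['PHP_SELF'], '.php'), ENT_QUOTES)`.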
diff -urN punbb-1.2.6/upload/include/common.php punbb-1.2.14/upload/include/common.php
--- punbb-1.2.6/upload/include/common.php	Thu Jul  7 19:38:16 2005
+++ punbb-1.2.14/upload/include/common.php	Tue Nov  1 01:06:56 2005
@@ -32,6 +32,15 @@
 if (!defined('PUN_ROOT'))
 	exit('The constant PUN_ROOT must be defined and point to a valid PunBB installation root directory.');
 
+
+// Load the functions script
+require PUN_ROOT.'include/functions.php';
+
+// Reverse the effect of register_globals
+if (@ini_get('register_globals'))
+	unregister_globals();
+
+
 @include PUN_ROOT.'config.php';
 
 // If PUN isn't defined, config.php is missing or corrupt
@@ -76,9 +85,6 @@
 define('PUN_GUEST', 3);
 define('PUN_MEMBER', 4);
 
-
-// Load the functions script
-require PUN_ROOT.'include/functions.php';
 
 // Load DB abstraction layer and connect
 require PUN_ROOT.'include/dblayer/common_db.php';
diff -urN punbb-1.2.6/upload/include/email.php punbb-1.2.14/upload/include/email.php
--- punbb-1.2.6/upload/include/email.php	Thu Apr  7 21:41:16 2005
+++ punbb-1.2.14/upload/include/email.php	Thu Sep 22 00:35:06 2005
@@ -75,15 +75,7 @@
 	$subject = trim(preg_replace('#[\n\r]+#s', '', $subject));
 	$from = trim(preg_replace('#[\n\r:]+#s', '', $from));
 
-	// Detect what linebreak we should use for the headers
-	if (strtoupper(substr(PHP_OS, 0, 3) == 'WIN'))
-		$eol = "\r\n";
-	else if (strtoupper(substr(PHP_OS, 0, 3) == 'MAC'))
-		$eol = "\r";
-	else
-		$eol = "\n";
-
-	$headers = 'From: '.$from.$eol.'Date: '.date('r').$eol.'MIME-Version: 1.0'.$eol.'Content-transfer-encoding: 8bit'.$eol.'Content-type: text/plain; charset='.$lang_common['lang_encoding'].$eol.'X-Mailer: PunBB Mailer';
+	$headers = 'From: '.$from."\r\n".'Date: '.date('r')."\r\n".'MIME-Version: 1.0'."\r\n".'Content-transfer-encoding: 8bit'."\r\n".'Content-type: text/plain; charset='.$lang_common['lang_encoding']."\r\n".'X-Mailer: PunBB Mailer';
 
 	// Make sure all linebreaks are CRLF in message
 	$message = str_replace("\n", "\r\n", pun_linebreaks($message));
@@ -91,7 +83,15 @@
 	if ($pun_config['o_smtp_host'] != '')
 		smtp_mail($to, $subject, $message, $headers);
 	else
+	{
+		// Change the linebreaks used in the headers according to OS
+		if (strtoupper(substr(PHP_OS, 0, 3)) == 'MAC')
+			$headers = str_replace("\r\n", "\r", $headers);
+		else if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN')
+			$headers = str_replace("\r\n", "\n", $headers);
+
 		mail($to, $subject, $message, $headers);
+	}
 }
 
 
diff -urN punbb-1.2.6/upload/include/functions.php punbb-1.2.14/upload/include/functions.php
--- punbb-1.2.6/upload/include/functions.php	Fri Jul  8 20:10:57 2005
+++ punbb-1.2.14/upload/include/functions.php	Sun Oct 15 18:36:14 2006
@@ -138,7 +138,10 @@
 	// Enable sending of a P3P header by removing // from the following line (try this if login is failing in IE6)
 //	@header('P3P: CP="CUR ADM"');
 
-	setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$password_hash))), $expire, $cookie_path, $cookie_domain, $cookie_secure);
+	if (version_compare(PHP_VERSION, '5.2.0', '>='))
+		setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$password_hash))), $expire, $cookie_path, $cookie_domain, $cookie_secure, true);
+	else
+		setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$password_hash))), $expire, $cookie_path.'; HttpOnly', $cookie_domain, $cookie_secure);
 }
 
 
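Review bot: Both branches repeat the same value expression, so a later change to the cookie format has to be made in two places. Assigning it once, `$cookie_value = serialize(array($user_id, md5($cookie_seed.$password_hash)));`, keeps the two setcookie() calls in step. The pre-5.2 branch passes the attribute through the path argument, which needs a comment such as `// PHP < 5.2 has no httponly parameter, so the attribute is appended to the path`. Separately, a serialized cookie value suggests the reading side unserializes client-supplied data. That code is not in this hunk, but it should be confirmed and, if so, replaced with a simple delimiter-separated format. The function begins above the hunk.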
@@ -168,7 +171,10 @@
 		}
 
 		if ($cur_ban['username'] != '' && !strcasecmp($pun_user['username'], $cur_ban['username']))
+		{
+			$db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape($pun_user['username']).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
 			message($lang_common['Ban message'].' '.(($cur_ban['expire'] != '') ? $lang_common['Ban message 2'].' '.strtolower(format_time($cur_ban['expire'], true)).'. ' : '').(($cur_ban['message'] != '') ? $lang_common['Ban message 3'].'<br /><br /><strong>'.pun_htmlspecialchars($cur_ban['message']).'</strong><br /><br />' : '<br /><br />').$lang_common['Ban message 4'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.', true);
+		}
 
 		if ($cur_ban['ip'] != '')
 		{
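Review bot: The DELETE on the online table and the long ban `message()` call now appear verbatim twice, in the username branch here and in the IP branch of the next hunk (`@@ -179,7 +185,10 @@`). A small private helper that removes the online row and then shows the ban message would keep the two paths from drifting apart. The IP branch also deletes by `$pun_user['username']`. If guest rows in the online table are keyed by something other than the username (not visible on this page), a banned guest's row would be left behind, which should be checked.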
@@ -179,7 +185,10 @@
 				$cur_ban_ips[$i] = $cur_ban_ips[$i].'.';
 
 				if (substr($user_ip, 0, strlen($cur_ban_ips[$i])) == $cur_ban_ips[$i])
+				{
+					$db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape($pun_user['username']).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
 					message($lang_common['Ban message'].' '.(($cur_ban['expire'] != '') ? $lang_common['Ban message 2'].' '.strtolower(format_time($cur_ban['expire'], true)).'. ' : '').(($cur_ban['message'] != '') ? $lang_common['Ban message 3'].'<br /><br /><strong>'.pun_htmlspecialchars($cur_ban['message']).'</strong><br /><br />' : '<br /><br />').$lang_common['Ban message 4'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.', true);
+				}
 			}
 		}
 	}
@@ -203,7 +212,7 @@
 	$now = time();
 
 	// Fetch all online list entries that are older than "o_timeout_online"
-	$result = $db->query('SELECT * FROM '.$db->prefix.'online WHERE logged<'.($now-$pun_config['o_timeout_online'])) or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
+	$result = $db->query('SELECT * FROM '.$db->prefix.'online WHERE logged<'.($now-$pun_config['o_timeout_online'])) or error('Unable to fetch old entries from online list', __FILE__, __LINE__, $db->error());
 	while ($cur_user = $db->fetch_assoc($result))
 	{
 		// If the entry is a guest, delete it
@@ -675,28 +684,7 @@
 //
 function get_remote_address()
 {
-	$remote_address = $_SERVER['REMOTE_ADDR'];
-
-	// If HTTP_X_FORWARDED_FOR is set, we try to grab the first non-LAN IP
-	if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
-	{
-		if (preg_match_all('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_SERVER['HTTP_X_FORWARDED_FOR'], $address_list))
-		{
-			$lan_ips = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
-			$address_list = preg_replace($lan_ips, null, $address_list[0]);
-
-			while (list(, $cur_address) = each($address_list))
-			{
-				if ($cur_address)
-				{
-					$remote_address = $cur_address;
-					break;
-				}
-			}
-		}
-	}
-
-	return $remote_address;
+	return $_SERVER['REMOTE_ADDR'];
 }
 
 
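Review bot: The reduced `get_remote_address()` needs a comment explaining why X-Forwarded-For is no longer consulted, otherwise the removed parsing is likely to be reintroduced. Something like `// X-Forwarded-For is client-supplied and trivially forged, so bans and per-IP limits must rely on REMOTE_ADDR only` above the return would do. The trade-off should be noted too: behind a reverse proxy every visitor shares the proxy's address. That affects both the IP bans and the one-registration-per-hour check this diff adds to register.php.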
@@ -1040,6 +1028,31 @@
 </div>
 <?php
 
+}
+
+
+//
+// Unset any variables instantiated as a result of register_globals being enabled
+//
+function unregister_globals()
+{
+	// Prevent script.php?GLOBALS[foo]=bar
+	if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']))
+		exit('I\'ll have a steak sandwich and... a steak sandwich.');
+	
+	// Variables that shouldn't be unset
+	$no_unset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
+
+	// Remove elements in $GLOBALS that are present in any of the superglobals
+	$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
+	foreach ($input as $k => $v)
+	{
+		if (!in_array($k, $no_unset) && isset($GLOBALS[$k]))
+		{
+			unset($GLOBALS[$k]);
+			unset($GLOBALS[$k]);	// Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
+		}
+	}
 }
 
 
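Review bot: In `unregister_globals()` the protected-name test `in_array($k, $no_unset)` compares loosely, so an integer key can match the string entries on older PHP versions. Passing the strict flag, `in_array($k, $no_unset, true)`, makes the check exact. The header comment could also record the two assumptions the function relies on: it must run before any application variable is assigned, and `$_SESSION` is merged only if a session has already been started. The double unset() is explained inline, which is helpful.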
diff -urN punbb-1.2.6/upload/include/parser.php punbb-1.2.14/upload/include/parser.php
--- punbb-1.2.6/upload/include/parser.php	Thu Jul  7 22:00:42 2005
+++ punbb-1.2.14/upload/include/parser.php	Sat May 20 17:42:34 2006
@@ -264,7 +264,7 @@
 {
 	global $pun_user;
 
-	$full_url = str_replace(' ', '%20', $url);
+	$full_url = str_replace(array(' ', '\'', '`', '"'), array('%20', '', '', ''), $url);
 	if (strpos($url, 'www.') === 0)			// If it starts with www, we add http://
 		$full_url = 'http://'.$full_url;
 	else if (strpos($url, 'ftp.') === 0)	// Else if it starts with ftp, we add ftp://
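Review bot: Quotes and backticks are stripped from `$full_url`, but the scheme tests on the following lines still inspect the raw `$url`. A value that begins with one of the removed characters therefore skips the `www.`/`ftp.` prefixing even though the cleaned URL starts with that prefix. Testing the cleaned value keeps the two in agreement: `if (strpos($full_url, 'www.') === 0)`, and likewise for `ftp.`. Removing three characters is a deny-list. How the result is written into the `href`, and whether the link text is escaped, is outside this hunk, so it is worth confirming that the final output goes through an HTML-escaping function rather than relying on this strip alone.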
@@ -314,10 +314,10 @@
 	$pattern = array('#\[b\](.*?)\[/b\]#s',
 					 '#\[i\](.*?)\[/i\]#s',
 					 '#\[u\](.*?)\[/u\]#s',
-					 '#\[url\](.*?)\[/url\]#e',
-					 '#\[url=(.*?)\](.*?)\[/url\]#e',
-					 '#\[email\](.*?)\[/email\]#',
-					 '#\[email=(.*?)\](.*?)\[/email\]#',
+					 '#\[url\]([^\[]*?)\[/url\]#e',
+					 '#\[url=([^\[]*?)\](.*?)\[/url\]#e',
+					 '#\[email\]([^\[]*?)\[/email\]#',
+					 '#\[email=([^\[]*?)\](.*?)\[/email\]#',
 					 '#\[color=([a-zA-Z]*|\#?[0-9a-fA-F]{6})](.*?)\[/color\]#s');
 
 	$replace = array('<strong>$1</strong>',
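Review bot: The two `[url]` patterns keep the `e` modifier, so their replacement strings are still evaluated as PHP with text captured from the post substituted in. Excluding `[` from the first capture narrows what can reach the evaluation, but the second group of `[url=...]` is still `(.*?)`. Moving these two entries to preg_replace_callback() removes code evaluation from the parser altogether, instead of relying on the pattern to constrain it. The `$replace` array starts on the last line of the hunk and continues outside it, so the exact replacement expressions are not visible here.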
diff -urN punbb-1.2.6/upload/include/search_idx.php punbb-1.2.14/upload/include/search_idx.php
--- punbb-1.2.6/upload/include/search_idx.php	Thu Jul  7 22:11:26 2005
+++ punbb-1.2.14/upload/include/search_idx.php	Mon Oct 31 23:37:20 2005
@@ -69,10 +69,8 @@
 	{
 		while (list($i, $word) = @each($words))
 		{
+			$words[$i] = trim($word, '.');
 			$num_chars = pun_strlen($word);
-
-			if (strrpos($word, '.') == ($num_chars-1))
-				$words[$i] = substr($word, 0, -1);
 
 			if ($num_chars < 3 || $num_chars > 20 || in_array($word, $stopwords))
 				unset($words[$i]);
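Review bot: The trimmed value is stored in `$words[$i]`, but the length check and the stop-word lookup below still use the untrimmed `$word`. As a result "the." is not recognised as the stop word "the", and leading or trailing dots count towards the 3–20 character limits. Assigning both at once fixes that: `$word = $words[$i] = trim($word, '.');`. trim() also strips leading dots, which the removed code did not, so the comment should mention that this is intended.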
diff -urN punbb-1.2.6/upload/install.php punbb-1.2.14/upload/install.php
--- punbb-1.2.6/upload/install.php	Thu Jul  7 22:43:44 2005
+++ punbb-1.2.14/upload/install.php	Sun Oct 15 18:40:20 2006
@@ -24,7 +24,7 @@
 
 
 // The PunBB version this script installs
-$punbb_version = '1.2.6';
+$punbb_version = '1.2.14';
 
 
 define('PUN_ROOT', './');
@@ -528,7 +528,7 @@
 			break;
 	}
 
-	$db->query($sql) or error('Unable to create table '.$db_prefix.'online. Please check your settings and try again.',  __FILE__, __LINE__, $db->error());
+	$db->query($sql) or error('Unable to create table '.$db_prefix.'config. Please check your settings and try again.',  __FILE__, __LINE__, $db->error());
 
 
 
@@ -757,7 +757,7 @@
 					poster_id INT(10) UNSIGNED NOT NULL DEFAULT 1,
 					poster_ip VARCHAR(15),
 					poster_email VARCHAR(50),
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					hide_smilies TINYINT(1) NOT NULL DEFAULT 0,
 					posted INT(10) UNSIGNED NOT NULL DEFAULT 0,
 					edited INT(10) UNSIGNED,
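Review bot: Dropping `NOT NULL` together with `DEFAULT ''` makes `message` nullable. The same happens in the other eight hunks of this file, covering `message` in posts and reports and `search_data` in search_cache for all three database types. Only the default on a TEXT column appears to be the portability problem, so if the intent was just to remove that, `message TEXT NOT NULL` would keep the constraint. If nullability is intended, the code that reads these columns should be checked for NULL handling. The CREATE TABLE statements start and end outside these hunks.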
@@ -774,7 +774,7 @@
 					poster_id INT NOT NULL DEFAULT 1,
 					poster_ip VARCHAR(15),
 					poster_email VARCHAR(50),
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					hide_smilies SMALLINT NOT NULL DEFAULT 0,
 					posted INT NOT NULL DEFAULT 0,
 					edited INT,
@@ -791,7 +791,7 @@
 					poster_id INTEGER NOT NULL DEFAULT 1,
 					poster_ip VARCHAR(15),
 					poster_email VARCHAR(50),
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					hide_smilies INTEGER NOT NULL DEFAULT 0,
 					posted INTEGER NOT NULL DEFAULT 0,
 					edited INTEGER,
@@ -852,7 +852,7 @@
 					forum_id INT(10) UNSIGNED NOT NULL DEFAULT 0,
 					reported_by INT(10) UNSIGNED NOT NULL DEFAULT 0,
 					created INT(10) UNSIGNED NOT NULL DEFAULT 0,
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					zapped INT(10) UNSIGNED,
 					zapped_by INT(10) UNSIGNED,
 					PRIMARY KEY (id)
@@ -867,7 +867,7 @@
 					forum_id INT NOT NULL DEFAULT 0,
 					reported_by INT NOT NULL DEFAULT 0,
 					created INT NOT NULL DEFAULT 0,
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					zapped INT,
 					zapped_by INT,
 					PRIMARY KEY (id)
@@ -882,7 +882,7 @@
 					forum_id INTEGER NOT NULL DEFAULT 0,
 					reported_by INTEGER NOT NULL DEFAULT 0,
 					created INTEGER NOT NULL DEFAULT 0,
-					message TEXT NOT NULL DEFAULT '',
+					message TEXT,
 					zapped INTEGER,
 					zapped_by INTEGER,
 					PRIMARY KEY (id)
@@ -901,7 +901,7 @@
 			$sql = 'CREATE TABLE '.$db_prefix."search_cache (
 					id INT(10) UNSIGNED NOT NULL DEFAULT 0,
 					ident VARCHAR(200) NOT NULL DEFAULT '',
-					search_data TEXT NOT NULL DEFAULT '',
+					search_data TEXT,
 					PRIMARY KEY (id)
 					) TYPE=MyISAM;";
 			break;
@@ -910,7 +910,7 @@
 			$sql = 'CREATE TABLE '.$db_prefix."search_cache (
 					id INT NOT NULL DEFAULT 0,
 					ident VARCHAR(200) NOT NULL DEFAULT '',
-					search_data TEXT NOT NULL DEFAULT '',
+					search_data TEXT,
 					PRIMARY KEY (id)
 					)";
 			break;
@@ -919,7 +919,7 @@
 			$sql = 'CREATE TABLE '.$db_prefix."search_cache (
 					id INTEGER NOT NULL DEFAULT 0,
 					ident VARCHAR(200) NOT NULL DEFAULT '',
-					search_data TEXT NOT NULL DEFAULT '',
+					search_data TEXT,
 					PRIMARY KEY (id)
 					)";
 			break;
diff -urN punbb-1.2.6/upload/login.php punbb-1.2.14/upload/login.php
--- punbb-1.2.6/upload/login.php	Thu Jul  7 19:35:30 2005
+++ punbb-1.2.14/upload/login.php	Sat May 20 17:52:04 2006
@@ -78,7 +78,7 @@
 	$expire = ($save_pass == '1') ? time() + 31536000 : 0;
 	pun_setcookie($user_id, $form_password_hash, $expire);
 
-	redirect($_POST['redirect_url'], $lang_login['Login redirect']);
+	redirect(htmlspecialchars($_POST['redirect_url']), $lang_login['Login redirect']);
 }
 
 
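Review bot: htmlspecialchars() stops markup injection through `redirect_url`, but the destination itself is still whatever the client posted. The login form can therefore send a freshly authenticated user to an arbitrary external address, and the misc.php hunk later in this diff has the same pattern. The value should be accepted only if it is a relative path or starts with the board's own base URL, with a fixed page such as `index.php` as the fallback. How redirect() emits the target (header or meta refresh) is not shown on this page. If it uses a header, CR and LF must be rejected as well.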
@@ -153,7 +153,7 @@
 			message($lang_login['Forget mail'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');
 		}
 		else
-			message($lang_login['No e-mail match'].' '.$email.'.');
+			message($lang_login['No e-mail match'].' '.htmlspecialchars($email).'.');
 	}
 
 
diff -urN punbb-1.2.6/upload/misc.php punbb-1.2.14/upload/misc.php
--- punbb-1.2.6/upload/misc.php	Sun Jul  3 13:54:30 2005
+++ punbb-1.2.14/upload/misc.php	Sat May 20 17:52:04 2006
@@ -120,7 +120,7 @@
 
 		pun_mail($recipient_email, $mail_subject, $mail_message, '"'.str_replace('"', '', $pun_user['username']).'" <'.$pun_user['email'].'>');
 
-		redirect($_POST['redirect_url'], $lang_misc['E-mail sent redirect']);
+		redirect(htmlspecialchars($_POST['redirect_url']), $lang_misc['E-mail sent redirect']);
 	}
 
 
diff -urN punbb-1.2.6/upload/post.php punbb-1.2.14/upload/post.php
--- punbb-1.2.6/upload/post.php	Wed May  4 21:52:38 2005
+++ punbb-1.2.14/upload/post.php	Mon Oct 31 23:26:14 2005
@@ -338,7 +338,7 @@
 		if ($qid < 1)
 			message($lang_common['Bad request']);
 
-		$result = $db->query('SELECT poster, message FROM '.$db->prefix.'posts WHERE id='.$qid) or error('Unable to fetch quote info', __FILE__, __LINE__, $db->error());
+		$result = $db->query('SELECT poster, message FROM '.$db->prefix.'posts WHERE id='.$qid.' AND topic_id='.$tid) or error('Unable to fetch quote info', __FILE__, __LINE__, $db->error());
 		if (!$db->num_rows($result))
 			message($lang_common['Bad request']);
 
@@ -440,7 +440,7 @@
 else if (isset($_POST['preview']))
 {
 	require_once PUN_ROOT.'include/parser.php';
-	$message = parse_message($message, $hide_smilies);
+	$preview_message = parse_message($message, $hide_smilies);
 
 ?>
 <div id="postpreview" class="blockpost">
@@ -449,7 +449,7 @@
 		<div class="inbox">
 			<div class="postright">
 				<div class="postmsg">
-					<?php echo $message."\n" ?>
+					<?php echo $preview_message."\n" ?>
 				</div>
 			</div>
 		</div>
@@ -491,7 +491,7 @@
 if ($fid): ?>
 						<label><strong><?php echo $lang_common['Subject'] ?></strong><br /><input class="longinput" type="text" name="req_subject" value="<?php if (isset($_POST['req_subject'])) echo pun_htmlspecialchars($subject); ?>" size="80" maxlength="70" tabindex="<?php echo $cur_index++ ?>" /><br /></label>
 <?php endif; ?>						<label><strong><?php echo $lang_common['Message'] ?></strong><br />
-						<textarea name="req_message" rows="20" cols="95" tabindex="<?php echo $cur_index++ ?>"><?php echo isset($_POST['req_message']) ? pun_htmlspecialchars(trim($_POST['req_message'])) : (isset($quote) ? $quote : ''); ?></textarea><br /></label>
+						<textarea name="req_message" rows="20" cols="95" tabindex="<?php echo $cur_index++ ?>"><?php echo isset($_POST['req_message']) ? pun_htmlspecialchars($message) : (isset($quote) ? $quote : ''); ?></textarea><br /></label>
 						<ul class="bblinks">
 							<li><a href="help.php#bbcode" onclick="window.open(this.href); return false;"><?php echo $lang_common['BBCode'] ?></a>: <?php echo ($pun_config['p_message_bbcode'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
 							<li><a href="help.php#img" onclick="window.open(this.href); return false;"><?php echo $lang_common['img tag'] ?></a>: <?php echo ($pun_config['p_message_img_tag'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
diff -urN punbb-1.2.6/upload/profile.php punbb-1.2.14/upload/profile.php
--- punbb-1.2.6/upload/profile.php	Thu Jul  7 22:37:30 2005
+++ punbb-1.2.14/upload/profile.php	Tue Nov  1 01:27:30 2005
@@ -201,6 +201,9 @@
 	}
 	else if (isset($_POST['form_sent']))
 	{
+		if (pun_hash($_POST['req_password']) !== $pun_user['password'])
+			message($lang_profile['Wrong pass']);
+
 		require PUN_ROOT.'include/email.php';
 
 		// Validate the email-address
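Review bot: The password confirmation reads `$_POST['req_password']` without checking that it is present and is a string. A request that omits the field, or sends it as an array, reaches pun_hash() with an unexpected type. Guarding first keeps the failure on the intended path: `if (!isset($_POST['req_password']) || !is_string($_POST['req_password']) || pun_hash($_POST['req_password']) !== $pun_user['password'])`. A one-line comment stating the purpose, that the actor re-authenticates before an e-mail change so a hijacked session cannot take over the account through password recovery, would document why the check exists.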
@@ -264,7 +267,7 @@
 	}
 
 	$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
-	$required_fields = array('req_new_email' => $lang_profile['New e-mail']);
+	$required_fields = array('req_new_email' => $lang_profile['New e-mail'], 'req_password' => $lang_common['Password']);
 	$focus_element = array('change_email', 'req_new_email');
 	require PUN_ROOT.'header.php';
 
@@ -279,6 +282,7 @@
 					<div class="infldset">
 						<input type="hidden" name="form_sent" value="1" />
 						<label><strong><?php echo $lang_profile['New e-mail'] ?></strong><br /><input type="text" name="req_new_email" size="50" maxlength="50" /><br /></label>
+						<label><strong><?php echo $lang_common['Password'] ?></strong><br /><input type="password" name="req_password" size="16" maxlength="16" /><br /></label>
 						<p><?php echo $lang_profile['E-mail instructions'] ?></p>
 					</div>
 				</fieldset>
@@ -362,12 +366,17 @@
 				message($lang_profile['Move failed'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');
 
 			// Now check the width/height
-			list($width, $height, ,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
+			list($width, $height, $type,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
 			if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
 			{
 				@unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
 				message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
 			}
+			else if ($type == 1 && $uploaded_file['type'] != 'image/gif')	// Prevent dodgy uploads
+			{
+				@unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
+				message($lang_profile['Bad type']);
+			}			
 
 			// Delete any old avatars and put the new one in place
 			@unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
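Review bot: The new upload check covers only the GIF case, and it compares the detected type with `$uploaded_file['type']`, which is the MIME type claimed by the client. A file that getimagesize() identifies as JPEG or PNG but that was declared as something else is not rejected, and neither is a detected type outside the supported set. It would be more robust to allow only the types getimagesize() reports as GIF, JPEG or PNG (1, 2, 3) and to derive the stored extension from that detected type rather than from the request. Where the extension is chosen is outside this hunk. The comment `// Prevent dodgy uploads` should state the actual rule being enforced.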
@@ -708,6 +717,14 @@
 				$form['email'] = strtolower(trim($_POST['req_email']));
 				if (!is_valid_email($form['email']))
 					message($lang_common['Invalid e-mail']);
+			}
+
+			// Make sure we got a valid language string
+			if (isset($form['language']))
+			{
+				$form['language'] = preg_replace('#[\.\\\/]#', '', $form['language']);
+				if (!file_exists(PUN_ROOT.'lang/'.$form['language'].'/common.php'))
+						message($lang_common['Bad request']);
 			}
 
 			break;
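Review bot: The language validation (strip `.`, `\`, `/`, then require `lang/<name>/common.php` to exist) is duplicated in register.php, and half of it appears in admin_options.php in this diff. It belongs in one helper in include/functions.php so the three call sites cannot diverge. An allow-list would also be easier to reason about than removing three characters, for example accepting the value only if it matches a pattern of letters, digits and underscores. The right character set depends on how language directories are named, which this page does not show.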
diff -urN punbb-1.2.6/upload/register.php punbb-1.2.14/upload/register.php
--- punbb-1.2.6/upload/register.php	Thu May  5 00:26:04 2005
+++ punbb-1.2.14/upload/register.php	Sun Oct 15 18:31:20 2006
@@ -79,6 +79,13 @@
 
 else if (isset($_POST['form_sent']))
 {
+	// Check that someone from this IP didn't register a user within the last hour (DoS prevention)
+	$result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+
+	if ($db->num_rows($result))
+		message('A new user was registered with the same IP address as you within the last hour. To prevent registration flooding, at least an hour has to pass between registrations from the same IP. Sorry for the inconvenience.');
+
+
 	$username = pun_trim($_POST['req_username']);
 	$email1 = strtolower(trim($_POST['req_email1']));
 
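Review bot: The added SELECT places `get_remote_address()` between quotes without escaping it. Whether that helper can ever return request-influenced text is not visible in this hunk, so I would not rely on it and would write `registration_ip=\''.$db->escape(get_remote_address()).'\'`. The flood message is a hard-coded English string, while another message in this file comes from `$lang_common`. The check also runs well before the insert with no locking, so two simultaneous requests from one address can both pass it.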
@@ -166,12 +173,21 @@
 			$dupe_list[] = $cur_dupe['username'];
 	}
 
+	// Make sure we got a valid language string
+	if (isset($_POST['language']))
+	{
+		$language = preg_replace('#[\.\\\/]#', '', $_POST['language']);
+		if (!file_exists(PUN_ROOT.'lang/'.$language.'/common.php'))
+				message($lang_common['Bad request']);
+	}
+	else
+		$language = $pun_config['o_default_lang'];
+
 	$timezone = intval($_POST['timezone']);
-	$language = isset($_POST['language']) ? $_POST['language'] : $pun_config['o_default_lang'];
 	$save_pass = (!isset($_POST['save_pass']) || $_POST['save_pass'] != '1') ? '0' : '1';
 
 	$email_setting = intval($_POST['email_setting']);
-	if ($email_setting < 0 && $email_setting > 2) $email_setting = 1;
+	if ($email_setting < 0 || $email_setting > 2) $email_setting = 1;
 
 	// Insert the new user into the database. We do this now to get the last inserted id for later use.
 	$now = time();
diff -urN punbb-1.2.6/upload/search.php punbb-1.2.14/upload/search.php
--- punbb-1.2.6/upload/search.php	Thu Jul  7 18:58:46 2005
+++ punbb-1.2.14/upload/search.php	Sun Oct 15 18:36:14 2006
@@ -51,6 +51,7 @@
 	$action = (isset($_GET['action'])) ? $_GET['action'] : null;
 	$forum = (isset($_GET['forum'])) ? intval($_GET['forum']) : -1;
 	$sort_dir = (isset($_GET['sort_dir'])) ? (($_GET['sort_dir'] == 'DESC') ? 'DESC' : 'ASC') : 'DESC';
+	if (isset($search_id)) unset($search_id);
 
 	// If a search_id was supplied
 	if (isset($_GET['search_id']))
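Review bot: The added `unset($search_id)` has no comment saying why a variable is cleared before its first use. Presumably it guards against the value being pre-seeded from the request when register_globals is on, and the later `$result_list = array();` and `$old_searches = array();` hunks look like the same hardening. I would add `// Never trust a pre-existing $search_id (register_globals)` above it and an equivalent remark on the two initialisations. The `isset()` guard is not needed, since `unset()` on an undefined variable does nothing: `unset($search_id);`.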
@@ -169,6 +170,7 @@
 
 				$word_count = 0;
 				$match_type = 'and';
+				$result_list = array();
 				@reset($keywords_array);
 				while (list(, $cur_word) = @each($keywords_array))
 				{
@@ -386,6 +388,7 @@
 
 
 		// Prune "old" search results
+		$old_searches = array();
 		$result = $db->query('SELECT ident FROM '.$db->prefix.'online') or error('Unable to fetch online list', __FILE__, __LINE__, $db->error());
 
 		if ($db->num_rows($result))
@@ -463,7 +466,7 @@
 			$sql = 'SELECT p.id AS pid, p.poster AS pposter, p.posted AS pposted, p.poster_id, '.$substr_sql.'(p.message, 1, 1000) AS message, t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.forum_id FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id WHERE p.id IN('.$search_results.') ORDER BY '.$sort_by_sql;
 		}
 		else
-			$sql = 'SELECT t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id WHERE t.id IN('.$search_results.') GROUP BY t.id, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id'.$group_by_sql.' ORDER BY '.$sort_by_sql;
+			$sql = 'SELECT t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id FROM '.$db->prefix.'topics AS t WHERE t.id IN('.$search_results.') GROUP BY t.id, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id'.$group_by_sql.' ORDER BY '.$sort_by_sql;
 
 
 		// Determine the topic or post offset (based on $_GET['p'])
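Review bot: With the join to the posts table removed, the `GROUP BY` over every selected topic column looks left over. If `t.id` is the primary key of the topics table, `WHERE t.id IN(...)` can no longer return duplicate rows. What `$group_by_sql` and `$sort_by_sql` contain is outside this hunk, so this needs checking. If they only name topic columns, the statement could end at `IN('.$search_results.') ORDER BY '.$sort_by_sql;`.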
diff -urN punbb-1.2.6/upload/style/imports/base.css punbb-1.2.14/upload/style/imports/base.css
--- punbb-1.2.6/upload/style/imports/base.css	Tue Feb  1 17:16:46 2005
+++ punbb-1.2.14/upload/style/imports/base.css	Tue Oct 10 17:48:32 2006
@@ -43,12 +43,19 @@
 
 DIV>DIV>DIV.postfootleft, DIV>DIV>DIV.postfootright {PADDING-TOP: 1px; MARGIN-TOP: -1px}
 
-/* 3.2 This is only visible to IE Windows and cures various bugs. Do not alter comments */
-
-/* Begin IEWin Fix \*/
-* HTML .inbox, * HTML .inform, * HTML .pun, * HTML .intd, * HTML .tclcon {HEIGHT: 1px}
+/* 3.2 This is only visible to IE6 Windows and cures various bugs. Do not alter comments */
+
+/* Begin IE6Win Fix \*/
+* HTML .inbox, * HTML .inform, * HTML .pun, * HTML .intd, * HTML .tclcon {HEIGHT: 1px}
 * HTML .inbox DIV.postmsg {WIDTH: 98%}
-/* End of IEWin Fix */
+/* End of IE6Win Fix */
+
+/* 3.3 This is the equivelant of 3.2 but for IE7. It is visible to other browsers
+but does no harm */
+
+/*Begin IE7Win Fix */
+.pun, .pun .inbox, .pun .inform, .pun .intd, .pun .tclcon {min-height: 1px}
+/* End of IE7Win Fix */
 
 /****************************************************************/
 /* 4. HIDDEN ELEMENTS */
diff -urN punbb-1.2.6/upload/userlist.php punbb-1.2.14/upload/userlist.php
--- punbb-1.2.6/upload/userlist.php	Thu Mar  3 02:08:18 2005
+++ punbb-1.2.14/upload/userlist.php	Sat May 20 17:53:30 2006
@@ -116,7 +116,7 @@
 	$where_sql[] = 'u.group_id='.$show_group;
 
 // Fetch user count
-$result = $db->query('SELECT COUNT(id) FROM '.$db->prefix.'users AS u'.(!empty($where_sql) ? ' WHERE u.id>1 AND '.implode(' AND ', $where_sql) : '')) or error('Unable to fetch user list count', __FILE__, __LINE__, $db->error());
+$result = $db->query('SELECT COUNT(id) FROM '.$db->prefix.'users AS u WHERE u.id>1'.(!empty($where_sql) ? ' AND '.implode(' AND ', $where_sql) : '')) or error('Unable to fetch user list count', __FILE__, __LINE__, $db->error());
 $num_users = $db->result($result);
 
 
diff -urN punbb-1.2.6/upload/viewforum.php punbb-1.2.14/upload/viewforum.php
--- punbb-1.2.6/upload/viewforum.php	Tue Feb  1 17:16:46 2005
+++ punbb-1.2.14/upload/viewforum.php	Thu Sep 22 00:39:32 2005
@@ -242,7 +242,7 @@
 
 <div class="linksb">
 	<div class="inbox">
-		<p class="pagelink conl"><?php echo $lang_common['Pages'].': '.paginate($num_pages, $p, 'viewforum.php?id='.$id) ?></p>
+		<p class="pagelink conl"><?php echo $paging_links ?></p>
 <?php echo $post_link ?>
 		<ul><li><a href="index.php"><?php echo $lang_common['Index'] ?></a>&nbsp;</li><li>&raquo;&nbsp;<?php echo pun_htmlspecialchars($cur_forum['forum_name']) ?></li></ul>
 		<div class="clearer"></div>
