Latest phpBB.com announcements
Greetings everyone,
We are pleased to announce the release of phpBB 3.3.16 “Bertie in scrubs”. This version is a maintenance and security release of the 3.3.x branch which fixes three security issues, introduces a number of improvements aimed at enhancing the user experience and overall stability of the software and resolves some issues noticed in previous releases.
In previous versions, phpBB has been relying on information from the webserver to build the password reset link URL. Depending on the phpBB and server configuration these might not be properly filtered, which could result in attacker-controlled URLs being sent as the password reset email URL. We’d like to thank Seong Hun Jeong (HunSec) for reporting this issue to us on HackerOne.
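To make the password-reset issue concrete, here is an added example (it is not phpBB's code and does not reproduce the actual fix) showing the pattern the paragraph describes, beside a hardened version. The request-based builder takes the host from headers the client controls; the configuration-based builder pins the host to an operator-set allow-list. The config keys `server_names` and `force_https`, the `/ucp.php?mode=reset_password` path and the token format are assumptions made for the example.

```php
<?php
// Added example, not phpBB's own code: building the absolute link that goes
// into a password-reset email. Config keys, path and token format are assumed.

// Vulnerable pattern: the host is whatever the request said it was. A
// client-supplied Host or X-Forwarded-Host header therefore ends up in the
// link that is mailed to the account owner.
function reset_url_from_request(array $server, string $token): string
{
    $host   = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? 'localhost';
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/ucp.php?mode=reset_password&token=' . rawurlencode($token);
}

// Hardened pattern: the host must match an operator-configured allow-list;
// anything else falls back to the canonical configured name. The scheme also
// comes from configuration instead of from the request.
function reset_url_from_config(array $config, array $server, string $token): string
{
    $allowed   = array_map('strtolower', $config['server_names']); // assumed config key
    $requested = strtolower((string)($server['HTTP_HOST'] ?? ''));
    // Drop an explicit port so "forum.example.org:443" still matches the entry.
    $host = preg_replace('/:\d+$/', '', $requested);
    if (!in_array($host, $allowed, true)) {
        $host = $allowed[0]; // unknown host: never trust the header, use the canonical name
    }
    $scheme = !empty($config['force_https']) ? 'https' : 'http';
    return $scheme . '://' . $host . '/ucp.php?mode=reset_password&token=' . rawurlencode($token);
}

// Constructed request: the Host header names a domain the forum does not own.
$server = ['HTTP_HOST' => 'not-the-forum.example', 'HTTPS' => 'on'];
$config = ['server_names' => ['forum.example.org'], 'force_https' => true];
$token  = bin2hex(random_bytes(16)); // constructed token, not phpBB's format

echo reset_url_from_request($server, $token), PHP_EOL; // host taken from the request
echo reset_url_from_config($config, $server, $token), PHP_EOL; // host pinned to configuration
```

The same allow-list check belongs in front of any other absolute URL the application emails or redirects to; a reverse proxy that rewrites `Host` does not remove the need for it, because the application still has to decide which hostnames it trusts.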
Furthermore, improper access checks when quoting posts in private messages allowed users access to posts that are marked as soft-deleted or unapproved even if those are not normally visible to the respective users. Another issue with improper form key checks in the report post functionality was noticed, which could potentially be used to submit reports on behalf of a user without the user’s consent or intention. We’d like to thank the GitHub Security Lab Team for reporting these two issues to us.
In addition to these, an improper check while marking board notifications read was discovered. This could potentially be used to alter the read state of board notifications for other users. We’d like to thank Liao Shuang for reporting this issue to us.
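The two report-form and notification issues above share a shape: a state-changing request must prove both that the user intended it (a per-session form key) and that every object it names belongs to that user. The following added example (not phpBB's code, and not its `add_form_key`/`check_form_key` implementation) shows a "mark notifications read" handler with both checks; the session layout, the in-memory notification table and the `FORM_KEY_TTL` value are assumptions.

```php
<?php
// Added example, not phpBB's own code: a form-key (anti-CSRF) check plus an
// ownership check on a "mark notifications read" action. Session layout,
// storage and the key lifetime are assumed for the example.

const FORM_KEY_TTL = 7200; // seconds an issued key stays valid (assumed)

// Issue a per-form key and remember it, with its creation time, in the session.
function issue_form_key(array &$session, string $form_name): string
{
    $key = bin2hex(random_bytes(16));
    $session['form_keys'][$form_name] = ['key' => $key, 'time' => time()];
    return $key;
}

// Verify the submitted key: it must exist for this form, be unexpired, and
// match in constant time so the comparison leaks nothing about the key.
function verify_form_key(array $session, string $form_name, string $submitted): bool
{
    $issued = $session['form_keys'][$form_name] ?? null;
    if ($issued === null || time() - $issued['time'] > FORM_KEY_TTL) {
        return false;
    }
    return hash_equals($issued['key'], $submitted);
}

// Mark notifications read, but only those owned by the acting user.
// $notifications is a constructed in-memory table: id => [user_id, read].
function mark_notifications_read(array &$notifications, int $user_id, array $ids,
                                 array $session, string $submitted_key): array
{
    if (!verify_form_key($session, 'mark_notifications_read', $submitted_key)) {
        return ['ok' => false, 'error' => 'invalid form key', 'updated' => []];
    }
    $updated = [];
    foreach ($ids as $id) {
        $id = (int)$id;
        // Ownership check: the row must exist AND belong to this user. Ids that
        // fail are skipped without saying whether they exist.
        if (!isset($notifications[$id]) || $notifications[$id]['user_id'] !== $user_id) {
            continue;
        }
        $notifications[$id]['read'] = true;
        $updated[] = $id;
    }
    return ['ok' => true, 'updated' => $updated];
}

// Constructed data: user 7 owns notifications 1 and 2, user 9 owns 3.
$notifications = [
    1 => ['user_id' => 7, 'read' => false],
    2 => ['user_id' => 7, 'read' => false],
    3 => ['user_id' => 9, 'read' => false],
];
$session = [];
$key = issue_form_key($session, 'mark_notifications_read');

// User 7 submits ids 1, 2 and 3 with a valid key: only 1 and 2 change.
$result = mark_notifications_read($notifications, 7, [1, 2, 3], $session, $key);
print_r($result['updated']);
var_dump($notifications[3]['read']);

// The same ids with a key that was never issued are rejected outright.
$result = mark_notifications_read($notifications, 7, [1], $session, 'stale-or-forged');
var_dump($result['ok']);
```

Against a database the ownership check is the `AND user_id = ?` clause on the UPDATE itself (`WHERE notification_id IN (...) AND user_id = ?`), so the constraint holds even if a caller forgets the pre-check; the form-key check stays in the handler because it concerns the request, not the rows.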
Additional hardening for downloading attachments was added with improved handling of non-rasterized images to prevent possible XSS attacks on misconfigured web servers.
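As an added example of what "hardening attachment downloads" can mean in practice (this is not phpBB's code and not its attachment handler), the block below chooses response headers by the detected content type of the stored file: raster images keep their real type, while non-rasterized formats such as SVG, which are XML documents that can carry script, are forced to download as opaque bytes. The allow-list in `RASTER_TYPES` and the sample file are assumptions; `finfo` is PHP's standard fileinfo extension.

```php
<?php
// Added example, not phpBB's own code: response headers for serving an
// uploaded attachment so that a browser never renders it as a page in the
// forum's origin. The raster allow-list and the sample file are constructed.

const RASTER_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];

// Decide the headers for a stored attachment. Returns them as a list rather
// than emitting them, so the decision can be inspected or logged.
function attachment_headers(string $detected_mime, string $display_name): array
{
    $headers = [
        // Stop browsers from second-guessing the declared type.
        'X-Content-Type-Options: nosniff',
        // If a browser displays the body anyway, forbid script and isolate it.
        "Content-Security-Policy: default-src 'none'; sandbox",
    ];
    // Keep the filename to a conservative character set for the header.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $display_name);

    if (in_array($detected_mime, RASTER_TYPES, true)) {
        $headers[] = 'Content-Type: ' . $detected_mime;
        $headers[] = 'Content-Disposition: inline; filename="' . $safe_name . '"';
        return $headers;
    }
    // Everything else (SVG, unknown types) is served as a download of opaque bytes.
    $headers[] = 'Content-Type: application/octet-stream';
    $headers[] = 'Content-Disposition: attachment; filename="' . $safe_name . '"';
    return $headers;
}

// Determine the type from the bytes on disk, not from the extension or the
// type the uploader declared.
function detect_mime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime !== false ? $mime : 'application/octet-stream';
}

// Constructed sample: a plain SVG stored under a raster-looking name.
$tmp = tempnam(sys_get_temp_dir(), 'att');
file_put_contents($tmp, '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>');

$mime = detect_mime($tmp); // decided by the bytes, not by "logo.png"
foreach (attachment_headers($mime, 'logo.png') as $h) {
    echo $h, PHP_EOL;
}
unlink($tmp);
```

The "misconfigured web servers" in the announcement are the reason the `Content-Type` cannot be left to the server's extension map: if the application sets the type and disposition itself from the detected format, a server that would otherwise serve `.svg` (or a mislabelled file) inline as `image/svg+xml` no longer gets that choice.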
The improvements in phpBB 3.3.16 include the reintroduction of authentication for RSS/Atom feeds as well as adding the ability to restart the installer, e.g. in case of issues during the install process.
Notable bug fixes in this release are additional fixes for displaying posts in ascending order that could have resulted in a non-chronological order, issues with reverting some migrations, and a potential fatal error when downloading files with a specific byte range. Additionally, the WHOIS lookup requests stopped returning details such as country or provider. With the adjustments phpBB is now compatible with the current state of ARIN/RIPE services and will return these details again.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release below and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=16890
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: Matt Friedman, rxu, Kailey M. Snay, battye, Daniel James, Christian Schnegelberger, LukeWCS, Neo-CTC, IdfbAn, Patrick Webster, Robert Korulczyk, cabot
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team