ExtraLicense - Buy, Sell, & Trade Your Licenses

phpBB 3.3.17 Release - Please update

Latest phpBB.com announcements

Guest (thread owner), post #1
Greetings everyone,

We are pleased to announce the release of phpBB 3.3.17 “Young Bertie”. This version is a maintenance and security release of the 3.3.x branch which fixes four security issues. Please update to this new version as soon as possible.
phpBB 3.3.17 also adds further hardening, introduces improvements to the OAuth flow, and resolves some issues noticed in previous releases.

Improper verification of access permissions while setting permissions in the ACP could have allowed a malicious administrator to exceed the permission level granted to them. We’d like to thank UdinChan for reporting this issue to us on HackerOne.

Another potential issue affected a profile field migration that did not handle user data adequately and could have resulted in a potential SQL injection via the profile field data. This only affected phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet. We’d like to thank Anteater (giant_anteater) for reporting this issue to us on HackerOne.

Furthermore, two separate improper checks in the previous OAuth implementation could have been used to hijack user accounts. One of these did not require OAuth to be configured or enabled. We’d like to thank Aikido Security (aikido.dev) for reporting to us via HackerOne, as well as Dan Stefan Alexandru of Pentest-Tools.com and Himanshu Anand for reporting to us via email.

While improving the OAuth code we opted to partially refactor the current implementation to resolve some additional known issues with the redirect URLs and have moved the OAuth workflow to use controllers instead. As a side effect of this change, you will have to adjust the redirect URI for your OAuth provider. Previously, the OAuth implementation required two redirect URIs. For Google this was e.g.:
https://{your_board_URL}/ucp.php?mode=login&login=external&oauth_service=google
https://{your_board_URL}/ucp.php?i=ucp_auth_link&mode=auth_link&link=1&oauth_service=google

With the refactored changes, this will change to e.g.:
https://{your_board_URL}/app.php/user/oauth/authenticate/google
If you have URL rewriting enabled, you can also omit the app.php/ part. A second URI is no longer needed. You will have to update the redirect URI in your configurations at the OAuth tenants such as Google or Facebook.

Additional hardening for hostname lookups and the secure downloads referrer checking has been introduced.
A notable bug fix in this release resolves a potential issue with the uninstallation of extensions that was introduced with recent changes in phpBB 3.3.16. Additionally, an installation issue during the check filesystem step was resolved.

The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release below and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=16990

The packages can be downloaded from our downloads page.

The development team thanks everyone who contributed code to this release: Kailey M. Snay, Matt Friedman, Christian Schnegelberger

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team

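The redirect URI change above is the one step of this update that admins have to do by hand at the OAuth provider. As an added example, not part of the phpBB announcement or of phpBB's own code, here is a small Python script that derives the single 3.3.17 redirect URI for a service (with or without URL rewriting) and audits a provider's registered redirect-URI list for the two legacy ucp.php forms, reporting which entries are stale and which new URI is still missing. The board URL forum.example.org, the registered list, and all function names are constructed for the example; providers compare redirect URIs by exact string match, which is why the audit uses set membership rather than prefix matching.

```python
"""
Migrate pre-3.3.17 phpBB OAuth redirect URIs to the 3.3.17 controller route.

Assumptions (mine, not from the announcement): the board base URL is given
with its scheme, and the provider's registered redirect URIs are available
as a plain list of strings, as copied from the provider console.
"""
from urllib.parse import parse_qs, urlsplit

LEGACY_PATH = "/ucp.php"                 # both pre-3.3.17 forms hit this script
NEW_ROUTE = "/user/oauth/authenticate/"  # 3.3.17 controller route, per the release notes

# Constructed sample: what a Google OAuth client might have registered today.
SAMPLE_REGISTERED = [
    "https://forum.example.org/ucp.php?mode=login&login=external&oauth_service=google",
    "https://forum.example.org/ucp.php?i=ucp_auth_link&mode=auth_link&link=1&oauth_service=google",
]


def new_redirect_uri(board_url: str, service: str, url_rewriting: bool = False) -> str:
    """Return the one redirect URI phpBB 3.3.17 expects for `service`.

    With URL rewriting enabled the app.php/ segment is dropped, as the notes say.
    """
    base = board_url.rstrip("/")
    prefix = "" if url_rewriting else "/app.php"
    return f"{base}{prefix}{NEW_ROUTE}{service}"


def legacy_service(uri: str):
    """Return the oauth_service named by a pre-3.3.17 redirect URI, else None.

    Recognises exactly the two legacy forms:
      ucp.php?mode=login&login=external&oauth_service=<svc>
      ucp.php?i=ucp_auth_link&mode=auth_link&link=1&oauth_service=<svc>
    Anything else (including the new app.php route) is not legacy.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith(LEGACY_PATH):
        return None
    q = parse_qs(parts.query)
    svc = q.get("oauth_service", [None])[0]
    if svc is None:
        return None
    login_form = q.get("mode") == ["login"] and q.get("login") == ["external"]
    link_form = (
        q.get("i") == ["ucp_auth_link"]
        and q.get("mode") == ["auth_link"]
        and q.get("link") == ["1"]
    )
    return svc if (login_form or link_form) else None


def audit_registered_uris(board_url: str, registered, url_rewriting: bool = False):
    """Compare a provider's registered redirect URIs against what 3.3.17 needs.

    Returns (stale, required, missing):
      stale    - legacy URIs that can be removed once the board runs 3.3.17
      required - the new URI for every service the legacy entries referred to
      missing  - required URIs not yet registered; exact-match comparison,
                 because that is how OAuth providers validate redirect_uri
    """
    stale, services = [], set()
    for uri in registered:
        svc = legacy_service(uri)
        if svc:
            stale.append(uri)
            services.add(svc)
    required = sorted(new_redirect_uri(board_url, s, url_rewriting) for s in services)
    registered_set = set(registered)
    missing = [u for u in required if u not in registered_set]
    return stale, required, missing


if __name__ == "__main__":
    stale, required, missing = audit_registered_uris("https://forum.example.org", SAMPLE_REGISTERED)
    print("Stale legacy redirect URIs (remove after updating to 3.3.17):")
    for u in stale:
        print("  -", u)
    print("Required 3.3.17 redirect URIs:")
    for u in required:
        print("  +", u, "(MISSING)" if u in missing else "(present)")
```

Run it before the upgrade to add the new URI alongside the old ones, then again afterwards to confirm nothing is missing before deleting the stale entries; leaving the old ucp.php URIs registered is harmless for the provider check, but removing them keeps the allow-list minimal.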
