Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > October 2005 > phpBB - phpBB 2.0.18 released

October 2005

phpBB - phpBB 2.0.18 released

ID: 00964
Ref: 902/05
Date: 31 October 2005:10:27:33
Version: 1
Title: phpBB - phpBB 2.0.18 released
Abstract:
Vendors affected: phpBB
Operating systems affected: phpBB
Applications affected: phpBB

Title
=====
phpBB - phpBB 2.0.18 released


Detail
======

The phpBB Group is pleased to announce the release of phpBB 2.0.18, "The Halloween
Special" release.

This is a major update to the 2.0.x codebase and includes fixes for numerous bugs
reported by users to our Bug Tracker, as well as updates to those issues identified
by the recent security audit of the code and a couple of security issues reported
to us. In addition we have backported a further feature from our "Olympus" codebase
to change the way automatic logins are handled.

We would like to thank all of those who take part in the security audit of the code
for their work.

Please read the original announcement at http://www.phpbb.com/phpBB/viewtopic.php?t=336756

The changes:

- - [Fix] incorrect handling of password resets if admin activation is enabled
(Bug #88)
- - [Fix] retrieving category rows in index.php (Bug #90)
- - [Fix] improved index performance by determining the permissions before iterating
through all forums (Bug #91)
- - [Fix] wrong topic redirection after login redirect (Bug #94)
- - [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
- - [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off
(Bug #100)
- - [Fix] correctly preview signature if editing other users posts (Bug #101)
- - [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php
and usercp_viewprofile.php (Bug #102)
- - [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
- - [Fix] correctly get compression status in page_tail.php and page_footer_admin.php
(Bug #117)
- - [Fix] set page title on summary page of groupcp.php (bug #125)
- - [Fix] correctly test style and avatar in
- -----BEGIN PGP SIGNED MESSAGE-----

usercp_register.php
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBQ2Xt54pao72zK539AQGhbwQAlzDdL5DmCwXIi0sLtJ1JZloV9niFyaRN
rryOnP4lyRXc3nyhYcJcBQ/WR5QcDaoqXurlspC2vH4Ac9YjqBjLwXEM3WpzXj2Q
Djl2g7I/OygCQOrOiIT62A4O950NxpC48FOaNy/n1KHjioR8rJbBNcS/95S7vr46
ml9TAntXLY0=
=p1z5
- -----END PGP SIGNATURE-----
(bug #129 and #317)
- - [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
- - [Fix] handling of both forms of translation information used in language packs
(Bug #159)
- - [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
- - [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
- - [Fix] incorrect handling of move stubs (Bug #179)
- - [Fix] wrong mode_type in memberlist (Bug #187)
- - [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
- - [Fix] removed unused variable from topic_notify email template (Bug #210)
- - [Fix] removed unset variable from smilies popup window title (Bug #224)
- - [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
- - [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
- - [Fix] all users removed from topics watch table on special occassions (Bug #271)
- - [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
- - [Fix] correctly display username in private message notification (Bug #278)
- - [Fix] fixed "var-by-ref" errors (Bug #322)
- - [Fix] changed redirection to installation (Bug #325)
- - [Fix] added timout of 10 seconds to version check (Bug #348)
- - [Fix] fixed user_level default in postgresql schema file (Bug #444)
- - [Fix] multiple minor HTML issues with subSilver
- - [Change] deprecated the use of some PHP 3 compatability functions in favour of
the native equivalents
- - [Change] added 60 days limit for grabbing unread topics in index.php

- - [Sec] backport of session keys system from olympus
- - [Sec] fixed email bans to use the same pattern as email validation and allow
wildcard domain bans
- - [Sec] fixed validation of topic type when posting
- - [Sec] unset database password once it is no longer needed
- - [Sec] fixed potential to select images outside the specified path as avatars or
smilies
- - [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
- - [Sec] changed avatar gallery code sections to prevent possible injection points
(AnthraX101)
- - [Sec] signature field is not properly sanitised for user input when an error
occurs while accessing the avatar gallery (AnthraX101)
- - [Sec] check to_username and ownership when editing a PM (AnthraX101)
- - [Sec] fixed ability to edit PM's you did not send (depablo84)
- - [Sec] compare imagetype on avatar uploading to match the file extension from
uploaded file

the phpBB Group,



  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |