Just for your Info
l.i. Changes since 2.0.9
Fixed deleting of styles in admin_styles.php
Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
Added code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
Fixed bug in admin_board.php for board settings having single quotes in it
Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
Fixed forum jumpbox propagating session id in moderator control pages
Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
Fixed visual confirmation code. The image was not created due to a wrong regular expression.
l.ii. Changes since 2.0.8
Fixed one vulnerability in admin_board.php - Xore
Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
Fixed injection vulnerabilities possible with linked avatars
Implemented unsetting globalised variables
Limited confirm switch to POST variable in posting
Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
Updated visual confirmation mod [pre-edited files]
Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
Added the ability to link to https/ftps sites using the img bbcode tag
Fixed user online information in admin/index.php
Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
Fixed problem with SID not delivered to next page in groupcp.php
l.iii. Changes since 2.0.7
Fixed several vulnerabilities in admin pages
Fixed sid checking code in admin/pagestart.php
Fixed injection vulnerabilities possible with the img bbcode tag
Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
Fixed redirect problems - 2.0.7a
Fixed sql injection vulnerability in search - 2.0.7a
Fixed sql injection vulnerability in privmsg - 2.0.8a
l.i. Changes since 2.0.9
Fixed deleting of styles in admin_styles.php
Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
Added code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
Fixed bug in admin_board.php for board settings having single quotes in it
Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
Fixed forum jumpbox propagating session id in moderator control pages
Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
Fixed visual confirmation code. The image was not created due to a wrong regular expression.
l.ii. Changes since 2.0.8
Fixed one vulnerability in admin_board.php - Xore
Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
Fixed injection vulnerabilities possible with linked avatars
Implemented unsetting globalised variables
Limited confirm switch to POST variable in posting
Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
Updated visual confirmation mod [pre-edited files]
Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
Added the ability to link to https/ftps sites using the img bbcode tag
Fixed user online information in admin/index.php
Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
Fixed problem with SID not delivered to next page in groupcp.php
l.iii. Changes since 2.0.7
Fixed several vulnerabilities in admin pages
Fixed sid checking code in admin/pagestart.php
Fixed injection vulnerabilities possible with the img bbcode tag
Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
Fixed redirect problems - 2.0.7a
Fixed sql injection vulnerability in search - 2.0.7a
Fixed sql injection vulnerability in privmsg - 2.0.8a
Comment