phpBB 3.0 RC7

Posted on Thursday, October 18 2007 @ 0:44 CEST by

We are very pleased to announce the availability of the phpBB3 RC7 package, the "We are sorry and love our support team" edition. This release fixes some critical issues which arose with the recently released Release Candidate 6, mainly some BBCode problems as well as missing form tokens. On the downloads page we provide two update packages this time, one for going from RC5 to RC7 and one for going from RC6 to RC7.

This release is mostly the outcome of an external security audit performed by SektionEins. All items tagged as [Sec] were found by the company doing the audit and revealed some fundamental problems we were able to fix. We are proud that the audit revealed no SQL injection vulnerability or critical command execution vulnerabilities.

RC6/RC7 brings a number of improvements and fixes several security issues. Some important fixes are:
  • [Fix] Further fixing user profile view (please do not forget to update/refresh your template and style) (Bug #14230)
  • [Fix] Adjust google adsense bot information (Bug #14296)
  • [Fix] Fix horizontal scrollbar problem in IE6 (Bug #14228) - fix provided by Danny-dev
  • [Fix] Correctly set user style for guest user (able to be changed within user management)
  • [Change] Moved note about dns_get_record function for using GTalk (Jabber) from Jabber log to Jabber ACP panel
  • [Fix] Do not use register_shutdown_function within cron.php if handling the queue and the mail function being used (Bug #14321)
  • [Fix] Fixing private message on-hold code if moving messages into folder based on rules (Bug #14309)
  • [Fix] Allow the merge selection screen to work (Bug #14363)
  • [Change] Require additional permissions for copying permission when editing forums
  • [Fix] Local magic URLs no longer get an additional trailing slash (Bug #14362)
  • [Fix] Do not let the cron script go stale for one hour if register_shutdown_function cannot be called (Bug #14436)
  • [Feature] Added /includes/db/db_tools.php file, which includes tools for handling cross-db actions such as altering columns, etc.
  • [Fix] Fixed token handling in jabber class for extremely spec-compliant XMPP server (Bug #14445)
  • [Change] Listing the board url within the email text instead of appending it to the subject (Bug #14378)
  • [Fix] Use correct dimension (width x height) in ACP (Bug #14452)
  • [Feature] Added completely new hook system to allow better application/mod integration - see docs/hook_system.html
  • [Fix] Fixing google cache display problems with Firefox (Bug #14472) - patch provided by Raimon
  • [Change] Allow years in the future to be selected for the date custom profile field (Bug #14519)
  • [Feature] Added an option to enforce that users spend a configurable amount of time on the terms page during registration
  • [Sec] Fixing possible XSS through compromised WHOIS server (#i63, #i64)
  • [Sec] Missing access control on whois in viewonline.php (#i51)
  • [Sec] Encoding some variables within the user::page array correctly (to cope with browsers not doing it correctly) to prevent XSS through functions re-using them (#i61)
  • [Sec] Fixed XSS through memberlist search feature (#i62)
  • [Sec] Fixed XSS through colour swatch (#i65)
  • [Sec] Fixed insecure attachment deletion (#i53)
  • [Sec] Only allow whitelisted protocols in meta_redirect/redirect (#i66)
  • [Sec] Check file names to be written in language management panel (#i52)
  • [Sec] Deregister globals if ini_get has been disabled (#i112)
  • [Sec] Added form tokens to most forms to enforce a lighter variant of CSRF protection (#i91 - #i96)
  • [Sec] Use new password hash method for forum passwords (#i43)
  • [Sec] Changed download file location to prevent flash crossdomain policies taking effect (#i8)
  • [Sec] Do not allow autocompletion for password on admin re-authentication (#i41)
  • [Sec] Made sure users are not completely locked out if they have a GLOBALS cookie (#i101)
  • [Sec] Use the secure hash to generate BBCODE_UIDs (#i71)
  • [Sec] Increase the length of BBCODE_UIDs (#i72)
  • [Sec] New password hashing mechanism for storing passwords (#i42)
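Two of the [Sec] items above, the protocol allow-list for meta_redirect/redirect (#i66) and the form tokens added against CSRF (#i91 - #i96), are worth seeing as code. The following is an added example written for this page, not phpBB's own implementation: the function names, the token format and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added example, not phpBB's own code: defensive checks in the spirit of two
// RC7 [Sec] items, a protocol allow-list for redirect targets (#i66) and a
// per-form anti-CSRF token (#i91 - #i96). Every function, parameter and sample
// value here is an assumption for illustration; phpBB's real code differs.

/**
 * True if $url may be used as a redirect target: a relative path on this
 * board, or an absolute URL whose scheme is on the allow-list.
 */
function is_safe_redirect(string $url, array $allowed = ['http', 'https']): bool
{
    // Control characters and whitespace have no place in a redirect target;
    // browsers strip them, which is how "java\tscript:" slips past naive checks.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Protocol-relative forms (//host, /\host, \\host) change the host.
    if (preg_match('#^[/\\\\]{2}#', $url)) {
        return false;
    }
    // No scheme at all: a path relative to this board, which is fine.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)) {
        return true;
    }
    // Absolute URL: the scheme must be on the allow-list (case-insensitive).
    return in_array(strtolower($m[1]), $allowed, true);
}

function safe_redirect_target(string $url, string $fallback = 'index.php'): string
{
    return is_safe_redirect($url) ? $url : $fallback;
}

/** Issue a token bound to the form name, the session and a creation time. */
function form_token_create(string $form, string $session_id, string $secret, int $now): string
{
    $mac = hash_hmac('sha256', $form . '|' . $session_id . '|' . $now, $secret);
    return $now . ':' . $mac;
}

/** Accept only an unexpired token whose MAC matches this form and session. */
function form_token_check(string $token, string $form, string $session_id,
                          string $secret, int $now, int $max_age = 3600): bool
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $created = (int) $m[1];
    if ($created > $now || $now - $created > $max_age) {
        return false;   // from the future, or older than the allowed window
    }
    $expected = hash_hmac('sha256', $form . '|' . $session_id . '|' . $created, $secret);
    return hash_equals($expected, $m[2]);   // constant-time comparison
}

// Constructed sample redirect targets (not taken from the page).
$cases = [
    'viewtopic.php?t=42', 'https://board.example/index.php', 'HTTP://board.example/',
    'javascript:alert(1)', "java\tscript:alert(1)", 'data:text/html,x',
    '//attacker.example/', '/\\attacker.example/', 'ftp://board.example/',
];
foreach ($cases as $c) {
    printf("%-34s -> %s\n", json_encode($c), safe_redirect_target($c));
}

// Constructed session, secret and clock values for the token round trip.
$secret = 'constructed-server-secret';
$sid    = 'sess-abc123';
$t0     = 1192660000;
$token  = form_token_create('posting', $sid, $secret, $t0);
var_dump(form_token_check($token, 'posting', $sid, $secret, $t0 + 60));         // same form, same session, in window
var_dump(form_token_check($token, 'ucp', $sid, $secret, $t0 + 60));             // token issued for a different form
var_dump(form_token_check($token, 'posting', 'sess-other', $secret, $t0 + 60)); // token issued to a different session
var_dump(form_token_check($token, 'posting', $sid, $secret, $t0 + 7200));       // token older than the window
```

The redirect check only answers the question the RC7 item asks (is the scheme acceptable?); an absolute `http://` or `https://` URL pointing at another host still passes, so a board that wants to stay on its own domain needs a separate host comparison. The token is bound to the form name and the session so that a token leaked from one form, or issued to another visitor, cannot be replayed; the creation time gives it a bounded lifetime, and `hash_equals` avoids leaking the MAC through timing.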

Program Information

Category: Internet and communication
Type: Free
Version: 3.0 RC7
Size: 2.1MB



Download: phpBB 3.0 RC7