Recently, phpBB 3.0.7 was released by phpbb.com. They discovered a new security vulnerability in phpBB 3.0.7 version which was not noticed during testing. Following is the original announcement:
We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7, unfortunately the issue wasn’t noticed during testing and has only surfaced a week
after the release of 3.0.7.
We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it
is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:
– Feeds are enabled
– Any of the posts or topics feeds are enabled
– The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
– If you have excluded a forum from the list of forums that provide feeds, it is unaffected
The fix for the issue is a single line change inside of feed.php, line 525 has changed from:
$forum_ids = array_keys($auth->acl_getf('f_read'));
$forum_ids = array_keys($auth->acl_getf('f_read', true));
There were no other changes, in particular neither style nor language changes.
If you are using phpBB 3.0.7 it is strongly recommend to upgrade it immediately to to phpBB 3.0.7-PL1 version.