phpBB 3.0.13 Release

Started by Kailash, January 30, 2015, 10:19:54 AM

Kailash

NOTE: This is a security update for the phpBB 3.0.x branch. You do not need to install this update if you are running phpBB 3.1.x.

Official announcement:
------------------------------------------------------
Announcement URL: https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456

Greetings fellow phpBB users,

We are pleased to announce the "Return of the Bertie" release of phpBB 3.0.13. This version is a security and maintenance release of the 3.0.x branch which hardens phpBB against potential attacks and fixes a number of bugs. You do not need to install this update if you are running phpBB 3.1.x.

The first vulnerability is a CSRF potentially allowing an attacker to modify the private message setting that determines how full folders are handled (i.e. whether to delete the oldest message or hold the new message until further space is available). Users FBNeal and lampsys independently reported the issue to us.

The second issue, reported to us by James Kettle, allows an attacker to load arbitrary CSS in Internet Explorer by crafting a URL with trailing paths after a PHP file (for example /path/index.php/more/path). This is only possible if the webserver configuration allows accessing PHP files in this manner. This can be exploited directly on Internet Explorer 7 or below, and on newer versions of Internet Explorer by using a frame that forces outdated rendering behavior.

Neither of these issues affects phpBB 3.1.x.
------------------------------------------------------

If you are using a phpBB 3.0.x version, it is highly recommended that you upgrade it as soon as possible.

- Kailash
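
For the second issue in the announcement, an administrator can check web server access logs for requests that carry trailing path segments after a PHP file (the /path/index.php/more/path form). The following is an added example, not part of the original post or of phpBB's code; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".php" file name followed by "/" and anything else is trailing path info.
PATH_INFO_RE = re.compile(r'^(?P<script>.*?\.php)(?P<extra>/.*)$', re.IGNORECASE)


def split_path_info(target):
    """Return (script, trailing_path) when the request target has path
    segments after a .php file, else None. Only the path is inspected,
    so a ".php/" sequence inside the query string is not a match."""
    # Decode percent-escapes so a form such as index%2Ephp/x is also caught.
    path = unquote(urlsplit(target).path)
    m = PATH_INFO_RE.match(path)
    return (m.group("script"), m.group("extra")) if m else None


def flag_log_lines(lines):
    """Yield (line_number, script, trailing_path) for matching requests."""
    for n, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        if not req:
            continue  # not a parseable request line
        hit = split_path_info(req.group("target"))
        if hit:
            yield (n, *hit)


# Constructed sample access-log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2015:10:00:01 +0000] "GET /path/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [30/Jan/2015:10:00:02 +0000] "GET /path/index.php/more/path HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Jan/2015:10:00:03 +0000] "GET /path/viewtopic.php?f=14&t=1 HTTP/1.1" 200 7301',
    '203.0.113.9 - - [30/Jan/2015:10:00:04 +0000] "GET /path/ucp.PHP/a/b?i=pm HTTP/1.1" 200 4100',
    '203.0.113.7 - - [30/Jan/2015:10:00:05 +0000] "GET /path/index.php?next=/a.php/b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, script, extra in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: script={script} trailing_path={extra}")
```

Hits on a patched or 3.1.x board are still worth reviewing, since they show whether the web server accepts PHP files addressed in this manner.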