phpBB 2.0.11 :: Changelog

phpBB 2.0.11 CHANGELOG

Changelog

Changes since 2.0.10
Changes since 2.0.9
Changes since 2.0.8
Changes since 2.0.7
Changes since 2.0.6
Changes since 2.0.5
Changes since 2.0.4
Changes since 2.0.3
Changes since 2.0.2
Changes since 2.0.1
Changes since 2.0.0
Changes since RC-4
Changes since RC-3
Changes since RC-2
Changes since RC-1
Changes since RC-1 (pre)

Disclaimer

1. Changelog

This is a non-exhaustive (but still near complete) changelog for phpBB 2.0.x including beta and release candidate versions. Our thanks to all those people who've contributed bug reports and code fixes.

l.i. Changes since 2.0.10

Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
Fixed unsetting global vars - Matt Kavanagh
Fixed XSS vulnerability in username handling - AnthraX101
Fixed not confirmed sql injection in username handling - warmth
Added check for empty topic id in topic_review function
Added visual confirmation mod to code base

l.ii. Changes since 2.0.9

Fixed deleting of styles in admin_styles.php
Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
Added code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
Fixed bug in admin_board.php for board settings having single quotes in it
Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
Fixed forum jumpbox propagating session id in moderator control pages
Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
Fixed visual confirmation code. The image was not created due to a wrong regular expression.

l.iii. Changes since 2.0.8

Fixed one vulnerability in admin_board.php - Xore
Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
Fixed injection vulnerabilities possible with linked avatars
Implemented unsetting globalised variables
Limited confirm switch to POST variable in posting
Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
Updated visual confirmation mod [pre-edited files]
Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
Added the ability to link to https/ftps sites using the img bbcode tag
Fixed user online information in admin/index.php
Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
Fixed problem with SID not delivered to next page in groupcp.php

l.iv. Changes since 2.0.7

Fixed several vulnerabilities in admin pages
Fixed sid checking code in admin/pagestart.php
Fixed injection vulnerabilities possible with the img bbcode tag
Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
Fixed redirect problems - 2.0.7a
Fixed sql injection vulnerability in search - 2.0.7a
Fixed sql injection vulnerability in privmsg - 2.0.8a

1.v. Changes since 2.0.6

Fixed several vulnerabilities in modcp - Robert Lavierck
Changed whois lookup address within admin index
Fixed potential vulnerability in viewtopic postorder - 2.0.6d
Updates to cope with Zend Optimizer 2.5 problems - 2.0.6d - jetset
Force specialcharing of redirect variable in login - Pit
Fixed potential vulnerability in viewtopic postdays - GulfTech Security Research
Fixed potential vulnerability in viewforum topicdays - GulfTech Security Research
Fixed potential vulnerability in modcp
Fixed potential vulnerability in avatar gallery

1.vi. Changes since 2.0.5

Fixed various email issues
Fixed registration email bug with Administrator Confirmation used
Fixed mass emailer
Fixed long post time issue
Fixed bug with usernames containing single quotes
Fixed word list bug - Word boundaries were not considered
Fixed vulnerability in style admin
Fixed sql injection vulnerability in viewtopic
Fixed vulnerability allowing server side variable access in search - tendor
Fixed potential vulnerability in 2.0.5 login username entry - throw away/eomer
Fixed sql injection with reset date format field in profile - tendor

1.vii. Changes since 2.0.4

Removed user facing session_id checks
Fixed user self-activation after deactivation
Fixed incorrect functioning of phpbb_realpath
Fixed wrong path to database schema files within the upgrade script
Fixed double quote problem with username validation
Allow & within email addresses
Fixed email validation for banned email addresses
Removed underline from email domain validation
Fixed redirection for sentbox folder, installation and email
Fixed poll deletion
Fixed Mozilla navigation bar
Fixed URL bbcode parsing
Fixed database timeouts while searching the forums
Fixed wrong email return path in admin mass mailing - netclectic
Fixed MS-SQL failures within the update script
Fixed memberlist sort order
Fixed not showing leading spaces within Code BBCode
Fixed problem with adding double quotes to subject titles
Remove username input field from profile when user cannot change name
Fixed pagination error with highlighting
Fixed errors if no smilies are installed
Fixed CSS issues with IE 5.2 on MacOS X
Fixed missing sid propagation problem within the Moderator Control Panel
Fixed language variables within Authentication error output
Removed doubled CSS class definitions within input fields
Fixed username change within the Administration Panel
Added missing <tr> tags to index_body.tpl
Added missing username language variable to admin index page
Fixed moderator status update if a usergroup got deleted
Fixed poll handling upon post edit
Fixed remove common words from search table if post get pruned - Nuttzy99
Fixed behaviour on splitting topics if no checkbox is selected
Anonymous is no longer displayed within Username dropdown boxes
Fixed viewprofile redirection if an invalid mode was specified
Fixed fraction settings within determining common words - Novan
Prevent admin change usernames to his own within the ACP
Activation email is sent to all admins
Fixed conversion of & to & in appropriate cases
Fixed display of "greater than topics per page" announcements preventing display of normal posts
Added variable checks to database backup and restore screen
Prevented pm popup window from resetting after visiting avatar gallery
Fixed special character handling with word censor
Added SID to jumpbox
Fixed problems with usernames using html special chars
Added GMT + 13 to English lang_main, all translators are encouraged to do likewise
Deleted doubled 'U_MEMBERLIST' assignment from page_header.php
Fixed wrong display of Signature Checkbox while editing Private Message
Fixed disappearing post text if emoticon was inserted directly after pressing a BBCode button
Display correct alt-tag for smilies within postings
Prevented the ability to apply BBCode to website contents
Fixed maxlength issue with password field in login_body.tpl
Fixed possible username duplication issue with validation and username length
Fixed split words function to handle additional foreign characters
Changed empty email To Field to use a non-disclosure delimiter
Fixed wrong language var in install.php - FTP Config screen
Fixed alt tag for locked topic images in viewforum_body.tpl
Fixed typo in groupcp.php - $lang['Unsub_success'] instead of $lang['Usub_success']
Fixed timezone display
Fixed wrong display of author quote tag within profile - Cl1mh4224rd
Added deletion of sessions of users whose account is deactivated
Added mail header X-MimeOLE to the emailer class
Prevent registration if user is logged in or user trying to register again
Prevent usage of char(255) in usernames
Added check for additional FORWARDED_FOR IP's - cosmos
Fixed handling of non-selection of option when voting
Fixed potential xss issue with memberslist mode
Default English support for visual confirmation - translators are encouraged to support this

1.viii. Changes since 2.0.3

Fixed cross-browser scripting issue with highlight param
Back-ported highlighting code from phpBB 2.2
Add session id validation to posting, profile, email, voting - Edwin van Vliet
Added {S_HIDDEN_FIELDS} template var to profile_send_email.tpl
Added "intval" fix for flood check, may resolve some issues
Added missing index to post_id for search_wordmatch
Fixed spelling error in search add words preventing use of stopword list
Fixed issue with search common words not being run
Introduce viewtopic resync patch by Ashe
Replace a for n in templating code
Fixed ordering in memberslist
Fixed group_id sequence issues with pgsql and msaccess
Fixed assumption of word censors in user notification
Fixed incorrect display of quotes in user management fields
Fixed entry of special chars in all profile fields - note this may cause temporary issues
Fixed incorrect display of quotes when using avatar gallery
Fixed missing username in email sent to users when admin activated
Added check for non-empty smiley code and url in smiley admin
Prevent display of -- sig seperator in emails when no board sig exists
Fixed URL propagated sid issues with jumpbox
Fixed wrong mode name check (polldelete) in functions_post
Added missing root path to l10n image path check
Remove validation of fields when deleting a user
Fixed sort mode select box in memberslist to default to