phpBB • Creating Communities Worldwide

[psoTFX]

This is a reminder to all users to upgrade as soon as possible to 2.0.11. Remember, the issue leading to this release was extremely serious. It gave rise to the possibility for persons to "install" scripts, delete files and otherwise access your system. If you have upgraded, be sure to check your account/system for suspicious files, etc. If you have any concerns please raise them in the support forum here at phpbb.com.

You should always be aware of what files are present on your system, that is good practice. If you run your own server you should install (wherever) possible tripwire or similar applications to limit the potential damage exploits (in phpBB and other software) may cause.

Now, let me reiterate something ... we do take security issues seriously. It's incredibly infuriating for us to read comments such as "I don't think the developers do take these things seriously", utter utter tripe and bolderdash. Equally we have complaints about notifications of new releases. I agree, something which pushes info on new releases is required. I've noted this internally before and perhaps now we'll get this implemented. However you can be notified of new package availability by "Monitoring" the phpBB releases at Sourceforge.

Please be aware that you should be fully aware of what software you are using. While we can (and will) do better at giving users notification in future it is your installation ... always keep an eye out for new releases, be it phpBB or anything else.

[dhn]

I'm bumping this as a further reminder to all users to UPGRADE TO 2.0.11 if they haven't already. If you visit or know of a phpBB board running versions below 2.0.11 please contact the admins/moderators of that board and tell them of 2.0.11.

Today another wonderful experiment in how to do harm seems to have been unleashed, the Santy.A worm. This little perl script makes use of the highlighting exploit to deface sites running phpBB pre-2.0.11.

In the past I've been against the inclusion of any ACP based "new version" system for various reasons; bandwidth here and most of all privacy issues (and how some will claim we're using it to "track" installations). This situation is however leading to a change in stance on this.

However that won't help the current situation, nor I suspect will it impact a majority of the current 2.0.x userbase (who would need to upgrade to get any such funtionality!). We still get posts from users running versions of phpBB released two years ago ... it's essential that admins/owners of boards take some responsbility for the software they use. So again, if you haven't upgraded, or know of a board that hasn't, please do the right thing.