Today, we are publishing phpBB 3.1.2 in order to address over 30 discovered issues since the release of 3.1.0: a number of improvements as well as two minor security vulnerabilities that we identified ourselves. Please update your phpBB 3.1 installation as soon as possible.
We resolved problems with redirects to incorrect URLs following confirmation screens that we introduced with the security fix in 3.1.1. A large number of the bug fixes and improvements relate to the update process from phpBB 3.0 Olympus to 3.1 Ascraeus and we are confident that the process now works more smoothly for anyone looking to update.
Through specifically crafted requests with an XMLHttpRequest header it was possible to trigger an infinite loop in a phpBB routine which may end up consuming a large amount of resources on a server running phpBB 3.1.1. Further, once you installed an extension, its authors were able to load additional HTML in the extensions administration interface through the version check file which would only be exploitable by malicious extension authors. Independent of this particular problem we recommend you only install extensions made available in the extension database on http://www.phpbb.com
as they go through a security audit by the extensions team before they are published.
The packages can be downloaded from our downloads page
If you have any questions or comments, we'll be happy to address them in the discussion topic
- The phpBB Team