phpBB 3.1.1 Release - Please Update

Post by naderman (Nils Adermann)

Today, we are making available phpBB 3.1.1 in order to address a minor vulnerability as well as several usability issues that have been brought to our attention. If you installed phpBB 3.1.0, please update to 3.1.1.

Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers. Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.

Secondly, we are removing the "Send a copy of this email to yourself" feature from the contact page for guests to avoid it being used for sending undesired emails from the board.

Lastly, we are fixing several usability issues that were preventing some users from having a smooth experience while updating from 3.0 to 3.1. The notable ones are:
  • If a user's selected style no longer exists, attempt to reset to an existing style.
  • Fix auth provider errors for forums that migrated from other forum software.
  • Improve and correct update instructions and documentation.
The packages can be downloaded from our downloads page.

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team

Release Highlights

Security Fixes
  • Cross Site Scripting via PATH_INFO in page_name variable - Fixed a cross site scripting vulnerability that allows injecting HTML into pages using the PATH_INFO via session's page_name variable.
Notable Changes
  • Custom style from 3.0.x not available after migrating to 3.1.x - If the default style is missing after the upgrade to 3.1, attempt to handle this gracefully by resetting to an available style.
  • Anonymous users can CC themselves on emails sent to admin via contact form - The option to send a copy to the sender has been removed from email forms displayed to guest users who are not registered.
Notable Bug Fixes
  • Password issues for converted boards after upgrade - Fix auth provider errors for forums that migrated from other forum software.
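As an added illustration of the vulnerability class named in the Security Fixes list (HTML carried in PATH_INFO ending up in the page through the recorded page name), the Python below is not phpBB's code and not the fix the team shipped: the function names, the whitelist pattern and the access-log lines are assumptions constructed for this demo. It contrasts a page-name derivation that concatenates raw PATH_INFO and reflects it unescaped with one that validates the path on input and escapes on output, and adds a small log scan that flags requests whose path (raw or percent-encoded) carries HTML metacharacters, which is what an operator would look for in access logs from before the update.

```python
import html
import re
import urllib.parse

# Page names may contain only this conservative character set
# (assumption for the demo; a real board may allow a different, documented set).
SAFE_PAGE_RE = re.compile(r"^[A-Za-z0-9_./-]*$")


def page_name_vulnerable(script_name, path_info):
    """Record the current page the unsafe way: script name plus raw PATH_INFO."""
    return script_name + path_info


def render_vulnerable(script_name, path_info):
    """Reflect the page name into HTML without escaping.

    PATH_INFO such as '/<script>alert(1)</script>' lands verbatim in the
    markup of any page that later prints the recorded page name.
    """
    name = page_name_vulnerable(script_name, path_info)
    return '<a href="%s">%s</a>' % (name, name)


def page_name_hardened(script_name, path_info):
    """Validate PATH_INFO before it becomes the page name.

    Anything outside the whitelist, and any '..' segment, falls back to the
    bare script name, so a hostile path never reaches the session.
    """
    if ".." in path_info or not SAFE_PAGE_RE.match(path_info):
        return script_name
    return script_name + path_info


def render_hardened(script_name, path_info):
    """Validate on input and escape on output.

    The whitelist already rejects HTML metacharacters; escaping is defence
    in depth so the template stays safe if the whitelist is ever loosened.
    """
    name = page_name_hardened(script_name, path_info)
    safe = html.escape(name, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


def path_carries_html(request_target):
    """True if the path part of a request target contains HTML metacharacters,
    raw or percent-encoded.

    The query string is ignored on purpose: this check targets the PATH_INFO
    vector, not query-parameter injection.
    """
    path = request_target.split("?", 1)[0]
    decoded = urllib.parse.unquote(path)
    return any(ch in decoded for ch in '<>"\'')


LOG_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed Apache-style access log lines for the demo (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Nov/2014:10:00:01 +0000] "GET /viewtopic.php/forum/1 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [25/Nov/2014:10:00:02 +0000] "GET /viewtopic.php/<script>alert(1)</script> HTTP/1.0" 200 5130',
    '203.0.113.9 - - [25/Nov/2014:10:00:03 +0000] "GET /viewtopic.php/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5130',
    '198.51.100.2 - - [25/Nov/2014:10:00:04 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 800',
]


def scan_access_log(lines):
    """Return the request targets whose path carries HTML metacharacters."""
    hits = []
    for line in lines:
        m = LOG_REQUEST_RE.search(line)
        if m and path_carries_html(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    hostile = "/<script>alert(1)</script>"
    print("vulnerable:", render_vulnerable("/viewtopic.php", hostile))
    print("hardened:  ", render_hardened("/viewtopic.php", hostile))
    for target in scan_access_log(SAMPLE_ACCESS_LOG):
        print("suspicious path:", target)
```

The scan decodes percent-encoding before looking for metacharacters because the web server decodes PATH_INFO before handing it to the application, so an encoded and a raw payload reach the script in the same form; the fourth log line is deliberately not flagged, since its payload sits in the query string rather than the path.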