phpBB 3.1.2 Release - Please Update

Name: Nils Adermann

Post by naderman »

Today, we are publishing phpBB 3.1.2 in order to address over 30 issues discovered since the release of 3.1.0: a number of improvements as well as two minor security vulnerabilities that we identified ourselves. Please update your phpBB 3.1 installation as soon as possible.

We resolved problems with redirects to incorrect URLs following confirmation screens that we introduced with the security fix in 3.1.1. A large number of the bug fixes and improvements relate to the update process from phpBB 3.0 Olympus to 3.1 Ascraeus, and we are confident that the process now works more smoothly for anyone looking to update.

Through specifically crafted requests with an XMLHttpRequest header, it was possible to trigger an infinite loop in a phpBB routine, which may end up consuming a large amount of resources on a server running phpBB 3.1.1. Further, once you installed an extension, its authors were able to load additional HTML in the extensions administration interface through the version check file, which would only be exploitable by malicious extension authors. Independent of this particular problem, we recommend you only install extensions made available in the extension database on http://www.phpbb.com, as they go through a security audit by the extensions team before they are published.

The packages can be downloaded from our downloads page.

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team



Release Highlights

New Features
  • Events - More events have been added to the template and the PHP core
Notable Changes
  • @vendor_extname for INCLUDECSS - CSS files can now be included directly from a specific extension
Notable Bug Fixes
  • confirm_box() does not work - The security fix of 3.1.1 broke the URL generation for confirm boxes which broke quite a lot of features.
  • Update does not finish - Fixed a bug that kept the migrator caught in a loop calculating dependencies
  • Ajax request and IE - Ajax requests were cached in IE causing move up/down in the ACP to not work multiple times.