We resolved the problems, introduced with the security fix in 3.1.1, that caused redirects to incorrect URLs following confirmation screens. A large number of the bug fixes and improvements relate to the update process from phpBB 3.0 Olympus to 3.1 Ascraeus, and we are confident that the process now works more smoothly for anyone looking to update.
Through specially crafted requests with an XMLHttpRequest header, it was possible to trigger an infinite loop in a phpBB routine, which may end up consuming a large amount of resources on a server running phpBB 3.1.1. Further, once an extension was installed, its authors were able to load additional HTML into the extensions administration interface through the version check file; this would only be exploitable by malicious extension authors. Independent of this particular problem, we recommend you only install extensions made available in the extension database on http://www.phpbb.com, as they go through a security audit by the extensions team before they are published.
The packages can be downloaded from our downloads page.
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Release Highlights
New Features
- Events - More events have been added to the template and the PHP core
- @vendor_extname for INCLUDECSS - CSS files can now be included directly from a specific extension
- confirm_box() does not work - The security fix in 3.1.1 broke the URL generation for confirm boxes, which broke quite a lot of features.
- Update does not finish - Fixed a bug that kept the migrator caught in a loop calculating dependencies.
- Ajax request and IE - Ajax requests were cached in IE, preventing move up/down in the ACP from working multiple times.