Please note, the exploits of which we've been notified and which are addressed in 2.0.12 are in absolutely no way to blame for the loss of www.phpbb.com which we are still extremely confident was the fault of an outdated awstats and kernel.
However, one of the potential exploits addressed in this release could be serious in certain situations, and thus we urge all users, as always, to upgrade to this release as soon as possible. Mostly this release is concerned with eliminating disclosures of information which, while useful in debug situations, may allow third parties to gain information that could be used to do harm via unknown or unfixed exploits in this or other applications.
As with previous releases three different packages are available:
- Full Package
Contains the entire phpBB2 source and the English language package.
- Changed Files Only
Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release.
- Patch Files
Contains patches (for use with the patch utility) from the previous versions of phpBB.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!
Note to 2.0.3 users intending to use the patch file version
Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.
We recommend that all 2.0.3 users do a "dry run" patch first to see whether you need to use this fix. To do this, append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.12.patch. This will prevent any permanent changes being made to your installation. If you see numerous (literally dozens and dozens of) "Hunk FAILED" messages, this applies to you.
To correct this problem, go to your phpBB root directory, copy fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip the Windows-style carriage returns present in the 2.0.3 source.
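As an added example (not the phpBB project's own fixfiles.sh, whose contents are not reproduced here), the following POSIX shell functions carry out the check and fix described above: count the failed hunks of a dry-run patch, detect source files that still carry Windows carriage returns, and strip them while keeping a backup. The file-name patterns searched and the .bak suffix are assumptions, not part of the release.

```shell
#!/bin/sh
# Added example, not code from the phpBB release. Detect and strip CRLF
# line endings so that a phpBB patch file applies cleanly.

# Print the number of carriage-return bytes in FILE (0 for a clean file).
count_cr_bytes() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Exit status 0 if FILE contains any carriage returns, 1 otherwise.
has_crlf() {
    [ "$(count_cr_bytes "$1")" -gt 0 ]
}

# Rewrite FILE in place with CR bytes removed, keeping FILE.bak
# (assumed suffix) in case the patch still fails and you want to compare.
strip_crlf() {
    file="$1"
    cp -p "$file" "$file.bak"
    tr -d '\r' < "$file.bak" > "$file"
}

# Run the patch as a dry run from the current directory (the phpBB root)
# and print the number of "FAILED" hunk messages. 0 means a clean run;
# dozens of failures are the symptom the release notes describe.
dry_run_failed_hunks() {
    patchfile="$1"
    # patch exits non-zero when hunks fail; "|| true" keeps a set -e shell alive.
    patch -cl -p1 --dry-run < "$patchfile" 2>&1 | grep -c 'FAILED' || true
}

# Walk ROOT, strip CRLF from every matching text file that has any, and
# print how many files were rewritten. The name patterns are an assumption
# about what a phpBB2 tree contains; extend them for your installation.
fix_tree() {
    root="$1"
    fixed=0
    # A here-document keeps the loop in the current shell so $fixed survives.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if has_crlf "$f"; then
            strip_crlf "$f"
            fixed=$((fixed + 1))
        fi
    done <<EOF
$(find "$root" -type f \( -name '*.php' -o -name '*.tpl' -o -name '*.cfg' \))
EOF
    echo "$fixed"
}
```

Typical use from the phpBB root: if `dry_run_failed_hunks phpBB-2.0.3_to_2.0.12.patch` prints a large number, run `fix_tree .` and repeat the dry run before applying the patch for real.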
What has changed in this release?
The changelog (contained within this release) is as follows:
- Added confirm table to admin_db_utilities.php
- Prevented full path display on critical messages
- Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
- Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
- Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
- Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
- Removed version number from powered by line
- Merged database update files to update_to_latest.php file
- Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
- Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer