Remember, always check this forum (and the downloads page) when you come across a "new" vulnerability or other issue. Please ensure you update accordingly. In doing so you are protecting yourself from all known issues and saving us time in fielding questions we've already answered.
I really want to write all the bad words that I know as a reply!
But I think that won't help.
Ok - here is the way if someone wants to be informed:
- first, no one wants to check the forum or the news, so you search for a mailing list
- at phpbb.com: nothing
- at sourceforge.net: nice there is one:
but there are only two test messages from 2000!
- if you are lucky you find the monitor link on the main page (the letter icon)
Ok but I think only 1% know this.
Also it is very interesting that you can "fake" the release date at sourceforge project summary: November 23, 2003!
But one other, worse problem is: most people just check the version and see - 2.06 - and think - yeah! I have the newest.
Someone added the extension c to the newest version - I hope that appears at the bottom of each page if I install it.
Some time ago I requested a news-mod.
http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=
But it requires allow_url_fopen on, and if someone also has register_globals on it is the worst security hole ever.
Ok I will also add why I am so angry:
I am an administrator (of a little server) and I know that I have to update all forums (5 or so) on my server myself because no one cares about security updates. I know that is a problem everywhere because I have already sent a lot of emails to other forum administrators because their forums are insecure.
-> about 1,960,000 hits
Most people do not update so there are at least 10% insecure (ok I really think 40% or more - I estimate a half million).
There are at least 3 Linux local user->root security holes from the last few months.
Ok have a nice day.
Sorry for my bad English.