As with previous releases three different packages are available:
- Full Package
  Contains entire phpBB2 source and English language package
- Changed Files Only
  Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
- Patch Files
  Contains patch compatible patches from the previous versions of phpBB.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!
Note to 2.0.3 users intending to use the patch file version
Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.
We recommend that all 2.0.3 users do a "dry run" patch first to see whether you need to use this fix. To do this, append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.9.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens of) hunk failed messages, this applies to you.
To correct this problem, go to your phpBB root directory, copy fixfiles.sh to this location, run chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip the Windows-style carriage returns present in the 2.0.3 source.
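The dry-run check and carriage-return cleanup described above, as an added example that is neither part of the phpBB archive nor the contents of fixfiles.sh. The function names, the 24-hunk threshold and the .php/.tpl filter are assumptions; the log and files in demo are constructed.

```shell
#!/bin/sh
# Added example: not part of phpBB and not the contents of contrib/fixfiles.sh.
# Real use, from the phpBB root (patch command as given in the announcement):
#   patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.9.patch > dryrun.log 2>&1
#   needs_cr_fix dryrun.log && strip_cr .

# Count failed hunks in patch output read on stdin.
count_failed_hunks() {
    grep -c 'Hunk #[0-9][0-9]* FAILED' || true
}

# True when a saved dry-run log shows at least THRESHOLD failed hunks.
# The default of 24 is an assumption standing in for "dozens and dozens".
needs_cr_fix() {
    failed=$(count_failed_hunks < "$1")
    [ "$failed" -ge "${2:-24}" ]
}

# List .php/.tpl files under DIR that contain a carriage return.
# Restricting the search to these two extensions is an assumption.
list_cr_files() {
    cr=$(printf '\r')
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' \) \
        -exec grep -l "$cr" {} + || true
}

# Remove carriage returns in place, keeping each file's permissions.
strip_cr() {
    list_cr_files "$1" | while IFS= read -r f; do
        tr -d '\r' < "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# Constructed demo: a throwaway tree with one CRLF file and a constructed
# dry-run log of 30 failed hunks; prints how many files still contain CRs.
demo() {
    d=$(mktemp -d)
    printf '<?php\r\necho 1;\r\n' > "$d/common.php"
    printf '<?php\necho 2;\n' > "$d/index.php"
    i=1
    while [ "$i" -le 30 ]; do
        echo "Hunk #$i FAILED at $((i * 10))." >> "$d/dryrun.log"
        i=$((i + 1))
    done
    needs_cr_fix "$d/dryrun.log" && strip_cr "$d"
    list_cr_files "$d" | wc -l | tr -d ' '
    rm -rf "$d"
}
```

Run the real dry run again after strip_cr; only a clean dry run means the patch is safe to apply for real.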
What has changed in this release?
This changelog is included with all archives:
- Fixed one vulnerability in admin_board.php - Xore
- Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
- Fixed injection vulnerabilities possible with linked avatars
- Implemented unsetting globalised variables
- Limited confirm switch to POST variable in posting
- Changed IP code in common.php to prevent IP spoofing
- Updated visual confirmation mod [pre-edited files]
- Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
- Added the ability to link to https/ftps sites using the img bbcode tag
- Fixed user online information in admin/index.php
- Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
- Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
- Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
- Fixed problem with SID not delivered to next page in groupcp.php
We urge all users to update promptly to this new release.
If you are still having trouble after reading the documentation provided, please refer to the Support Forum and use the Support Request Template.
For those with a lot of Mods installed, a Code Changes Mod will be available very soon.