Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers. Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.
Secondly, we are removing the "Send a copy of this email to yourself" feature from the contact page for guests to avoid it being used for sending undesired emails from the board.
Lastly, we are fixing several usability issues that were preventing some users from having a smooth experience while updating from 3.0 to 3.1. The notable ones are:
- If a user's selected style no longer exists, attempt to reset to an existing style.
- Fix auth provider errors for forums that migrated from other forum software.
- Improve and correct update instructions and documentation.
If you have any questions or comments, we'll be happy to address them in the discussion topic
- The phpBB Team
Release Highlights
Security Fixes
- Cross Site Scripting via PATH_INFO in page_name variable - Fixed a cross site scripting vulnerability that allows injecting HTML into pages using the PATH_INFO via session's page_name variable.
- Custom style from 3.0.x not available after migrating to 3.1.x - If the default style is missing after the upgrade to 3.1, attempt to handle this gracefully by resetting to an available style.
- Anonymous users can CC themselves on emails sent to admin via contact form - The option to send a copy to the sender has been removed from email forms displayed to guest users who are not registered.
- Password issues for converted boards after upgrade - Fix auth provider errors for forums that migrated from other forum software.