Software update: phpBB 2.0.12

The phpBB program is a powerful, scalable and fully customizable forum package with a user-friendly interface and effective administration functions. The package is being developed in the PHP language and offers support for MySQL, MS-SQL, PostgreSQL and Access/ODBC databases for storing the data. Recently, version 2.0.12 has been released by the phpBB Group which fixes a series of security vulnerabilities. The release notes look like this:

phpBB Group are pleased to announce the release of phpBB 2.0.12 the “Horray for Furrywood” release. This release addresses a number of bugs and a couple of potential exploits. It also adds a new feature in the form of an ACP based version checker (maintainers of language packages please take note of the need for the additional localized string!).

One of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users, as always, to upgrade to this release as soon as possible. Mostly this release is concerned with eliminating disclosures of information which while useful in debug situations may allow third parties to gain information which could be used to do harm via unknown or unfixed exploits in this or other applications.

What has changed in this release?

  • Added confirm table to admin_db_utilities.php
  • Prevented full path display on critical messages
  • Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug
  • Added exclude list to unsetting globals (if register_globals is on)
  • Fixed arbitrary file disclosure vulnerability in avatar handling functions
  • Fixed arbitrary file unlink vulnerability in avatar handling functions
  • Removed version number from powered by line
  • Merged database update files to update_to_latest.php file
  • Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug
  • Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug

Version number 2.0.12
Website phpBB
License type GPL