Software update: phpBB 2.0.9


Version 2.0.9 of the forum software phpBB is available on the phpBB site. As the name implies, phpBB is written in PHP, and it can use MySQL, PostgreSQL, Microsoft SQL Server 2000 or Access to store its data. According to the announcement, this version is the last of the 2.0.x branch unless serious problems are discovered. Meanwhile, the team continues to work on version 2.2.0. The changelog lists the following changes:

  • Fixed one vulnerability in admin_board.php – Xore
  • Added checking for proper session id characters to sessions and viewtopic to prevent injections – Bartlomiej Korupczynski
  • Fixed injection vulnerabilities possible with linked avatars
  • Implemented unsetting globalized variables
  • Limited confirm switch to POST variable in posting
  • Changed IP code in common.php to prevent IP spoofing
  • Updated visual confirmation mod [pre-edited files]
  • Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] – spotted by R45
  • Added the ability to link to https/ftps sites using the img bbcode tag
  • Fixed user online information in admin/index.php
  • Fixed getting group moderator in groupcp.php if running oracle backend – spotted by pakman
  • Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
  • Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled – Matthew C. Kavanagh, Janek Vind
  • Fixed problem with SID not delivered to next page in groupcp.php

Version number: 2.0.9
Website: phpBB
License type: GPL