XSS for obsolete browsers fixed in phpBB 3.1.1


Post by Juanm » Sunday November 2nd, 2014 05h19:09

naderman @ phpbb.com wrote:

Today, we are making available phpBB 3.1.1 in order to address a minor vulnerability as well as several usability issues that have been brought to our attention. If you installed phpBB 3.1.0, please update to 3.1.1.

Firstly, despite our best efforts and a full security audit of the 3.1 codebase by SektionEins, Dingjie Yang of Qualys, Inc. discovered an XSS vulnerability that may be utilized against users of older browsers. Our tests indicate that this does not seem to affect major browsers released after 2009, making all browsers officially supported by phpBB 3.1 immune and around 99.9% of phpBB.com visitors unaffected. Nevertheless, we are not taking any chances and urge everyone to update. Thanks to Mr. Yang for bringing this to our attention.

Secondly, we are removing the "Send a copy of this email to yourself" feature from the contact page for guests to avoid it being used for sending undesired emails from the board.

Lastly, we are fixing several usability issues that were preventing some users from having a smooth experience while updating from 3.0 to 3.1. The notable ones are:

  • If a user's selected style no longer exists, attempt to reset to an existing style.
  • Fix auth provider errors for forums that migrated from other forum software.
  • Improve and correct update instructions and documentation.

Full announcement: https://www.phpbb.com/community/viewtop ... &t=2270766

Info and download: http://www.phpbb.com/downloads/

