phpBB 2.0.8 released

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Scam Warning
Post Reply
Acyd Burn
Consultant
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

phpBB 2.0.8 released

Post by Acyd Burn »

phpBB Group are pleased to announce the release of phpBB 2.0.8. This release had been made to fix a number of critical security related issues. Work continues on 2.2.0 and again we do not plan on further releases of 2.0.x except where critical issues arise.

As with previous releases three different packages are available:
  • Full Package
    Contains entire phpBB2 source and English language package
  • Changed Files Only
    Contains only those files changed from previous versions of phpBB. Please note this archive contains changed files for each previous release
  • Patch Files
    Contains patch compatible patches from the previous versions of phpBB.
Select whichever package is most suitable for you.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation or updates!.

Note to 2.0.3 users intending to use the patch file version

Users of 2.0.3 intending to use the patch version may (but not necessarily will) need to run fixfiles.sh (found in the contrib/ directory with the downloaded archive) before patching.

We recommend that all 2.0.3 users do a "dry run" patch first to see whether this you need to use this fix. To do this append --dry-run to the patch command, e.g. patch -cl -p1 --dry-run < phpBB-2.0.3_to_2.0.8.patch. This will prevent any permanent changes being made to your installation. If you experience numerous (literally dozens and dozens) of hunk failed messages this applies to you.

To correct this problem go to your phpBB root directory, copy the fixfiles.sh to this location, chmod u+x fixfiles.sh and type ./fixfiles.sh. This will strip windows style carriage returns present in the 2.0.3 source. A new fixfiles.sh script has been put into the contrib folder to be "fixed" too.

What has changed in this release?

A comprehensive changelog is included with all archives. This edition is centred on fixing a number of critical security issues.

As with 2.0.5, 2.0.6 and 2.0.7 the visual confirmation and the template caching Mods are included in the contrib directory.

We urge all users to update promptly to this new release.
If you are still having troubles on reading the documentation provided, please refer to the Support Forum and use the Support Request Template.



If you want to patch your 2.0.7(a) installation


If you are still using phpBB 2.0.7 or prior, please go to our Downloads Page, download the appropiate package and follow the update Instructions.

The following are the changes from 2.0.7a to 2.0.8 for manual upgrading.
A patch file for 2.0.7a to 2.0.8 is downloadeable from this location.

Manual Instructions for upgrading (Mod Format) are soon available here within the Mods Database.

  • admin/admin_forumauth.php[/color][/size]
  1. FIND - Line 105

    Code: Select all

    
    			$simple_ary = $simple_auth_ary[$HTTP_POST_VARS['simpleauth']];
    
    			for($i = 0; $i < count($simple_ary); $i++)
    			{
    				$sql .= ( ( $sql != '' ) ? ', ' : '' ) . $forum_auth_fields[$i] . ' = ' . $simple_ary[$i];
    			}
    
    			$sql = "UPDATE " . FORUMS_TABLE . " SET $sql WHERE forum_id = $forum_id";
    		}
    		else
    		{
    			for($i = 0; $i < count($forum_auth_fields); $i++)
    			{
    				$value = $HTTP_POST_VARS[$forum_auth_fields[$i]];
    
    REPLACE WITH

    Code: Select all

    
    			$simple_ary = $simple_auth_ary[intval($HTTP_POST_VARS['simpleauth'])];
    
    			for($i = 0; $i < count($simple_ary); $i++)
    			{
    				$sql .= ( ( $sql != '' ) ? ', ' : '' ) . $forum_auth_fields[$i] . ' = ' . $simple_ary[$i];
    			}
    
    			if (is_array($simple_ary))
    			{
    				$sql = "UPDATE " . FORUMS_TABLE . " SET $sql WHERE forum_id = $forum_id";
    			}
    		}
    		else
    		{
    			for($i = 0; $i < count($forum_auth_fields); $i++)
    			{
    				$value = intval($HTTP_POST_VARS[$forum_auth_fields[$i]]);
    
  • admin/admin_forums.php[/color][/size]
  1. FIND - Line 60

    Code: Select all

    
    	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  • admin/admin_groups.php[/color][/size]
  1. FIND - Line 55

    Code: Select all

    
    	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  • admin/admin_ranks.php[/color][/size]
  1. FIND - Line 43

    Code: Select all

    
    	$mode = ($HTTP_GET_VARS['mode']) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  • admin/admin_smilies.php[/color][/size]
  1. FIND - Line 62

    Code: Select all

    
    	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  2. FIND - Line 319

    Code: Select all

    
    			$smiley_id = ( !empty($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];
    
    AFTER, ADD

    Code: Select all

    
    			$smiley_id = intval($smiley_id);
    
  3. FIND - Line 340

    Code: Select all

    
    			$smiley_id = ( !empty($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];
    
    AFTER, ADD

    Code: Select all

    
    			$smiley_id = intval($smiley_id);
    
  • admin/admin_styles.php[/color][/size]
  1. FIND - Line 61

    Code: Select all

    
    	$mode = ( isset($HTTP_GET_VARS['mode']) ) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  2. FIND - Line 492

    Code: Select all

    
    				$style_id = $HTTP_GET_VARS['style_id'];
    
    REPLACE WITH

    Code: Select all

    
    				$style_id = intval($HTTP_GET_VARS['style_id']);
    
  3. FIND - Line 707

    Code: Select all

    
    				WHERE template_name = '$template_name'";
    
    REPLACE WITH

    Code: Select all

    
    				WHERE template_name = '" . str_replace("\'", "''", $template_name) . "'";
    
  • admin/admin_ug_auth.php[/color][/size]
  1. FIND - Line 60

    Code: Select all

    
    $user_id = intval($user_id);
    $group_id = intval($group_id);
    
    AFTER, ADD

    Code: Select all

    
    $adv = intval($adv);
    $mode = htmlspecialchars($mode);
    
  • admin/admin_user_ban.php[/color][/size]
  1. FIND - Line 280

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $user_list[$i];
    
    REPLACE WITH

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . intval($user_list[$i]);
    
  2. FIND - Line 293

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $ip_list[$i];
    
    REPLACE WITH

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . str_replace("\'", "''", $ip_list[$i]);
    
  3. FIND - Line 306

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . $email_list[$i];
    
    REPLACE WITH

    Code: Select all

    
    				$where_sql .= ( ( $where_sql != '' ) ? ', ' : '' ) . str_replace("\'", "''", $email_list[$i]);
    
  • admin/admin_users.php[/color][/size]
  1. FIND - Line 52

    Code: Select all

    
    	$mode = ( isset( $HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  2. FIND - Line 842

    Code: Select all

    
    				$category = $HTTP_POST_VARS['avatarcategory'];
    
    REPLACE WITH

    Code: Select all

    
    				$category = htmlspecialchars($HTTP_POST_VARS['avatarcategory']);
    
  • admin/admin_words.php[/color][/size]
  1. FIND - Line 44

    Code: Select all

    
    	$mode = ($HTTP_GET_VARS['mode']) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];
    
    AFTER, ADD

    Code: Select all

    
    	$mode = htmlspecialchars($mode);
    
  2. FIND - Line 67

    Code: Select all

    
    		$word_id = ( isset($HTTP_GET_VARS['id']) ) ? $HTTP_GET_VARS['id'] : 0;
    
    REPLACE WITH

    Code: Select all

    
    		$word_id = ( isset($HTTP_GET_VARS['id']) ) ? intval($HTTP_GET_VARS['id']) : 0;
    
  3. FIND - Line 117

    Code: Select all

    
    		$word_id = ( isset($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : 0;
    
    REPLACE WITH

    Code: Select all

    
    		$word_id = ( isset($HTTP_POST_VARS['id']) ) ? intval($HTTP_POST_VARS['id']) : 0;
    
  4. FIND - Line 154

    Code: Select all

    
    		if( isset($HTTP_POST_VARS['id']) ||  isset($HTTP_GET_VARS['id']) )
    		{
    			$word_id = ( isset($HTTP_POST_VARS['id']) ) ? $HTTP_POST_VARS['id'] : $HTTP_GET_VARS['id'];
    
    AFTER, ADD

    Code: Select all

    
    			$word_id = intval($word_id);
    
  • admin/pagestart.php[/color][/size]
  1. FIND - Line 59

    Code: Select all

    
    	redirect($url);
    
    REPLACE WITH

    Code: Select all

    
    	redirect("index.$phpEx?sid=" . $userdata['session_id']);
    
  • includes/bbcode.php[/color][/size]
  1. FIND - Line 284

    Code: Select all

    
    	$text = preg_replace("#\[img\]((ht|f)tp://)([^\r\n\t<\"]*?)\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
    
    REPLACE WITH

    Code: Select all

    
    	$text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
    
  • includes/functions_search.php[/color][/size]
  1. FIND - Line 201

    Code: Select all

    
    						$value_sql .= ( ( $value_sql != '' ) ? ', ' : '' ) . '(\'' . $word[$i] . '\', 0)';
    						break;
    					case 'mssql':
    
    AFTER, ADD

    Code: Select all

    
    					case 'mssql-odbc':
    
  2. FIND - Line 226

    Code: Select all

    
    						VALUES $value_sql"; 
    					break;
    				case 'mssql':
    
    AFTER, ADD

    Code: Select all

    
    				case 'mssql-odbc':
    
  • includes/usercp_register.php[/color][/size]
  1. FIND - Line 180

    Code: Select all

    
    	$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );
    
    REPLACE WITH

    Code: Select all

    
    	$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarselect']) : ( ( isset($HTTP_POST_VARS['avatarlocal'])  ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );
    
Post Reply

Return to “Announcements”