phpBB 2.0.15 released !

先貼 2.0.13 跟 2.0.14 的變動 :

  • Hardened author and keyword search a bit to not allow very server intensive searches
  • Fixed full path disclosure in bad word parsing
  • Resetting complete userdata array in session code if authentication fails
  • Fixed bug in moderator control panel where certain parameters could lead to an “error creating new session” sql error
  • Fixed bug in session code where empty page ids could lead to an “error creating new session” sql error
  • Fixed html handling in signatures if html is turned off globally
  • Fixed install.php problem with PHP5 register_long_arrays option turned off
  • Fixed potential issues with styling system
  • Added correct class to login_body template file
  • Removed file db/oracle.php from package
  • Removed version number from message body page in /admin (if user is not an admin) – mikelbeck
  • Fixed case-sensitivity issues in postgres7.php – R45

2.0.15 修正了安全性問題, includes/bbcode.php 的這段 :

   global $lang, $bbcode_tpl;

下面加進這行 :

$text = preg_replace("#(script|about|applet|activex|chrome):#is", "\1:", $text);

另外是這段 :

function make_clickable($text)

下面加進這行 :

$text = preg_replace("#(script|about|applet|activex|chrome):#is", "\1:", $text);

所以總共有這些變動 :

  • Fixed moderator status removal in groupcp.php
  • Removed newlines after ?> on some files – Thoul
  • Added admin re-authentication (admin needs to login seperatly to access the ACP) – backported from Olympus
  • Fixed vulnerability in url/bbcode handling functions – PapaDos and Paul/Zhen-Xjell from CastleCops
  • Fixed issue in admin/admin_forums.php
  • Suppressed warning message for fsockopen in /includes/smtp.php – Thoul
  • Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) – Exy
  • Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
  • Updated the readme file
  • Added one new language variable
  • Added general error if accessing profile for a non-existent user
  • Changed session id generation to be more unique – Henno Joosep
  • Fixed bug in highlight code to escape characters correctly
  • Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
  • Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
  • Fixed bypassing of validate_username on registration – Yen
  • Empty url/img bbcodes no longer get parsed

竹貓星球 也有這兩篇公告 :
[2005/04/25] phpBB 2.0.14 安全性修正版(包含更新檔)
[2005/05/08] phpBB 2.0.15 安全性修正版本