
SANS ISC: InfoSec Handlers Diary Blog



phpBB 2.0.22 - upgrade time

Published: 2006-12-24
Last Updated: 2006-12-24 00:06:02 UTC
by Swa Frantzen (Version: 1)
phpBB had an early X-mas gift in the form of a release of phpBB 2.0.22. The release fixes a number of security issues as well as functional issues. The security issues can be summarized as:
  • Check for the avatar upload directory reinforced
  • Changes to the criteria for "bad" redirection targets
  • Fixed a non-persistent XSS issue in private messaging
  • Fixing possible negative start parameter
  • Added session checks to various forms
Considering the past exploitation of phpBB vulnerabilities, it might be best not to postpone this upgrade until after the holidays, and to get to it now.

Don't forget to both upgrade the files and run the script, and to apply the patch to the subSilver template in any derived template you might have.

--
Swa Frantzen -- Section 66
Keywords: phpBB