Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: phpBB 2.0.22 - upgrade time SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
phpBB 2.0.22 - upgrade time
phpBB had an early X-mas gift in the form of a release of phpBB 2.0.22. The release fixes a number of security issues as well as functional issues. The security issues can be summarized as:
  • Check for the avatar upload directory reinforced
  • Changes to the criteria for "bad" redirection targets
  • Fixed a non-persistent XSS issue in private messaging
  • Fixing possible negative start parameter
  • Added session checks to various forms
Considering the past exploitation of phpBB vulnerabilites, it might be best not to postpone this upgrade till after the holidays and get to it now.

Don't forget to upgrade both the files and run the script as well as applying the patch to the subSilver template in any derived template you might have.

--
Swa Frantzen -- Section 66
Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!