Today we’re announcing the release of phpBB 3.2.8. This release is dedicated to the memory of Maria Wilhelmina Theodora 'Marian' Verhoog-Wienk [08 October 1958 - 18 September 2019], who you may know as marian0810. Rust in vrede, Marian.
This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on two seperate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.
For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.
The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.
In order to help the support team in assessing issues in phpBB, we have now disabled the uninstallation of prosilver. Prosilver can however still be deactivated.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.8
and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15090
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, Dark❶, Jakub Senko, mrgoldy, rxu, Christian Schnegelberger, EA117, kasimi, JoshyPHP, Casey Peel, Nekstati, Nuno Lopes, cclauss, espipj, kinerity
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team