Posted almost 6 years ago by Marc
Greetings everyone,
Today we’re announcing the release of phpBB 3.2.8. This release is dedicated to the memory of Maria Wilhelmina Theodora 'Marian' Verhoog-Wienk [08 October 1958 - 18 September 2019], who you may know as marian0810. Rest in peace, Marian.
This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on two separate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.
For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.
The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.
In order to help the support team in assessing issues in phpBB, we have now disabled the uninstallation of prosilver. Prosilver can however still be deactivated.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.8 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=15090
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, Dark❶, Jakub Senko, mrgoldy, rxu, Christian Schnegelberger, EA117, kasimi, JoshyPHP, Casey Peel, Nekstati, Nuno Lopes, cclauss, espipj, kinerity
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted about 6 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.7 "Bertie’s Force Field". This version is a maintenance release of the 3.2.x branch which resolves issues reported in previous versions.
The fixed issues include, among others, issues with form token validation during login, the inability to change topic types after posting, an issue with viewing private message folders, and potentially incorrectly shortened URL links when using the [url=] BBCode.
Full backwards compatibility for styles released before phpBB 3.2.6 has been introduced, which will enable logins even though these styles have not yet been updated with the latest style changes.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.7 and a list of all issues fixed on our tracker at Issues fixed in 3.2.7
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: JoshyPHP, Matt Friedman, mrgoldy, EA117
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted about 6 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.6 "You Know Nothing, Bertie Snow". This version is a maintenance and security release of the 3.2.x branch which fixes two security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB allowed users to run searches that might result in long execution times and load on larger boards when using the fulltext native search engine. To combat this, we have now introduced further restrictions on search queries. We’d like to thank Snover for his report and responsible disclosure. The issue has been assigned CVE-2019-9826.
In addition to this, another edge case that allowed testing for the existence of files and services on the local network of the host using the remote avatar functionality was resolved. Due to the nature of the remote avatar functionality, it’s not possible to cover all potential accesses to the local network. Therefore we have decided to deactivate this feature in this update and admins will be shown a warning of the potential side effects in the Admin Control Panel if they want to re-enable it. The functionality itself will be removed in the next minor feature release. We’d like to thank Do Ha Anh of Viettel Cyber Security for his report and responsible disclosure.
The hardening introduced includes, among others, the removal of the functionality to download database backups, further validation on administrative input in the Admin Control Panel, and the addition of form tokens to the login box. Most of these changes have been introduced to reduce the potential impact of admin account compromises or rogue administrators.
In our endeavours to deliver the most secure forum solution we have decided to further our reach in the security industry by joining the security platform HackerOne.
Some of the security improvements in this release are already the result of running a pilot program. We’ll soon change to a public program to allow submissions from everyone and add another way to easily report security issues. Until then security issues can be reported to the Security Tracker or by emailing to security [at] phpbb.com.
The fixed issues include, among others, support for cookies on domains with special chars, support for the Q&A plugin on MySQL 5.7, as well as preventing the installation of phpBB 3.2 on PHP 7.3. Full PHP 7.3 compatibility will be included in phpBB 3.3.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.6 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14992
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3D-I, mrgoldy, battye, Jakub Senko, kasimi, GanstaZ, jasonmarlin, AJ Quick, Alec, JoshyPHP, dhruveshk, rxu, Alfredo Ramos, Dark❶, Nuno Lopes
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted over 6 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.5 "Bertie's Secret Santa". This version is a maintenance release of the 3.2.x branch which fixes various issues reported in previous versions.
The fixed issues include, among others, a BBCode parsing regression in the generate_text_for_display() function, a missing variable cast on the ACP extensions page, as well as a fix to how the assets version gets appended to JavaScript files included via INCLUDEJS.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.5 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14890
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: 3Di, rxu, Alec, hubaishan, Dark❶, Jakub Senko, Jim Mossing Holsteyn, Vinny
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted over 6 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.4 "Bertie's ‘stache". This version is a maintenance and security release of the 3.2.x branch which fixes one security issue and various issues reported in previous versions.
The security issue was discovered with a new exploitation technique called Phar deserialization. An attacker with control over a founder admin account could escalate to remote code execution by abusing PHP’s default unserialization of metadata in Phar files. More information about this technique can be found here.
In order to fix this issue we’ve removed the ability to define absolute paths in the Admin Control Panel. This resulted in the removal of setting the ImageMagick path, so make sure to have the GD image library available instead. A new event to generate thumbnails was added as replacement, so you’re able to write an extension that uses a different image library to generate thumbnails. We would like to thank Simon Scannell and Robin Peraglie of RIPS Technologies for their report and responsible disclosure. The issue has been assigned CVE-2018-19274.
The fixed issues include, among others, compatibility issues with PHP 7.2 and issues with removing users from the newly registered user group more than once.
Among the notable changes are the addition of the list-unsubscribe header to emails sent by phpBB and the ability to reset your password without entering the username.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.4 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14790
The packages can be downloaded from our downloads page.
We recommend following these update instructions for updating your instance of phpBB.
The development team thanks everyone who contributed code to this release: Jakub Senko, MikelAlejoBR, kasimi, Zoddo, v12mike, hubaishan, 3D-I, Matt Friedman, Kailey Truscott, Alec, Alex Miles, Andrii Afanasiev, Anssi Johansson, DSR!, Daniel, Dark❶, David Colón, Ioannis Batas, Jim Mossing Holsteyn, Serge Skripchuk, Toxyy, rxu
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted almost 7 years ago by hanakin
In 2007 phpBB stepped into a new era with its release of the now infamous “prosilver” theme. One decade ago we pushed the envelope of what a forum should look like, how it should function, and how we build and customise themes. This year we are announcing our plans to go where no forum has […]
Posted almost 7 years ago by Marc
Greetings everyone,
We are pleased to announce the release of phpBB 3.2.3 "Bertie's long summer". This version is a maintenance release of the 3.2.x branch which fixes various issues reported in previous versions.
The fixed issues include, among others, problems when submitting posts with more than one attachment, migrations failing when updating from versions prior to phpBB 3.2.2 and PHP warnings being displayed when editing signatures in the ACP.
Notable changes are the dropped support for HHVM (HipHop Virtual Machine) and more prominent links to privacy policy and the terms of use.
The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release on the wiki at https://wiki.phpbb.com/Release_Highlights/3.2.3 and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=14490
The packages can be downloaded from our downloads page.
The development team thanks everyone who contributed code to this release: rxu, hubaishan, JoshyPHP, Rubén Calvo, Akbar, Anssi Johansson, Daniel Mota, Daniel Sinn, FH, GerB, Zoddo, canonknipser, scootergrisen
If you have any questions or comments, we'll be happy to address them in the discussion topic.
- The phpBB Team
Posted about 7 years ago by Noxwizard
As per the previous announcement, support for phpBB 3.1.x has now ended.
The support forums have been locked, but are still available in a read-only form for reference in the phpBB Archives section of this board. All download links for phpBB 3.1.x will be removed shortly. If you still need those packages, you will be able to obtain them from SourceForge or download.phpbb.com.
While support for 3.1.x will not be available, support for converting to 3.2.x will still be available.
For those who receive support from an international support site, they will dictate their own support schedules and you should seek information from them.
Posted over 7 years ago by Marshalrusty
Hi all,
We're super excited to be participating in the Google Summer of Code program for the fifth time. The GSoC program gives students a unique opportunity to work with mentors from established open source projects over the summer months. We had a great time taking part in 2017, 2014, 2013, and 2012.
The student application deadline is coming up fast, but you still have two more days to submit or finalize a proposal! We're actively standing by to assist anyone having trouble, so please reach out to our team. The best way to do that is via IRC.
A list of suggested ideas can be found here: https://www.phpbb.com/development/gsoc/ideas/
Thanks!
The phpBB Team
Posted over 7 years ago by Marshalrusty
Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.
The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload.
During the course of our investigation, we were able to take steps that should render the malicious code completely inoperable. However, in the unlikely event that multiple versions of the packages exist or that something was missed, we are choosing to leave nothing to chance.
As the packages were live for only three hours, we believe that a very small number of users are affected. We therefore ask that you perform the following steps so that we may render personalized assistance:
If you believe that you have a malicious package, please email it to [email protected] so that we can check it against the version we obtained. We will likewise let you know if it is affected. You may also use the SHA256 checksum found on the downloads page to verify its validity. Do not use the potentially affected package.
If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code.
The downloads currently available on the downloads page are safe. If you have any doubts whatsoever, download a fresh copy.
Our investigation is ongoing and we will provide additional information as it becomes available.
Thank you,
The phpBB Team
-----
You may discuss this announcement in its discussion topic.
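The checksum verification the announcement asks for, as an added example that is not part of the original post or of phpBB's own tooling. It assumes sha256sum or shasum is installed; the file names, contents and digests it uses are constructed placeholders, not real package values.

```shell
#!/bin/sh
# Added example (not phpBB's own code): check a downloaded package against the
# SHA256 published on the downloads page before unpacking or installing it.

# Print the lowercase hex SHA256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package <file> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing. Never unpacks.
verify_package() {
    file=$1
    # Published digests may be upper or lower case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ ! -f "$file" ]; then
        echo "ERROR: no such file: $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file does not match the published SHA256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    echo "  Do not install this package; download a fresh copy." >&2
    return 1
}

# Demonstration on constructed files standing in for a real package download.
demo_dir=$(mktemp -d)
printf 'constructed package contents\n' > "$demo_dir/phpBB-constructed.zip"
good=$(sha256_of "$demo_dir/phpBB-constructed.zip")   # stands in for the published digest
verify_package "$demo_dir/phpBB-constructed.zip" "$good"
# A modified copy of the archive fails the check and must not be used:
printf 'constructed package contents, modified\n' > "$demo_dir/phpBB-tampered.zip"
verify_package "$demo_dir/phpBB-tampered.zip" "$good" || echo "tampered copy rejected"
rm -rf "$demo_dir"
```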