phpBB 3.0.7-PL1 released to address a security issue in 3.0.7

March 6, 2010
By MasPoster

A few days after the release of phpBB 3.0.7, phpBB released 3.0.7-PL1 to address a security issue that was introduced in 3.0.7. The issue wasn’t noticed during testing and only surfaced a week after the release of 3.0.7.

phpBB advises everyone who has already updated to 3.0.7 that it is of critical importance to update to 3.0.7-PL1.

A critical bug in the permission handling for feeds in 3.0.7 makes it possible for users to bypass permission settings under the following circumstances:

  • Feeds are enabled
  • Any of the posts or topics feeds are enabled
  • The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
  • If the user has excluded a forum from the list of forums that provide feeds, it is unaffected

phpBB recommends using the regular update routine rather than manually editing files. The phpBB board will not recognize the update if the board was edited manually.
