phpBB 3.3.16 Release - Please update

Kygo Founder
Founder
Founder
Posts: 339
Joined: 26 Sep 2024, 22:31
Has thanked: 3 times
Been thanked: 31 times
Contact:
    Windows 10 Edge
Apr 2026 28 15:34

phpBB 3.3.16 Release - Please update

Post by Kygo Founder

Greetings everyone,

We are pleased to announce the release of phpBB 3.3.16 “Bertie in scrubs”. This version is a maintenance and security release of the 3.3.x branch which fixes three security issues, introduces a number of improvements aimed at enhancing the user experience and overall stability of the software and resolves some issues noticed in previous releases.

In previous versions, phpBB has been relying on information from the webserver to build the password reset link URL. Depending on the phpBB and server configuration, these might not be properly filtered, which could result in attacker-controlled URLs being sent as the password reset email URL. We’d like to thank Seong Hun Jeong (HunSec) for reporting this issue to us on HackerOne.

Furthermore, improper access checks when quoting posts in private messages allowed users access to posts that are marked as soft-deleted or unapproved even if those are not normally visible to the respective users. Another issue with improper form key checks in the report post functionality was noticed, which could potentially be used to submit reports on behalf of a user without the user’s consent or intention. We’d like to thank the GitHub Security Lab Team for reporting these two issues to us.

In addition to these, an improper check while marking board notifications read was discovered. This could potentially be used to alter the read state of board notifications for other users. We’d like to thank Liao Shuang for reporting this issue to us.

Additional hardening for downloading attachments was added with improved handling of non-rasterized images to prevent possible XSS attacks on misconfigured web servers.

The improvements in phpBB 3.3.16 include the reintroduction of authentication for RSS/Atom feeds as well as adding the ability to restart the installer, e.g. in case of issues during the install process.

Notable bug fixes in this release are additional fixes for displaying posts in ascending order that could have resulted in non-chronological order, issues with reverting some migrations, and a potential fatal error when downloading files with a specific byte range. Additionally, the WHOIS lookup requests stopped returning details such as country or provider. With the adjustments phpBB is now compatible with the current state of ARIN/RIPE services and will return these details again.


The full list of changes is available in the changelog file within the docs folder contained in the release package. You can find the key highlights of this release below and a list of all issues fixed on our tracker at https://tracker.phpbb.com/issues/?filter=16890

The packages can be downloaded from our downloads page.

The development team thanks everyone who contributed code to this release: Matt Friedman, rxu, Kailey M. Snay, battye, Daniel James, Christian Schnegelberger, LukeWCS, Neo-CTC, IdfbAn, Patrick Webster, Robert Korulczyk, cabot

If you have any questions or comments, we'll be happy to address them in the discussion topic.

- The phpBB Team
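
The password reset link issue described in the announcement above belongs to a well-known class: a link mailed to a user is assembled from request-supplied server variables instead of from configuration. The following is an added example, not phpBB's own code and not part of the original post; the configuration keys, function names and the `/reset` path are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical board configuration: the canonical origin is set by the
// administrator and is never derived from the incoming request.
const BOARD_CONFIG = [
    'server_protocol' => 'https://',
    'server_name'     => 'forum.example.org',
    'script_path'     => '/',
];

// Weak pattern: the host is taken from request-supplied server variables,
// so whatever Host header reaches PHP ends up in the mailed link.
function reset_link_from_request(array $server, string $token): string
{
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? 'localhost';
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Hardened pattern: the origin comes only from configuration.
function reset_link_from_config(array $config, string $token): string
{
    $base = rtrim(
        $config['server_protocol'] . $config['server_name'] . $config['script_path'],
        '/'
    );
    return $base . '/reset?token=' . rawurlencode($token);
}

// Defence in depth: reject requests whose Host header (port stripped)
// does not match the configured server name.
function host_matches_config(array $server, array $config): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = (string) preg_replace('/:\d+$/', '', $host);
    return $host !== '' && $host === strtolower($config['server_name']);
}

// Constructed sample request carrying a Host header that differs from
// the configured server name.
$request = ['HTTP_HOST' => 'other.example', 'SERVER_NAME' => 'forum.example.org'];
$token   = bin2hex(random_bytes(16));

echo reset_link_from_request($request, $token), PHP_EOL;
echo reset_link_from_config(BOARD_CONFIG, $token), PHP_EOL;
var_dump(host_matches_config($request, BOARD_CONFIG));
```

The same rule applies at the web server: a default virtual host that answers for arbitrary host names is what lets an unexpected Host value reach the application in the first place.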

Apr 2026 28 15:34

Re: phpBB 3.3.16 Release - Please update

Post by Kygo Founder

Release highlights

Security Issues
- Password Reset Link Poisoning: SECURITY-285
- IDOR when composing PMs: SECURITY-286
- CSRF on report submission: SECURITY-287
- Cross-User Notification Read State Manipulation: SECURITY-290

Notable Improvements
- Reintroduction of authentication for feeds: https://tracker.phpbb.com/browse/PHPBB-15085
- Restart link in the installer: https://tracker.phpbb.com/browse/PHPBB-15007
- Additional hardening against non-rasterized image uploads: SECURITY-289

Notable Bugfixes
- Ascending posts pagination: https://tracker.phpbb.com/browse/PHPBB-17491
- Issues with reverting migrations: PHPBB-17533
- Fatal error when downloading file with specific byte range: PHPBB-17580
- Issues with Whois lookup due to ARIN/RIPE changes: PHPBB-17477

Apr 2026 28 15:35

Re: phpBB 3.3.16 Release - Please update

Post by Kygo Founder

Event changes

PHP Events
core.memberlist_modify_memberrow
Placement: memberlist.php
Arguments: memberrow, row, user_id
Added in Release: 3.3.16-RC1
Explanation: Modify the memberrow data before template variables are assigned.

Template Events
ucp_pm_viewmessage_message_content_before
Prosilver Placement: ucp_pm_viewmessage.html
Added in Release: 3.3.16-RC1
Explanation: Add content before the private message text

ACP Template Events
acp_forums_cat_options_append
Placement: acp_forums.html
Added in Release: 3.3.16-RC1
Explanation: Add additional settings to a forum type 'category' within 'General forum settings' fieldset

acp_forums_cat_options_prepend
Placement: acp_forums.html
Added in Release: 3.3.16-RC1
Explanation: Add additional settings to a forum type 'category' within 'General forum settings' fieldset

acp_forums_link_options_append
Placement: acp_forums.html
Added in Release: 3.3.16-RC1
Explanation: Add additional settings to a forum type 'link' within 'General forum settings' fieldset

acp_forums_link_options_prepend
Placement: acp_forums.html
Added in Release: 3.3.16-RC1
Explanation: Add additional settings to a forum type 'link' within 'General forum settings' fieldset
