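2.0.12 mainly fixes the security issues in 2.0.11, including SQL injection.
(How is it that phpBB still doesn't seem to have completely gotten clear of this landmine?!)
The changes between 2.0.12 and 2.0.11 are as follows (quoted from the official phpBB announcement):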
- Added confirm table to admin_db_utilities.php
- Prevented full path display on critical messages
- Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug – AnthraX101
- Added exclude list to unsetting globals (if register_globals is on) – SpoofedExistence
- Fixed arbitrary file disclosure vulnerability in avatar handling functions – AnthraX101
- Fixed arbitrary file unlink vulnerability in avatar handling functions – AnthraX101
- Removed version number from powered by line
- Merged database update files to update_to_latest.php file
- Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
- Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug – matrix_killer
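However, the files the official team put on SourceForge all seem to be broken; 竹貓星球 has posted their own mirror (quoted from "[Announcement] phpBB 2.0.12 officially released (security update)"):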