phpBB upgrade to 2.09

[darlin]

For all phpBB users, phpBB upgraded to version 2.09 to address several vulnerabilities and general fixes.

What has changed in this release?

This changelog is included with all archives:



Fixed one vulnerability in admin_board.php - Xore

Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski

Fixed injection vulnerabilities possible with linked avatars

Implemented unsetting globalised variables

Limited confirm switch to POST variable in posting

Changed IP code in common.php to prevent IP spoofing

Updated visual confirmation mod [pre-edited files]

Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45

Added the ability to link to https/ftps sites using the img bbcode tag

Fixed user online information in admin/index.php

Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman

Fixed use of non-existing result variable in modcp (poster_id instead of user_id)

Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind

Fixed problem with SID not delivered to next page in groupcp.php

[waferdog]

Thanks for the info.

Have you upgraded before? Which method do you use? Specifically, do you have mods installed?

I have a lightly modded 2.0.6 board. I have been hesitant to upgrade up to this point due to the mods. Any experiences? Any advice?

[darlin]

Thanks for the info.

Have you upgraded before? Which method do you use? Specifically, do you have mods installed?

I have a lightly modded 2.0.6 board. I have been hesitant to upgrade up to this point due to the mods. Any experiences? Any advice?

I use the changed file package. After I unzip, I find my version, for example 2.06_to_2.09.zip, and I unzip it to a folder I created on my PC. Also, when you first unzip the changed file package, there will be 4 folders: cache, contrib, docs and install. You will want to upload those folders, and overwrite the exsiting ones.
*Note* Do not delete your config.php file.

You'll want to open each of the folders that is in the zip file, 2.06 _to_2.09 directory, and select all the files, and upload those files to the corresponding directory on your server, since all files did not change, the folders only consist of the changed files. After you finish uploading all of the changed files, you will need to navigate to your forum, and add this to the end of the url: install/update_to_209.php. This will upgrade your forum.


If you have any mods, some may be gone after the upgrade, but if you have any mods that you had to create tables for, the tables will still be there. The only thing you will need to do is just mod the files again and upload them.

Just take your time getting the mods added back. It shouldn't take that long, but don't get in rush.

[waferdog]

Well, I have been thinking of using the patch upgrade method, as that seems designed for folk with mods, but of course that is a new process for me.

I have also had the thought of waiting for phpBB 2.2 to come out and upgrade then.

One of these I will make a decision.

[darlin]

Well, I have been thinking of using the patch upgrade method, as that seems designed for folk with mods, but of course that is a new process for me.

I have also had the thought of waiting for phpBB 2.2 to come out and upgrade then.

One of these I will make a decision.

If the upgrade didn't consist of fixes for vulnerabilities, I'd wait too, but since there's a few on there that concern me, I would upgrade.