Opdatering af forum software Emnet er løst

Kan vi gøre det bedre? Her kan du give dit input.
Besvar
Brugeravatar
Carsten S
Site Admin
Indlæg: 1273
Tilmeldt: ons 8. feb 2017 20:33
Geografisk sted: 8653 Them
Diagbox: Ja
Version: 8.xx
Kontakt:

Opdatering af forum software

Ulæst indlæg af Carsten S » søn 29. dec 2019 07:51

Igen igen - Ca. 20 minutters nedetid, og vi er på version 3.2.8. :auto-driving:

Det er primært sikkerhedshuller der er blevet lukket;
This version is a maintenance and security release of the 3.2.x branch which fixes three security issues, introduces further hardening, and resolves various issues reported in previous versions.
Previous versions of phpBB did not properly enforce form tokens on two seperate pages which could have been used to trick users into carrying out unwanted actions. We’d like to thank kevinoclam (via HackerOne) and Yuval Kanarenstein of SecuriTeam Secure Disclosure for their report and responsible disclosure. The issues have been assigned CVE-2019-16107 and CVE-2019-13376 respectively.
In addition to this, improper validation of BBCode parameters allowed modifying the style attribute and injecting arbitrary CSS into the page. We’d like to thank Hanno Böck for his report and responsible disclosure. The issue has been assigned CVE-2019-16108.

For further hardening phpBB against potential attacks, we have integrated the Referrer-Policy header and disabled the MySQLi local infile setting. The Referrer-Policy header will prevent sending any kind of referrer information to less secure destinations or third party sites while disabling the MySQLi local infile setting will prevent MySQL servers from potentially requesting local files from the client side. These changes were introduced based on input received from Akash Methani and LoRexxar @ knownsec 404Team respectively.

The fixed issues include, among others, multiple issues with OAuth logins, improved login form token check that should now work in all templates, restoring the ability to restore database backups, and support for newer TLS versions for SMTP connections on the latest PHP versions.
Searching for users by their last visit time has been modified to prevent potentially unwanted results from showing up.
2001 Citroën C5 V6 Aut.
Diagbox V8.xx, V9.xx original, VCDS, Ford/Mazda IDS, Volvo VIDA, Actia MultiDiag 2018.

Besvar