phpBB gets update to counter security hole caused by introduction of feeds

A security issue was introduced with phpBB 3.07 which allowed users to bypass permission settings if any of the following conditions were met:

  • Feeds are enabled
  • Any of the posts or topics feeds are enabled
  • The unauthorised user – or one of the groups they are a member of – have forum permissions set on a private forum
  • If you have excluded a forum from the list of forums that provide feeds, it is unaffected

The full announcement:

We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7, unfortunately the issue wasn't noticed during testing and has only surfaced a week after the release of 3.0.7.

We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1.

You can do so by downloading the latest release from their website.