This is a non-exhaustive (but still near complete) changelog for phpBB 2.0.x including beta and release candidate versions. Our thanks to all those people who've contributed bug reports and code fixes.
1.i. Changes since 2.0.15
Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
URL descriptions can again be wrapped over more than one line
Fixed bug with eAccelerator in admin_ug_auth.php
Check new_forum_id for existence in modcp.php - alessnet
Prevent uploading avatars with no dimensions - Xpert
Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar information within the database - HenkPoley
Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set
1.ii. Changes since 2.0.14
Fixed moderator status removal in groupcp.php
Removed newlines after ?> on some files - Thoul
Added admin re-authentication (admin needs to login separately to access the ACP) - backported from Olympus
Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
Fixed issue in admin/admin_forums.php
Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
Updated the readme file
Added one new language variable
Added general error if accessing profile for a non-existent user
Changed session id generation to be more unique - Henno Joosep
Fixed bug in highlight code to escape characters correctly
Reversed the 2.0.14 fix for postgresql because it produced more problems than it solved.
Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
Fixed bypassing of validate_username on registration - Yen
Empty url/img bbcodes no longer get parsed
1.iii. Changes since 2.0.13
Hardened author and keyword search a bit to not allow very server intensive searches
Fixed full path disclosure in bad word parsing
Resetting complete userdata array in session code if authentication fails
Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
Fixed html handling in signatures if html is turned off globally
Fixed install.php problem with PHP5 register_long_arrays option turned off
Fixed potential issues with styling system
Added correct class to login_body template file
Removed file db/oracle.php from package
Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
Fixed case-sensitivity issues in postgres7.php - R45
1.iv. Changes since 2.0.12
Suppressed preg_replace warning in viewtopic caused by incorrect behaviour of preg_quote in PHP - originally reported by matrix_killer, fix submitted by another party
Fixed high severity issue in session handling allowing anyone to gain administrator rights. Please update as soon as possible.
Minimum requirements raised to PHP 4.0.3 or above because the vulnerability fixes break PHP3 compatibility.
1.v. Changes since 2.0.11
Added confirm table to admin_db_utilities.php
Prevented full path display on critical messages
Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
Merged database update files to update_to_latest.php file
Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer
1.vi. Changes since 2.0.10
Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
Fixed unsetting global vars - Matt Kavanagh
Fixed XSS vulnerability in username handling - AnthraX101
Fixed unconfirmed SQL injection in username handling - warmth
Added check for empty topic id in topic_review function
Added visual confirmation mod to code base
1.vii. Changes since 2.0.9
Fixed deleting of styles in admin_styles.php
Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
Added code to let phpBB work with PHP5 for those with register_long_arrays set to off (the default setting) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
Fixed bug in admin_board.php for board settings containing single quotes
Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
Fixed forum jumpbox propagating session id in moderator control pages
Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
Fixed visual confirmation code. The image was not created due to a wrong regular expression.
1.viii. Changes since 2.0.8
Fixed one vulnerability in admin_board.php - Xore
Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
Fixed injection vulnerabilities possible with linked avatars
Implemented unsetting globalised variables
Limited confirm switch to POST variable in posting
Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
Updated visual confirmation mod [pre-edited files]
Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
Added the ability to link to https/ftps sites using the img bbcode tag
Fixed user online information in admin/index.php
Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
Fixed problem with SID not delivered to next page in groupcp.php
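The 2.0.9 entry about checking redirect targets for newlines and the 2.0.8 entry about restricting session id characters both come down to the same defensive pattern: validate an attacker-influenced value against a strict shape before it reaches a response header, a query or a generated link. The following PHP is an added illustration of that pattern, not phpBB's own code. It assumes the redirect target is a relative on-site path and that a session id has the 32-character hexadecimal shape of an md5() digest; both shapes are assumptions for the example, and the sample inputs are constructed.

```php
<?php
// Illustrative example (not phpBB code). Two input checks of the kind the
// changelog entries describe, written from the validating side.

// Return a redirect target that is safe to place in a "Location:" header.
// A raw or percent-encoded CR/LF in the value could terminate the header and
// start a new header or a second response (HTTP response splitting), so any
// such value is rejected outright and replaced by a fixed fallback.
function safe_redirect_target($target, $fallback = 'index.php')
{
    if (!is_string($target) || $target === '') {
        return $fallback;
    }
    // Reject rather than strip: a value that needed cleaning is not trusted.
    if (preg_match('/[\r\n]|%0[ad]/i', $target)) {
        return $fallback;
    }
    // Keep the redirect on-site: no scheme ("http:", "javascript:") and no
    // protocol-relative form ("//host/..."). Assumed policy for this example.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:|^//#i', $target)) {
        return $fallback;
    }
    return $target;
}

// Accept only a 32-character lowercase hex string as a session id (assumed
// md5()-shaped id). Anything else is treated as "no session id", so the
// value never reaches SQL or an emitted URL unvalidated.
function valid_session_id($sid)
{
    return is_string($sid) && preg_match('/^[a-f0-9]{32}$/', $sid) === 1;
}

// Constructed sample inputs for demonstration.
$redirect_samples = array(
    'viewtopic.php?t=1',
    "viewtopic.php?t=1\r\nSet-Cookie: injected=1",
    'viewtopic.php?t=1%0d%0aLocation:%20http://example.invalid/',
    'http://example.invalid/',
);
foreach ($redirect_samples as $s) {
    echo json_encode($s), ' => ', safe_redirect_target($s), "\n";
}

$sid_samples = array(md5('constructed'), 'abc', "' OR 1=1 --", strtoupper(md5('x')));
foreach ($sid_samples as $sid) {
    echo json_encode($sid), ' => ', (valid_session_id($sid) ? 'accepted' : 'rejected'), "\n";
}
```

Only the first redirect sample survives; the two header-splitting attempts and the off-site URL all fall back to `index.php`, and only the lowercase md5-shaped session id is accepted. PHP releases since 5.1.2 refuse to emit a header containing a newline, but validating at the point where the value is read is still the right place to fail: it covers every later use of the value, not just `header()`, and it is what lets the off-site check live alongside it.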
1.ix. Changes since 2.0.7
Fixed several vulnerabilities in admin pages
Fixed sid checking code in admin/pagestart.php
Fixed injection vulnerabilities possible with the img bbcode tag
Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
Fixed redirect problems - 2.0.7a
Fixed sql injection vulnerability in search - 2.0.7a
Fixed sql injection vulnerability in privmsg - 2.0.8a
1.x. Changes since 2.0.6
Fixed several vulnerabilities in modcp - Robert Lavierck
Changed whois lookup address within admin index
Fixed potential vulnerability in viewtopic postorder - 2.0.6d
Updates to cope with Zend Optimizer 2.5 problems - 2.0.6d - jetset
Force specialcharing of redirect variable in login - Pit
Fixed potential vulnerability in viewtopic postdays - GulfTech Security Research
Fixed potential vulnerability in viewforum topicdays - GulfTech Security Research
Fixed potential vulnerability in modcp
Fixed potential vulnerability in avatar gallery
1.xi. Changes since 2.0.5
Fixed various email issues
Fixed registration email bug with Administrator Confirmation used
Fixed mass emailer
Fixed long post time issue
Fixed bug with usernames containing single quotes
Fixed word list bug - Word boundaries were not considered
Fixed vulnerability in style admin
Fixed sql injection vulnerability in viewtopic
Fixed vulnerability allowing server side variable access in search - tendor
Fix problems with posts being truncated if containing < and > characters
Prevent URL, BBCode and most smiley parsing in [code][/code]
Fix problems with use of certain reserved chars in word censor list
Fix default search usage to be as described (was doing AND by default)
Fix various avatar issues with profile, gallery and viewtopic
Enable safe mode support for uploading avatars
Fix broken modcp IP view issue
Fix potential session_id re-write vulnerability
Finish localisation of days and months (AM/PM are not and will not be localised in 2.0)
Remove link to external subSilver stylesheet from default subSilver templates
Handle TRANSACTIONS correctly in MySQL 3.x (by returning correct responses)
Fix checkbox resetting problem while previewing posts
Fix a login redirect issue
Remove some additional unused fields during upgrade
Fix (hopefully) remaining ICQ overlay issue with view profile in subSilver
1.xix. Changes since RC-2
Fixed infamous install parse error
Major update of posting and related search functions (fixing various issues and increasing speed)
Fixed display of author and last poster names when both are different guest users
Fixed upgrade stall issues (hopefully!) and improved output
Fixed highlighting code for viewtopic and search
Reduced size of several files and functions
Moved localised images to sub-directories
Improved user feedback of disallowed usernames
Fixed various MSSQL bugs
Fixed installation of MSSQL/MSSQL-ODBC
Fixed security issue with upgrade.php
Finished implementation of various additional features
Fixed various user, group and forum permissions problems
Fixed issues with BBCode [ and ] (hopefully!)
Fixed autologin problems with MS IIS
Hopefully fixed problems with URIs in emails on some server configs
Fixed 'blank' profile and DB utilities problems on submit
Fixed incorrect language being used in email subjects
Fixed issues with incorrect private message new/unread counts
Fixed various PostgreSQL related errors
Automatically forward users to login screen in more situations
Enabled (coloured) online indication of moderators and admins
Enabled maximum online user count
Altered online user count to ignore duplicate IPs (will now underestimate rather than overestimate)
Enabled viewing of users browsing each forum
Fixed (hopefully) display of overlayed ICQ icon in Netscape using subSilver
Fixed display of guest usernames for last post and author
Hidden usergroups are now completely hidden from view
1.xx. Changes since RC-1
Fixed numerous PostgreSQL related issues
Significant updates and additions to the upgrade script
Various (missed) hard coded language strings fixed
Fixed viewforum error when no forum id specified
Fixed old constant name usage in search system
Fixed display of moved posts when viewing unanswered posts
Fixed failure of search for user and keyword when displaying as posts
Fixed PM popup notification
Fixed view more emoticon session page problem
Fixed view profile email links
Fixed display of websites in profile
Fixed backup database failure
Fixed MS Access schema error when posting topics
Fixed problem with hyphenated/dotted DB names in MySQL 3.23.6+
Various other fixes and updates
1.xxi. Changes since RC-1 (pre)
Upgrade script completed for initial fully functional release
Sessions code updated
Mark read code updated and hopefully fixed
Significant changes to properly deal with \' for non-MySQL boards
mssql, msaccess and mssql-odbc DB classes re-written
Avatar issues addressed and fixed
Search (INSERT) bug using MySQL fixed
Search highlighting issues addressed
Search own/other users posts fixed
BBCode fixes for magic URIs and other issues
Template updates for subSilver
User and group permissions problems fixed
Forum management problems (deletion of forum causing category not to display) fixed
Pagination problem with groupcp fixed
Backslash issues with posting and profile fixed
Backslash issues with emails fixed
preg_quote problems fixed
User management updated with full avatar control and missing fields
Private messaging box limits fixed
Private messaging ?folder= strangeness fixed
Forum pruning code updated to cope with search system
Emoticon system in posting updated
BBCode FAQ link added to posting form
Language file updates to address concerns of translators
Various other bug fixes and updates
Note that a full list of fixed bugs can be found at the bug tracker (see section on bug reporting here)
2. Copyright and disclaimer
This application is open source software released under the GPL. Please see the source code and the Docs directory for more details. This package and its contents are Copyright 2002 phpBB Group, All Rights Reserved.