A security issue was introduced with phpBB 3.07 which allowed users to bypass permission settings if any of the following conditions were met:
<ul>
<li>Feeds are enabled</li>
<li>Any of the posts or topics feeds are enabled</li>
<li>The unauthorised user – or one of the groups they are a member of – have forum permissions set on a private forum</li>
<li>If you have excluded a forum from the list of forums that provide feeds, it is unaffected</li>
</ul>
The full announcement:
<blockquote>
We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7, unfortunately the issue wasn't noticed during testing and has only surfaced a week after the release of 3.0.7.
We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1.
</blockquote>
You can do so by downloading the latest release from <a href="http://www.phpbb.com/downloads/">their website</a>.

phpBB gets update to counter security hole caused by introduction of feeds

mike-johnston company logo

mike-johnston

mike-johnston Profile

A security issue was introduced with phpBB 3.07 which allowed users to bypass permission settings if any of the following conditions were met: 
 
Feeds are enabled
Any of the posts or topics feeds are enabled
The unauthorised user – or one of the groups they are a member of – have forum permissions set on a private forum
If you have excluded a foru...