"One of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users to upgrade to this release as soon as possible," the phpBB Group said in its advisory. The security fixes address multiple bugs that disclose the full path to system files in phpBB, which is powered by the PHP server-side scripting language. A vulnerability reported by iDefense could, under some configurations, allow malicious users to view system files.
In December hundreds of phpBB forums were defaced by the Santy worm, which used an unpatched SQL injection exploit to spread. That incident came just days after a security flaw in PHP exposed phpBB users to possible password theft. Earlier this month, the phpBB web site was compromised, leaving the developers unable to access the server for several days.
The phpBB team said today's update was unrelated to the security breach at phpbb.com. "We are still extremely confident (the intrusion) was the fault of an outdated awstats and kernel," the phpBB Group said, referring to a flaw in the AWStats traffic analysis program, which was blamed in the defacement of several popular weblogs.