CHANGELOG since previous version (2.0.11)...
l.i. Changes since 2.0.16
* Added extra checks to the deletion code in privmsg.php - reported by party_fan
* Fixed XSS issue in IE using the url BBCode
* Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
* Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
* Pass username through phpbb_clean_username within validate_username function - AnthraX101
* Fixed PHP error in message_die function
* Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
* Also fixed above issue in usercp_viewprofile.php
* Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
* Fixed ordering of forums on admin_ug_auth.php to be consistant with other pages
* Correctly set username on posts when deleting a user from the admin panel
l.ii. Changes since 2.0.15
* Fixed critical issue with highlighting - Discovered and fix provided by Ron van Daal
* Url descriptions able to be wrapped over more than one line again
* Fixed bug with eAccelerator in admin_ug_auth.php
* Check new_forum_id for existence in modcp.php - alessnet
* Prevent uploading avatars with no dimensions - Xpert
* Fixed bug in usercp_register.php, forcing avatar file removal without updating avatar informations within the database - HenkPoley
* Fixed bug in admin re-authentication redirect for servers not having index.php as one of their default files set
l.iii. Changes since 2.0.14
* Fixed moderator status removal in groupcp.php
* Removed newlines after ?> on some files - Thoul
* Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
* Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
* Fixed issue in admin/admin_forums.php
* Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
* Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
* Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
* Updated the readme file
* Added one new language variable
* Added general error if accessing profile for a non-existent user
* Changed session id generation to be more unique - Henno Joosep
* Fixed bug in highlight code to escape characters correctly
* Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
* Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
* Fixed bypassing of validate_username on registration - Yen
* Empty url/img bbcodes no longer get parsed
l.iv. Changes since 2.0.13
* Hardened author and keyword search a bit to not allow very server intensive searches
* Fixed full path disclosure in bad word parsing
* Resetting complete userdata array in session code if authentication fails
* Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
* Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
* Fixed html handling in signatures if html is turned off globally
* Fixed install.php problem with PHP5 register_long_arrays option turned off
* Fixed potential issues with styling system
* Added correct class to login_body template file
* Removed file db/oracle.php from package
* Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
* Fixed case-sensitivity issues in postgres7.php - R45
l.v. Changes since 2.0.12
* Ommitted preg_replace warning in viewtopic due to improper working of preg_quote in PHP - originally reported by matrix_killer, fix submitted by another party
* Fixed high severity issue in session handling allowing everyone gaining administrator rights. Please update as soon as possible.
* Minimum requirements raised to PHP 4.0.3 or above due to fixing vulnerability issues breaking PHP3 compatibility.
l.vi. Changes since 2.0.11
* Added confirm table to admin_db_utilities.php
* Prevented full path display on critical messages
* Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
* Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
* Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
* Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
* Removed version number from powered by line
* Merged database update files to update_to_latest.php file
* Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
* Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer