Since phpBB 2.0.6, a few security issues and many other bugs have been fixed.
1.i. Changes since 2.0.9
* Fixed deleting of styles in admin_styles.php
* Fixed wrong unsetting of variables introduced in phpBB 2.0.9, making the board non-functional for users with specific php.ini settings
* Added code to let phpBB work with PHP5 for those having register_long_arrays set to off (default settings) - running phpBB 2.0.x with PHP5 is not supported at http://www.phpbb.com.
* Fixed bug in admin_board.php for board settings having single quotes in them
* Fixed "search by author" in search.php. Now it is possible to search for users with special chars in their name too
* Fixed forum jumpbox propagating session id in moderator control pages
* Added check for newlines at redirecting pages, to prevent http response splitting attacks - Ory Segal and Amit Klein
* Fixed visual confirmation code. The image was not created due to a wrong regular expression.
1.ii. Changes since 2.0.8
* Fixed one vulnerability in admin_board.php - Xore
* Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski
* Fixed injection vulnerabilities possible with linked avatars
* Implemented unsetting globalised variables
* Limited confirm switch to POST variable in posting
* Changed IP code in common.php to prevent IP spoofing, which might introduce some problems with private IP Ranges showing up. - Wang Products
* Updated visual confirmation mod [pre-edited files]
* Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45
* Added the ability to link to https/ftps sites using the img bbcode tag
* Fixed user online information in admin/index.php
* Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman
* Fixed use of non-existing result variable in modcp (poster_id instead of user_id)
* Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind
* Fixed problem with SID not delivered to next page in groupcp.php
1.iii. Changes since 2.0.7
* Fixed several vulnerabilities in admin pages
* Fixed sid checking code in admin/pagestart.php
* Fixed injection vulnerabilities possible with the img bbcode tag
* Limited allowed images in img bbcode tag to jpg, jpeg, gif and png
* Fixed redirect problems - 2.0.7a
* Fixed sql injection vulnerability in search - 2.0.7a
* Fixed sql injection vulnerability in privmsg - 2.0.8a
1.iv. Changes since 2.0.6
* Fixed several vulnerabilities in modcp - Robert Lavierck
* Changed whois lookup address within admin index
* Fixed potential vulnerability in viewtopic postorder - 2.0.6d
* Updates to cope with Zend Optimizer 2.5 problems - 2.0.6d - jetset
* Force specialcharing of redirect variable in login - Pit
* Fixed potential vulnerability in viewtopic postdays - GulfTech Security Research
* Fixed potential vulnerability in viewforum topicdays - GulfTech Security Research
* Fixed potential vulnerability in modcp
* Fixed potential vulnerability in avatar gallery