SMF 2.0.3 November 16 2012
===============================================================================
December 2012
--------------------------------------------------------------------------------
! SSI showed hidden boards on improperly configured forums (part 2)
! SSI showed hidden boards on improperly configured forums
! XSS in moderation log page (thanks kingW3 for the report)
! ManagePaid fails if copies of Subscriptions-Paypal.php are present
November 2012
--------------------------------------------------------------------------------
! The PCRE engine, starting at version 8.3, will not allow you to specify the surrogate range D800-DFFF - From Spuds (similar to commit 10994)
! Fixed missing check on the referer URL when adminLogin comes into play (1.0, 1.1 and 2.0 versions)
! Fixes for PayPal moving to HTTP 1.1 [bug 5009]
! Updated the sandbox to use https; the former address resulted in a redirect
! curl did not work due to an improper check
! Subscriptions should also check for an approved payment
Cherry-picked from git commit 07d4bc9fba8942fd284d3d0c3c732889a7bc2e6f by Spuds
! Fixed the upgrade.php failing when the Themes directory was in a directory other than $boarddir (thanks iacchi for finding the cause)
October 2012
--------------------------------------------------------------------------------
! Applied all the changes proposed by rawlogic to fix the intermittent session verification failures
February 1 2013
===============================================================================
January 2013
--------------------------------------------------------------------------------
! Joshua's fix for validatePasswordFlood logic error (reported by Raz0r)
! Arantor fix for database error on lost connections
! Quick fix for Admin Password Reset vulnerability reported by Raz0r
! Directory traversal vulnerability in the function ViewFile (thanks yan.uniko.102 for reporting and Arantor for proposing the fix and Spuds for spotting the undefined variable)
! Active users can no longer change their email from the activate action without deactivation/confirmation (thanks BarteX for reporting the issue and suggesting a fix)
! Changing the language from the admin panel could allow XSS, path disclosure and code injection (thanks Jakub Galczyk for reporting the issue)
! Missing arguments in SSI functions called through ?ssi= generated error messages showing the full server file path (thanks yan.uniko.102 for reporting it)
! Directory listing and editing of arbitrary files from the theme editing page in the admin panel