SMF 1.1.19, 2.0.6 Multiple Vulns

2013.12.30
Credit: Henri Salo
Risk: Low
Local: No
Remote: Yes
CWE: N/A

Advisory:
http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/
http://seclists.org/fulldisclosure/2013/Dec/83
http://osvdb.org/101004 "Unspecified Clickjacking Arbitrary Code Execution"
http://osvdb.org/101005 "Unicode Homoglyph Username Spoofing Weakness"

Fixed in versions 1.1.19 and 2.0.6.

Credit: Jakob Lell

Changelog:
"""
October 2013
-------------------------------------------------------------------------------
! Added some headers to help protect against clickjacking (thanks Jakob Lell for the report)
! Invalid avatars were not always properly cleaned up (thanks chaoztc for the report)
! Added protection against usernames being impersonated with Unicode space characters (thanks Jakob Lell for the report)
! Sessions weren't always cleaned up properly on logout (thanks creepernex for the report)
! Certain fields were accepted during registration even when they shouldn't be (thanks tomreyn for the report)
! Certain errors were unnecessarily shown during a failed registration and some of those were inappropriate anyway (thanks Labradoodle-360 for the report)
! Approving an account from a member's profile was not logged (thanks emanuele for the report)
! Approving an account from a member's profile did not always properly enforce security rules (thanks emanuele for the report)
! The PHPSESSID injector would also add it to the canonical link, breaking it (thanks to all who reported it)
! An invalid character was indicated in legacy attachment handling
! Under some circumstances the admin panel would not accept the number of verification questions you had entered (thanks BurkeKnight for the report)
! The help pages could sometimes accidentally direct users to non-existing pages (thanks AngelinaBelle for the report and Illori for the fix)
"""

Changes: http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5

---
Henri Salo
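As an added example (mine, not SMF's code and not part of the post above), a defensive registration check in Python for the username-spoofing item in the changelog: it canonicalizes a candidate name so that copies padded with Unicode space characters collide with existing accounts, and lists the offending characters for an error message. It goes slightly beyond the changelog by also handling invisible format characters (zero-width space and similar) and NFKC compatibility forms; the existing-user list is constructed.

```python
import unicodedata

# Constructed sample of already-registered display names (not from the advisory).
EXISTING_USERS = {"admin", "Henri Salo"}

SEPARATORS = ("Zs", "Zl", "Zp")   # Unicode space/line/paragraph separators
INVISIBLE = "Cf"                  # format characters: zero-width space, joiners, BOM


def canonical_username(name: str) -> str:
    """Reduce a display name to a comparison key.

    NFKC folds compatibility forms (e.g. fullwidth letters, NBSP) to their base form,
    every Unicode separator becomes an ASCII space, invisible format characters are
    dropped, runs of spaces collapse, and the result is trimmed and case-folded.
    """
    folded = unicodedata.normalize("NFKC", name)
    chars = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if cat in SEPARATORS:
            chars.append(" ")
        elif cat == INVISIBLE:
            continue
        else:
            chars.append(ch)
    return " ".join("".join(chars).split()).casefold()


def suspicious_characters(name: str) -> list[str]:
    """Unicode names of non-ASCII separators and invisible characters in `name`,
    suitable for telling the registrant exactly what was rejected."""
    found = []
    for ch in name:
        cat = unicodedata.category(ch)
        if (cat in SEPARATORS and ch != " ") or cat == INVISIBLE:
            found.append(unicodedata.name(ch, f"U+{ord(ch):04X}"))
    return found


def is_impersonation(candidate: str, existing=EXISTING_USERS) -> bool:
    """True when `candidate` would be indistinguishable from an existing account
    once space/invisible-character padding is removed."""
    key = canonical_username(candidate)
    return key in {canonical_username(u) for u in existing}


if __name__ == "__main__":
    for attempt in ("admin\u200b", "Henri\u00a0Salo", "\u3000admin ", "admin2"):
        print(repr(attempt), is_impersonation(attempt), suspicious_characters(attempt))
```

A registration handler would reject any name for which `suspicious_characters` is non-empty or `is_impersonation` is true, rather than silently normalizing it.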

References:

http://seclists.org/oss-sec/2013/q4/564
http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5

