Fixed unsetting global vars - Matt Kavanagh

Fixed XSS vulnerability in username handling - AnthraX101

Fixed not confirmed sql injection in username handling - warmth

Added check for empty topic id in topic_review function

Added visual confirmation mod to code base

• Added confirm table to admin_db_utilities.php
• Prevented full path display on critical messages
• Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
• Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
• Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
• Fixed arbitrary file unlink vulnerability in avatar handling functions -AnthraX101
• Removed version number from powered by line
• Merged database update files to update_to_latest.php file
• Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
• Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer

• Hardened author and keyword search a bit to not allow very server intensive searches
• Fixed full path disclosure in bad word parsing
• Resetting complete userdata array in session code if authentication fails
• Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
• Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
• Fixed html handling in signatures if html is turned off globally
• Fixed install.php problem with PHP5 register_long_arrays option turned off
• Fixed potential issues with styling system
• Added correct class to login_body template file
• Removed file db/oracle.php from package
• Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
• Fixed case-sensitivity issues in postgres7.php - R45

• Hardened author and keyword search a bit to not allow very server intensive searches
• Fixed full path disclosure in bad word parsing
• Resetting complete userdata array in session code if authentication fails
• Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
• Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
• Fixed html handling in signatures if html is turned off globally
• Fixed install.php problem with PHP5 register_long_arrays option turned off
• Fixed potential issues with styling system
• Added correct class to login_body template file
• Removed file db/oracle.php from package
• Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
• Fixed case-sensitivity issues in postgres7.php - R45

Fixed moderator status removal in groupcp.php
Removed newlines after ?> on some files - Thoul
Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
Fixed issue in admin/admin_forums.php
Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
Updated the readme file
Added one new language variable
Added general error if accessing profile for a non-existent user
Changed session id generation to be more unique - Henno Joosep
Fixed bug in highlight code to escape characters correctly
Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
Fixed bypassing of validate_username on registration - Yen
Empty url/img bbcodes no longer get parsed

Fixed moderator status removal in groupcp.php
Removed newlines after ?> on some files - Thoul
Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
Fixed issue in admin/admin_forums.php
Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
Updated the readme file
Added one new language variable
Added general error if accessing profile for a non-existent user
Changed session id generation to be more unique - Henno Joosep
Fixed bug in highlight code to escape characters correctly
Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
Fixed bypassing of validate_username on registration - Yen
Empty url/img bbcodes no longer get parsed

• Added extra checks to the deletion code in privmsg.php - reported by party_fan
• Fixed XSS issue in IE using the url BBCode
• Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
• Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
• Pass username through phpbb_clean_username within validate_username function - AnthraX101
• Fixed PHP error in message_die function
• Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
• Also fixed above issue in usercp_viewprofile.php
• Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
• Fixed ordering of forums on admin_ug_auth.php to be consistant with other pages
• Correctly set username on posts when deleting a user from the admin panel