This release is mostly the outcome of an external security audit performed by SektionEins. All items tagged as [Sec] were found by the company doing the audit and revealed some fundamental problems we were able to fix. We are proud that the audit revealed no SQL injection vulnerability or critical command execution vulnerabilities.
http://www.phpbb.com/community/viewtopic.php?f=14&t=585093#
# [Sec] Fixing possible XSS through compromised WHOIS server (#i63, #i64)
# [Sec] Missing access control on whois in viewonline.php (#i51)
# [Sec] Encoding some variables within user::page array correctly (to cope with browser not doing it correctly) to prevent XSS through functions re-using them (#i61)
# [Sec] Fixed XSS through memberlist search feature (#i62)
# [Sec] Fixed XSS through colour swatch (#i65)
# [Sec] Fixed insecure attachment deletion (#i53)
# [Sec] Only allow whitelisted protocols in meta_redirect/redirect (#i66)
# [Sec] Check file names to be written in language management panel (#i52)
# [Sec] Deregister globals if ini_get has been disabled (#i112)
# [Sec] Added form tokens to most forms to enforce a lighter variant of CSRF protection (#i91 - #i96)
# [Sec] Use new password hash method for forum passwords (#i43)
# [Sec] Changed download file location to prevent flash crossdomain policies taking effect (#i8)
# [Sec] Do not allow autocompletion for password on admin re-authentication (#i41)
# [Sec] Made sure users are not completely locked out if they have a GLOBALS cookie (#i101)
# [Sec] Use the secure hash to generate BBCODE_UIDs (#i71)
# [Sec] Increase the length of BBCODE_UIDs (#i72)
# [Sec] New password hashing mechanism for storing passwords (#i42)
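As an added illustration of the allow-listed protocol check behind item #i66 (this is not phpBB's own `meta_redirect`/`redirect` code; the allow-list of schemes, the optional host list and the sample URLs are assumptions constructed for the example), the function below accepts only `http`/`https` or same-site relative targets and rejects `javascript:`, `data:` and protocol-relative URLs, including the spelling tricks browsers tolerate:

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: only these schemes may be used as a redirect target.
ALLOWED_SCHEMES = {"http", "https"}

def is_safe_redirect_target(url: str, allowed_hosts=None) -> bool:
    """Return True only if `url` is an allow-listed absolute URL or a
    same-site relative path. `allowed_hosts` (optional) further restricts
    absolute URLs to known forum hosts, which also prevents open redirects."""
    # Browsers ignore ASCII control characters and spaces inside a scheme
    # ("java\tscript:" parses as "javascript:"), so drop them before parsing
    # rather than comparing the raw string against the allow-list.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    parts = urlsplit(cleaned)  # scheme is returned lower-cased

    if parts.scheme:
        if parts.scheme not in ALLOWED_SCHEMES:
            return False  # javascript:, data:, vbscript:, file:, ...
        if not parts.netloc:
            return False  # "http:evil.example" has no real authority part
        if allowed_hosts is not None and parts.hostname not in allowed_hosts:
            return False  # off-site target, i.e. an open redirect
        return True

    # No scheme: must be a genuinely relative path on this site.
    if parts.netloc:
        return False  # "//evil.example/" is protocol-relative, not local
    if "\\" in cleaned:
        return False  # browsers treat "/\evil.example" like "//evil.example"
    return True
```
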
Security audit for the PhpBB3 forum with RC7
Saturday 20 October 2007.
On the occasion of the phpBB3 Release Candidate 7 (RC7), a major security audit was carried out and the findings are fairly numerous, fixing a number of vulnerabilities in this free forum software that is widely used around the world.