Security problems in phpBB

[mmj]

That's right. All phpBB versions, including 1.2 to 1.4.1 currently have a large security vulnerability, allowing arbitrary code to be run on the owner's server.

This is due to bugs in the script.

Unfortunately, the phpBB staff refuses to release bug fixes, or any description of the security holes. They have made no official announcements of the security holes.

They simply encourage us to upgrade to a newer version instead. However, experience, and the people at the phpBB forums, have proven that this upgrade does not fix security holes.

I have been very disappointed with the phpBB staff's handling of these matters and I would now like to recommend against using any version of phpBB below 2.0

[James]

Wasn't there recently a 1.4.2 release? I might be wrong but I seem to vaguely remember them releasing a security fix.

I agree that there are a lot of things the phpBB Team could have handled a lot better, this being one of them, but remember it is free!

[iFroggy]

Yes, you are right James, but there are still some problems.

Anyone that has phpBB, make sure you install .htaccess in your admin directory, it is easy to do and will save yoy a lot of problems.

[mmj]

Keeping the admin directory password protected using .htaccess is a deterrent, but unfortunately does not fully solve the problem.

As far as I can see, the best thing to do is either use version 1.4.2, or install Ashe's latest fix.php, available here:
http://phpbb.sourceforge.net/phpBB/v...870&forum=9&18

However, there are still some issues and I am trying very hard to get some answers. I promise to keep you posted!

If anyone else has any information related to phpBB security, I welcome your replies.