  1. #1
    One website at a time mmj's Avatar
    Join Date
    Feb 2001
    Location
    Melbourne Australia
    Posts
    6,282

    Security problems in phpBB

    That's right. All phpBB versions, including 1.2 to 1.4.1, currently have a large security vulnerability, allowing arbitrary code to be run on the owner's server.

    This is due to bugs in the script.

    Unfortunately, the phpBB staff refuses to release bug fixes, or any description of the security holes. They have made no official announcements of the security holes.

    They simply encourage us to upgrade to a newer version instead. However, experience, and the people at the phpBB forums, have proven that this upgrade does not fix security holes.

    I have been very disappointed with the phpBB staff's handling of these matters, and I would now like to recommend against using any version of phpBB below 2.0.
    [mmj] My magic jigsaw

  2. #2
    SitePoint Wizard
    Join Date
    Apr 2000
    Posts
    1,483
    Wasn't there recently a 1.4.2 release? I might be wrong but I seem to vaguely remember them releasing a security fix.

    I agree that there are a lot of things the phpBB Team could have handled a lot better, this being one of them, but remember it is free!

  3. #3
    Ex-SitePointer silver trophy
    Patrick's Avatar
    Join Date
    Oct 2000
    Location
    Harbinger, NC, U.S.A.
    Posts
    4,126
    Yes, you are right James, but there are still some problems.

    Anyone that has phpBB, make sure you install .htaccess in your admin directory; it is easy to do and will save you a lot of problems.

  4. #4
    One website at a time mmj's Avatar
    Keeping the admin directory password protected using .htaccess is a deterrent, but unfortunately does not fully solve the problem.

    As far as I can see, the best thing to do is either use version 1.4.2, or install Ashe's latest fix.php, available here:
    http://phpbb.sourceforge.net/phpBB/v...870&forum=9&18

    However, there are still some issues and I am trying very hard to get some answers. I promise to keep you posted!

    If anyone else has any information related to phpBB security, I welcome your replies.

