  1. #1
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32

    Is This True about PhP Bulletin Boards?

    I was told that hackers are able to use these bulletin boards to somehow "attack" servers... and in fact, this is a major problem right now with many host services. They also said that it appears many of these hackers' IP addresses originate in a certain part of the world (I'm not going to say where... so that I don't offend anyone).

    Personally, I have my doubts about this... but I don't know squat about this stuff anyway.

  2. #2
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    it all depends on how the script is written.

  3. #3
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    Yes, they mentioned something about script being written. So does this mean that since I use one of those bulletin boards on 2 of my sites, that someone can get in and mess with the host's server??

  4. #4
    Join Date
    Dec 2004
    Location
    US
    Posts
    597
    Just update your board to the latest version.

  5. #5
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    If you do not keep the bulletin board updated to the latest version, this certainly can happen. If you use phpBB there are a ton of vulnerabilities for it and you need to make sure you're updated as soon as possible. We have actually seen this happen to quite a few of our clients in the past.

    Thanks,

  6. #6
    Join Date
    Apr 2005
    Location
    NSW, Australia
    Posts
    136
    Most problems with the bulletin boards seem to be outdated phpBB versions, at least from what I've read.
    Rob G.

  7. #7
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    Thanks for the warning... I have not updated those boards in at least a year!

  8. #8
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Originally posted by georgiehopper
    Thanks for the warning... I have not updated those boards in at least a year!
    A year old version would certainly make you vulnerable. Update them now and count your blessings no one discovered them before!

  9. #9
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    Are there better boards that one should use instead of the PhP?

  10. #10
    Join Date
    Jan 2002
    Location
    Boston
    Posts
    5,010
    All BBS scripts and forums in general have issues including most of all the paid ones. Best thing to do is try and stay on top of updates and do your best to keep things as secure as possible.

    I think phpbb has gotten somewhat of a bad rap due to having a bad number of exploits over the past year or so but you also must realize it is probably the biggest free bb software available thus it is targeted more than others.

  11. #11
    Join Date
    Mar 2001
    Location
    Houston, TX
    Posts
    972
    The good boards will have auto-update features that will make it a breeze to get patched up. I know SMF has this though I can't say for phpBB. Overall, phpBB is a common target for exploits just because of its popularity.

    Roj
    Web Hosting? Been there. Done that.
    I am niyogi.

  12. #12
    It's easy for a hacker to abuse PHPbb which is the reason why I hate it completely.

    I'd recommend either Invision or vBulletin, though there are many other boards out there, these 2 don't have as many, if any, security exploits compared to some others.

  13. #13
    Join Date
    Jan 2003
    Location
    Texas, where else?
    Posts
    1,571
    phpBB is a great FREE BB, that's the problem. It's very popular and has lots of free "add-ons" skins, mods etc. (probably more than anybody) written by users and available for free download (code which of course isn't controlled by phpBB.)
    With popularity comes attacks, why do you think all the viruses & such target Microsoft instead of Macintosh, more numbers = more damage?
    The main thing is to update all the time as soon as one is available and watch their forums etc.
    The biggest "hack" last year was an exploit that somebody found and before the patch was widely installed somebody figured a script to "search" for phpBB installs then run the exploit automatically by script. At that point it spread like wildfire. Luckily all our phpBB users but one had updated 2-3 weeks earlier when the patch was released (and we sent everybody a notice & link) but we did have one customer's board "lost" because of it.
    I personally am becoming more of an SMF fan but it has its problems and UBB & vBulletin have theirs even though they come with a price tag.
    SMF is easier to update but their "auto" feature can really mess up any mods you have made so there is a trade off to that simplicity.
    Nothing wrong with phpBB in particular, just keep it updated. As I mentioned their biggest problem in '04 was caused by something they had issued a patch for weeks earlier... the "bad guys" just count on people not updating like they count on computer users who don't update their anti-virus.
    (Actually had a customer set a record the other day, was complaining to support about some weird behavior on his PC, when asked when he last scanned we found out he had never updated the anti-virus... the one that came on the box in 2000 when he bought it! That was an all-time high for stories we'd heard. 5 years on a Windows box, amazing he had lasted this long...)

  14. #14
    Join Date
    Sep 2004
    Location
    Chennai , India
    Posts
    4,608
    I think the attack can be done in various ways; phpBB has an update released for this one.

    1. SQL injection: the real problem came when the script allowed hacking of the database.

    They have fixed it, there is no problem.

  15. #15
    Join Date
    Nov 2002
    Location
    Lakeport CA, Clear Lake
    Posts
    1,856

    Another good alternative to free PHPBB is free Simple Machines Forums known as SMF forums. Here's a link to their community: http://www.simplemachines.org/community/
    Everyone is entitled to MY opinion.
    CatfishEd.com

  16. #16
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Originally posted by georgiehopper
    Thanks for the warning... I have not updated those boards in at least a year!
    I'll cast a vote for WordPress. Easy to configure to your site design and very easy to navigate.

  17. #17
    This is something I actually asked on the phpBB community (http://www.phpbb.com/phpBB/viewtopic.php?t=298682) when Mr. BlazerNetwork was accusing me of hacking his system. It seems as stated earlier in this thread, he didn't update his system as he should have been.

    No... I'm not trying to stir up any crap with Blazer here. It's an example of what happens, has happened, and still happens because people don't install the patches and latest versions. Talk to any security expert. One of the top items they will tell you, if not the #1 item, is always install the latest patches/versions.

    My two favorites are phpBB (such a large following - many skins, bug fixes, etc.) and if you're into asp.net like I am, go with Community Server (http://communityserver.org/forums/).

    Something that amazes me about phpBB is all the modifications that are available for it because of the huge following. It's caused this "microsoft tech only" guy to take a serious look at php.

  18. #18
    I use PhPBB for my Forum and I love it because it is so easy to customize. It also tells me if I am running the latest version every time I log in as an admin. So why are people worried about not updating security for the board? If you log in every couple days you will see when it needs to be updated. Or am I missing something?

  19. #19
    hmm...that's awesome. Maybe that's not well known because it hasn't always been there.

  20. #20
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    I logged in and went to the administrative panel and I couldn't find anything anywhere regarding updating.

    I feel like a real idiot because you guys say how easy the board is to work with, but I can't even figure out how to change the skins.

  21. #21
    Any bulletin board can attack a server. If you have any script that connects to another server (to send emails for example), that can be abused from HTTP Distributed Denial of Service attacks. That's when possibly a few hundred proxy servers are being directed to your "Request New Password" function, and the account that they're requesting the password has an email on "YourWebSite.com." YourWebSite.com's server will be bogged down with all these requested password emails.

    The best way to prevent this is to put in confirmation codes in the register and request password pages to prevent your site from being hijacked like this. Normally, this strains your site's server more and takes your site out completely before it's able to even affect the other site, but if you're on a fast dedicated server, then major damage can be done to another who's on a shared server (their whole server crashing).
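
An added example, not part of the original thread or of any board's own code: a PHP gate for a "request new password" handler that checks a one-time confirmation code and then throttles per client and per account. The per-account cap goes beyond the confirmation codes suggested in post #21; the class name, limits, account name and addresses are assumptions made for illustration.

```php
<?php
// Added example (not phpBB code). Limits, names and sample values are assumptions.

const MAX_PER_CLIENT  = 3;    // reset requests accepted per client IP per window
const MAX_PER_ACCOUNT = 2;    // reset mails sent per account per window
const WINDOW_SECONDS  = 900;

// Code shown on the form (as an image, for instance) and kept server-side in the
// session; the handler discards it after one comparison so it cannot be replayed.
function new_confirmation_code(): string
{
    return strtoupper(bin2hex(random_bytes(3)));
}

final class ResetGate
{
    // Timestamps of accepted requests per bucket. A real deployment keeps this
    // in a database table or shared cache so it survives between requests.
    private array $hits = [];

    // True while the bucket is under its limit; records the hit when allowed.
    private function allow(string $bucket, int $limit, int $now): bool
    {
        $recent = array_values(array_filter(
            $this->hits[$bucket] ?? [],
            fn($t) => $t > $now - WINDOW_SECONDS
        ));
        $ok = count($recent) < $limit;
        if ($ok) {
            $recent[] = $now;
        }
        $this->hits[$bucket] = $recent;
        return $ok;
    }

    // 'send' only when the code matches and both limits hold.
    public function decide(string $ip, string $account, string $expected, string $given, int $now): string
    {
        if ($expected === '' || !hash_equals($expected, $given)) {
            return 'bad-code';
        }
        if (!$this->allow("ip:$ip", MAX_PER_CLIENT, $now)) {
            return 'client-throttled';
        }
        if (!$this->allow('acct:' . strtolower($account), MAX_PER_ACCOUNT, $now)) {
            return 'account-throttled';
        }
        return 'send';
    }
}

// Constructed traffic: 200 different client addresses request a reset for the
// same account within a few minutes, every one with a valid code, followed by
// one request carrying a wrong code.
$gate   = new ResetGate();
$code   = new_confirmation_code();
$start  = 1118000000;                       // constructed timestamp
$counts = [];
for ($i = 1; $i <= 200; $i++) {
    $r = $gate->decide("203.0.113.$i", 'victim', $code, $code, $start + $i);
    $counts[$r] = ($counts[$r] ?? 0) + 1;
}
$r = $gate->decide('203.0.113.250', 'victim', $code, 'WRONG1', $start + 201);
$counts[$r] = ($counts[$r] ?? 0) + 1;
print_r($counts);
```

Because every request in the constructed run comes from a different address, the per-client limit never triggers; the per-account cap is what bounds the outgoing mail.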

  22. #22
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    phpBB sucks. I don't buy the whole excuse that it's exploited more because it's so popular. Vbulletin, for example that WHT uses, has far less exploits and is just as popular, if not more so. phpBB has more exploits, because it has so many holes. Time and time again, as well. I don't pretend that a project that many people contribute to the code on is easy to keep up with and prevent holes, but the number of holes they have and the frequency of them, is utterly ridiculous, at least in my opinion.

    Open source or not, paid or not, popular or not, the problem is with the code. It's a resource hog (yes, better than some other forums) and is insecure too often. I'd never personally use it. At some point, I'll be coding an alternative that's secure, so I can have something to offer people that want a forum, so I don't end up having to offer something like it and have to explain to clients how to keep up to date on it every few weeks or risk their site being compromised.

  23. #23
    I know from experience that Invision Board is exceptionally well-secured, and not too expensive... If you have a small board, you can use their free trial for an unlimited amount of time

  24. #24
    Join Date
    May 2005
    Posts
    46
    this thread is a joke. anyone that says you can use phpBB to attack the SERVER is wrong. i'd definitely like for someone to explain how an sql injection on ONE database can affect an entire server?

    of course hackers abuse phpBB. it's open source and there will always be exploits that cause them to take over your board, gain admin status, delete everything.

    but under no circumstances can a vulnerability in phpBB's software affect your server. the only people that say that are uneducated operators of small hosting companies. either that or they are extremely paranoid.

    if you are that worried about having your phpBB hacked, just create an .htaccess file and throw it in your admin directory or password protect the directory via your server's control panel.

    the worst exploit was the worm that infected via google searches and that was all of a 10 minute fix.

    i've been using phpBB for almost 2 years. there has never been an exploit that allowed any attack on a server. that doesn't even make any sense.

    if you can design an sql injection to make the mySQL server crash, that is the ****** server ever made.

  25. #25
    Some people shouldn't post unless they know what they are talking about...

    Poorly coded scripts (for that matter *all scripts*) have vulnerabilities, and those can be exploited to harm the server. All you need is a poorly coded include statement and a hacker can use it to include a java/php minishell, which can then be used to wreak havoc on any server.

    Please don't post when you haven't the slightest idea wat you're talking about
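
An added example, not part of the original thread and not phpBB's code: the "poorly coded include statement" from post #25 shown as a commented-out pattern beside a hardened form that only ever includes files from a fixed allowlist. The `page` parameter, the page names and the temporary directory are hypothetical.

```php
<?php
// Added example, not phpBB code. The 'page' parameter, page names and the
// pages directory are hypothetical.

// Vulnerable pattern: a request value flows straight into include, so the
// requester chooses which file (or, with allow_url_include=On, which URL)
// the server executes with the site's privileges:
//     include $_GET['page'] . '.php';

// Hardened form: the request only selects a key from a fixed allowlist.
const PAGES = [
    'index'      => 'index.php',
    'faq'        => 'faq.php',
    'memberlist' => 'memberlist.php',
];

// Returns the absolute path to include, or null if the request is rejected.
function resolve_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;                       // arrays, unknown names, paths, URLs
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;                       // file missing on disk
    }
    // Defence in depth: the resolved file must still sit under the base
    // directory (catches a symlink placed inside it).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo on a constructed page directory and constructed request values.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/faq.php", "<?php echo 'FAQ page';\n");

$requests = ['faq', 'nosuchpage', '../config', 'http://example.invalid/x', ['faq']];
foreach ($requests as $req) {
    $file = resolve_page($req, $dir);
    echo json_encode($req, JSON_UNESCAPED_SLASHES), ' => ',
        $file === null ? 'rejected (404)' : 'include ' . basename($file), "\n";
}

unlink("$dir/faq.php");
rmdir($dir);
```

On the server side, `allow_url_include = Off` and an `open_basedir` restriction in php.ini limit what a missed include bug can reach.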

  26. #26
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    Hey, all I did was ask a question because part of the reason that Avidhosting is having problems has something to do with a PhP board... that's what they told me.

  27. #27
    Join Date
    May 2005
    Posts
    46
    ok so i'd like for you to attack my server then. you, my friend, are the one that has no clue what he's talking about

    please learn how to spell the word, "what".

  28. #28
    Georgie, I was commenting on biesky's post

  29. #29
    Join Date
    May 2005
    Posts
    46
    Originally posted by georgiehopper
    Hey, all I did was ask a question because part of the reason that Avidhosting is having problems has something to do with a PhP board... that's what they told me.
    change servers then. that's a joke and it's probably just some lame excuse because they aren't smart enough to figure out what's wrong.

  30. #30
    Join Date
    Jun 2005
    Location
    northern Virginia
    Posts
    32
    I had also asked them to put our site on a different server at their own suggestion, but then they never responded to three requests to make the change. So we changed hosts the day before yesterday.

  31. #31
    Biesky,

    I've been in this business for a long time and I've seen many things happen. The fact that I misspelled one word (I clearly know how to spell "what," as I did so correctly earlier in the post) does not disprove that. If you think that a vulnerable script does not leave open the possibility for harm to a server, then you are misinformed or ignorant. I am not going to attack your server, as I work on the other side of the law, securing servers, rather than harming them. If you wish to continue to post incorrect advice, that is your prerogative, and I can't stop you. I can only inform people when you are wrong.

  32. #32
    Join Date
    May 2005
    Posts
    46
    Originally posted by georgiehopper
    I had also asked them to put our site on a different server at their own suggestion, but then they never responded to three requests to make the change. So we changed hosts the day before yesterday.
    good idea.

  33. #33
    Join Date
    May 2005
    Posts
    46
    if you operate a server that can be exploited server side via an sql injection or anything related to phpBB, then you don't know as much as you claim.

    being able to attack a server via a vulnerable script has nothing to do with phpBB. it's just an excuse from little hosting companies.

  34. #34
    Biesky,

    If you had read his post, you would know that his host didn't say phpBB, they said php bulletin boards. In this regard, they are correct. There are many insecure php bulletin boards. Please comment on the actual subject matter, not what you perceive the subject matter to be.

  35. #35
    Join Date
    May 2005
    Posts
    46
    Originally posted by BenEDH
    Biesky,

    If you had read his post, you would know that his host didn't say phpBB, they said php bulletin boards. In this regard, they are correct. There are many insecure php bulletin boards. Please comment on the actual subject matter, not what you perceive the subject matter to be.
    you obviously don't know how to read. please re-read the thread and come back and post again. there are at least six posts saying that you can attack a server via an exploit in phpBB, not a bulletin board coded in php.

  36. #36
    Biesky,

    I have read the thread, and understand that people have said that... For the record, there actually have been recorded instances of phpBB installs being exploited and actual harm to the server being caused. Granted, these aren't on newer versions, but the fact remains that ANY script is open to exploitation if poorly coded. A good deal of people would say that phpBB is poorly coded, including me. By extension, phpBB is vulnerable to exploitation leading to damage to a server. It is possible and the fact that you ignore the possibility does not prove your point.

  37. #37
    Join Date
    May 2005
    Posts
    46
    anything is possible. if someone can crack tmobiles server and read secret service documents being passed and get access to celebrity notebooks, then anything is possible.

    if there are recorded instances, i'd love to be able to read them. i never said that I can't be wrong, but no one has proved differently.

    i still doubt that someone could attack phpBB and harm the server in any way if you had any type of protection on that server. most decent servers have cisco firewall these days.

    i don't agree that phpBB is poorly coded. it's certainly not top of the line but it's also open source.

    i don't see how you really believe that a phpBB install can cause the server to crash. at worst with a poorly protected server you could cause services such as php and mysql to crash but you couldn't crash the entire server. it just makes zero logical sense.

    anything is possible. i can walk outside and find a winning powerball ticket. it would be extremely difficult and nearly impossible to crash a server through phpBB that is NOT modified.

  38. #38
    If I'm not mistaken, no one ever said that it could crash a server, just that it could cause certain "general" damage... That's all I've said.

  39. #39
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by biesky83
    this thread is a joke. anyone that says you can use phpBB to attack the SERVER is wrong. i'd definitely like for someone to explain how an sql injection on ONE database can affect an entire server?
    I think they meant that due to exploits, people can abuse the script to download and run things to have outgoing attacks, perhaps, but I'm only guessing. Of course, this isn't just phpBB, but any poorly coded script.

    of course hackers abuse phpBB. it's open source and there will always be exploits that cause them to take over your board, gain admin status, delete everything.
    Why do you assume just because it's open source, that there will always be exploits that allow such exploits to take place? Open source software can be secure, too, if it's coded right. Of course, it's more difficult when so many people are working on it, I agree with that.

    but under no circumstances can a vulnerability in phpBB's software affect your server. the only people that say that are uneducated operators of small hosting companies. either that or they are extremely paranoid.
    That is true, that a well configured server will not be affected much by an exploit of that nature. However, any software that allows someone to use that script as a means to gain access that they should not otherwise have, into the server or to do anything at all, is not good, regardless of what script it is, and regardless of how secure the server is. With resource limits and the like to prevent damage, good permissions and ownerships on files to protect them, etc., the damage should be minimal to none, but I still don't recommend people use software that has such a long history of exploits for their own forum data's sake. Just my opinion though.

    if you are that worried about having your phpBB hacked, just create an .htaccess file and throw it in your admin directory or password protect the directory via your server's control panel.
    I think the point is that there are means for people to exploit the software without requiring access to the admin area.

    the worst exploit was the worm that infected via google searches and that was all of a 10 minute fix.
    And, how many times had this software suffered from such exploits? A lot. if you like it, that's fine.

    i've been using phpBB for almost 2 years. there has never been an exploit that allowed any attack on a server. that doesn't even make any sense.
    But it can allow a means to, as can any other script with an exploit. I know many people that use phpBB and many don't update it at all and they've never had their site exploited. Others I know of that updated it often had theirs exploited, and others that did did not. I agree that it's not the end of the world and if you update it often enough and aren't a target for someone that keeps up to date on it by hours or days before you do, you should be okay to keep updating it.

    if you can design an sql injection to make the mySQL server crash, that is the ****** server ever made.
    Yep.

  40. #40
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by BenEDH

    Poorly coded scripts (for that matter *all scripts*) have vulnerabilities,
    Actually, no. Only poorly coded ones. And, I don't mean "poorly coded" as in that the code is a mess. I've seen beautiful code, looks like artwork, have holes. There's absolutely no reason why a script would be vulnerable, unless someone missed something, made a mistake, wasn't paying attention or didn't know enough about it to code it securely (or they did, but didn't care to put in the effort). Of course, since humans aren't perfect, there are often exploits in a lot of programs, but it's absolutely untrue that *all* scripts have vulnerabilities. When dealing with an interface like CGI or using mod_php, it's entirely possible to have a program that doesn't suffer from a vulnerability.

    and those can be exploited to harm the server.
    Depending on how they can be exploited, and how the server is configured, etc, it could potentially harm the server, or have the server used as the source of an attack, for example, but it depends.

    All you need is a poorly coded include statement and a hacker can use it to include a java/php minishell, which can then be used to wreak havoc on any server.
    One of a few hundred examples, that's true.

    Please don't post when you haven't the slightest idea wat you're talking about :(
    I'm not sure which poster(s) you are referring to, but I sincerely and absolutely disagree that all scripts suffer vulnerabilities. That's a ridiculous statement, I hope that was a mistake in the phrasing of the point you were making? :-)
