  1. #1
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162

    Hosts banning phpBB 2.0.x ...

    This is a quote from the phpBB.com announcement forums: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=304052

    It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB (sometimes involving fees for conversion to other boards). This is unfortunate for everyone and seems largely to be based on FUD.

    While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly. Equally some hosts are doubtless blaming phpBB for exploited systems when in fact the actual culprit is one of the many other apps which have suffered recent major or significant issues (vB, AWStats, etc.).

    I would appreciate it if anyone affected by hosts taking such actions would contact me with relevant details and if possible a contact point.
    Please, sysadmins and other relevant people: DON'T BAN PHPBB SCRIPTS. At this moment, we (the phpBB Group, and I, founder of the phpBB-Portuguese community and administrator of the phpBB-Brazilian community) estimate that phpBB doesn't have *any critical* security bug. If one exists, show me (version 2.0.16).

    Please, update your awstats (cpanel update, whatever) before banning a popular script.
    Last edited by SlAiD; 07-14-2005 at 02:31 PM.
    Journalist of Tugaleaks, a Portuguese Wikileaks-inspired media organization.
    Geek with 8+ Years of VPS/Linux/cPanel experience.

    Twitter: @ruicruz

  2. #2
    Join Date
    Jun 2005
    Location
    Canada
    Posts
    2,493
    My friend tests for phpbb and in the past has given me advanced copies to test out and see if they are exploitable.

    Every single program out there has some exploit, but phpbb has too many. I've been able to exploit versions 30 minutes after I receive one.

    IPB 1.3 is legal to use and has way less bugs/exploits. Stick with that, add mod_security and secure the server and you will be fine in comparison with phpbb.
    GeeksGather - Undergoing redevelopment. Stand by.

  3. #3
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    I don't say "it doesn't have any bugs", but:
    - a correct chmod on config.php and admin/ gives *more* security to your board.
    - install mod security to phpBB (see: phpbb-amod.co)
    - change the board settings to have another password to access the ACP (I have this one only in Brazilian: http://www.phpbb-br.com/forum/viewtopic.php?t=1310)
    - etc, etc.

    Any software has bugs: this forum, cPanel, Plesk, my house too (lol).

    But it's better to warn the clients to install these mods...

  4. #4
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    The problem is not the exploits, the problem is ignorant users not upgrading their phpBB version. Less exploits, less need to upgrade. That is why I use SMF instead. However, we didn't ban phpBB.

    Cheers,
    Last edited by layer0; 07-14-2005 at 03:04 PM.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  5. #5
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Originally posted by elix
    The problem is not the exploits, the problem is ignorant uses not upgrading their phpBB version. L
    You're right!

    phpBB in 2.0.14 (I think) added a warning when the version isn't updated (it uses sockets) and... same sh*t, it doesn't work. I saw TODAY a forum with 2.0.6.

    O.o

  6. #6
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,190
    Originally posted by elix
    . . . the problem is <<< most >>> users not upgrading their phpBB version. . .
    That be the problem. And that's why I don't recommend phpbb when a client wants a bulletin board.

    Someone here looks for a recommendation for a board, I don't have a problem recommending phpbb. Of course, no one here is my customer though.
    There is no best host. There is only the host that's best for you.

  7. #7
    The funny thing is when some people act like PHPBB is the only board that has many exploits.

    On the vB board, there are people talking about all of these different bugs they found in the current version.

    A friend of mine runs the current version of SMF & found exploits already.

    It's all about how YOU secure your site. I've never had a problem with any kind of hacking, etc.

  8. #8
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Hi,

    First critical bug in phpBB 2.0.16: http://addict3d.org/index.php?page=v...curity&ID=4439

    Read the "Rui Cruz" comment (my comment).

  9. #9
    Join Date
    Jun 2005
    Location
    Chicago, IL
    Posts
    10
    I've never had any issues with phpBB being hacked on my servers really. I use the Interworx control panel which gives each account a self-signed SSL certificate which isn't much, but it helps. Plus, Interworx has just so many other security features which I feel help a lot too.

    Don't ban phpBB.... soon it's going to be the most secure forum in the nation lol.. (cause people are looking for the exploits)

  10. #10
    Join Date
    Jun 2004
    Location
    Bay Area -USA
    Posts
    1,738
    I don't think we would ban it. (although we always discourage yabb)

    I wonder if PhpBB will become totally insecure again once they release 3.0 because they said they built it from the ground up.
    <<< Please see Forum Guidelines for signature setup. >>>

  11. #11
    Join Date
    Jul 2003
    Location
    Here on Earth
    Posts
    423
    Users who use phpBB should always check for updates ...it's their fault for not updating a freeware script.

  12. #12
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    On cPanel servers the admin has a feature which allows easy upgrade of old versions of customer forums (including phpBB too) to the new one. Filtering requests may also help.
    I am also sure that PHPNuke has no fewer bugs and vulnerabilities, but I have never heard of someone banning PHPNuke installs. I think that this is just panic from the last few months' incidents with phpBB. On a server with a good security setup, any script with any number of security problems can't give a hacker the possibility of hacking the server (getting the root password or touching other customers' important files). If a hacker can do the above, this is not a script problem, this is a server security problem.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  13. #13
    Join Date
    Jun 2005
    Location
    Chicago, IL
    Posts
    10
    They need to automate the updates.. Make it easier to update it..

  14. #14
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Originally posted by worldhosting
    On cPanel servers the admin has a feature which allows easy upgrade of old versions of customer forums (including phpBB too) to the new one.
    Only when the forum is installed by the same cPanel Script

    If not, they need to do a code change update (if they have any mod installed) or a "normal" update.

    But for example, since 2.0.13 I've warned the cPanel bug list to update the versions. If I don't warn them, the cPanel Group doesn't update :$

  15. #15
    Join Date
    Aug 2004
    Location
    Southern NYS
    Posts
    533
    I dissuade all my customers from using phpBB, and recommend SMF if they don't want to pay for IPB or vB.
    PacketAce
    Because packets were meant to be delivered.
    Premium Mzima Bandwith at Equinix - Secaucus, NJ

  16. #16
    I'm sorry, SlAiD. But the fact is, while vB may have minor bugs, it does NOT have anywhere NEAR the number of sloppy coding mistakes that phpBB has. That's the problem with phpBB, the exploits are due mainly to SLOPPY coding...how many versions of vB have come out in the last 6 months...hmm...oh wait..0. Been stable

    phpBB on the other hand seems to have released a new version every other day for a while there.

    This makes hosts nervous. In the past few months many hosts have banned both phpBB AND Awstats due to the severity of these exploits. Unlike commercial software like vB, phpBB has no way of reliably notifying its users of problems. vB knows EVERY legal owner of the product and can easily notify its clients that there's a problem that needs immediate addressing. phpBB, awstats, etc...being opensource, DON'T have that ability and thus you have thousands of vulnerable scripts out there. As a host, it's our responsibility to ensure the integrity of our systems and if that means having to make blanket bans, then that's the way it goes.

    Yes, lots of scripts have holes, but certain ones just seem to be more exploitable than others.

  17. #17
    Join Date
    Mar 2003
    Location
    London Ontario, Canada
    Posts
    984
    Let's face it, phpBB is one of the better free BB's available but as elix and SoftWareRevue have both articulated clearly,

    The problem is when the "known" bugs are not addressed. I understand both points in this thread, but as the steward for client websites, I have to throw my chips in with the camp that wants to minimize the problem rather than rely on community discipline.

    Cheers
    Jeff
    www.idologic.com
    www.demologic.com
    A company committed to people serious about their websites - If you don't DO LOGIC - what do you do?Check Us Out

  18. #18
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Originally posted by ArtieFishill
    In the past few months many hosts have banned both phpBB AND Awstats due to the severity of these exploits.
    Hum... just a question.
    If cPanel has a lot of bugs NOW, do you ban cPanel/WHM too (or Plesk)?
    \m/

    These bugs are ONLY because many many many users don't update their forums.
    And I can't understand why many teams give "time" to these phpBB bugs. phpBB is free for all, what is the interest in f*cking it?
    Free code, free support, all free!

    PS: AwStats is stable now? I use it... :$

  19. #19
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Originally posted by SlAiD
    These bugs are ONLY because many many many users don't update their forums.
    Um, a bug is a mistake within the code... has nothing to do with users other than they need to upgrade after a bug is discovered.

    Originally posted by SlAiD
    what is the interest in f*cking it?
    I surely hope you're not really an 'official' rep of phpBB, coming on here and cursing like that in a public forum.

  20. #20
    Join Date
    Oct 2003
    Posts
    566
    Just one URL: http://www.fudforum.org.

  21. #21
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    serversphere, hi there.

    Yes, the bug is in the code, right.
    But if cracker/coder teams don't spend their time finding it (because this is a free project), this is better for any user.

    I'm administrator of an official international team: www.phpbb.com.br
    But no, I don't represent phpBB. I represent my life. And I think this, and I say this.
    Simple, isn't it?

    In the help forums, this is different

  22. #22
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    3,582
    Well, we're going to keep allowing the use of phpBB; it may need an update every month or so but most of the people getting exploited are using versions 6 months old. It's the ignorance of the people using the forums saying yeah I won't get hacked I don't need to worry until they get hacked.

    I also think it's the Hosts banning the boards to combat their lack of security knowledge. If they know what they're doing an exploit shouldn't be able to take out their entire server which I keep seeing some hosts have issues with.
    Tony B. - Chief Executive Officer
    Hawk Host Inc. Proudly serving websites since 2004
    Quality Shared and VPS Hosting
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X & PHP 5.6.X & PHP 7.0.X Support!

  23. #23
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    793
    Originally posted by SlAiD
    And I think this, and I say this.
    Simple, isn't it?
    Yeah, I was just kidding you.

    I agree, it is a shame that people are avoiding phpBB (myself included) because it's being more targeted than others. Hopefully the developers will tighten things up as a result and a few generations from now it will be better than ever! Once the novelty wears off and it gets fairly tight the hack/crack'ers will move on to another bb script.

  24. #24
    Join Date
    Aug 2003
    Location
    PA
    Posts
    1,899
    I also think it's the Hosts banning the boards to combat their lack of security knowledge. If they know what they're doing an exploit shouldn't be able to take out their entire server which I keep seeing some hosts have issues with.
    I must agree with what Tony has stated. The reality also lies squarely upon the hosting provider's shoulders as well with running secured servers (to a reasonable extent of course).

    I do however also see the issue with phpBB releasing so many updates all the time like has been a bit annoying even to hosts and end users as then you're talking quite a bit of updating required which for some new phpbb forum admins might pose a bit annoying if something breaks (this has occurred with one of my clients when he ran the update option). In any case I would like to see such forums as phpBB continue to be openly supported as they always have been.

    -Justin
    Justin Schurawlow :: Technology Enthusiast
    Schurawlow PC Repair
    Computer Services for the Lehigh Valley area
    Blog :: The Justin Schurawlow Blog

  25. #25
    Join Date
    Oct 2002
    Location
    EU - east side
    Posts
    21,913
    I do however also see the issue with phpBB releasing so many updates all the time like has been a bit annoying even to hosts and end users
    Maybe the script isn't the best, but:

    1. because it attracts a lot of attention and the code is easily accessible, the bad guys take a lot of interest in finding bugs

    2. if they find a major vulnerability they need to release a patch soon, before the word spreads and boards start being affected. It may be annoying, but it's about security. Sometimes it's annoying to always lock the door every time I leave home as well, but I do it nevertheless.

    3. keeping a free script updated is the least I can do as an end user. Too many people want it free, good, and to require little to no maintenance. Many (if not most) don't even know they're supposed to upgrade the scripts they use. After being brainwashed with the "you can install a forum with a click of a button" phrase, they most likely imagine that everything is somehow automated and they don't have to worry about a thing.

  26. #26
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    These bugs are ONLY because many many many users don't update their forums.
    So, if no patch exists - there's no hole? Give me a break.

  27. #27
    Join Date
    Aug 2003
    Location
    Vancouver, BC
    Posts
    1,891
    How about phpBB uses Zend Encoder to hide the majority of the script? That way the script kiddies can not see the code and find exploits as easy as it is w/o it being encoded.

    We do not recommend phpBB to any of our clients as it is a security risk.
    Gary Jones

    BlueFur.com - Canada Web Hosting

  28. #28
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    Well, then all the people who want to install and develop modifications are doomed.

  29. #29
    I totally agree that some hosts obviously lack security knowledge.

    And I wouldn't install PHPBB through Fantastico. When the time comes to update it, the new update will overwrite everything else. I install PHPBB manually.

  30. #30
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Originally posted by mikeylove
    So, if no patch exists - there's no hole? Give me a break.
    No:
    If coder/cracker/exploit teams don't spend their time finding a bug in a free project, there's no hole.

  31. #31
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Originally posted by SlAiD
    No:
    If coder/cracker/exploit teams don't spend their time finding a bug in a free project, there's no hole.
    Just because the hole isn't found--doesn't mean there's no hole.

    Cheers,

  32. #32
    Join Date
    Jun 2005
    Posts
    14
    Hmmmm.........I don't use phpbb simply because I don't care for the admin portion of it. Not due to holes or anything else. But what I have found is that NOTHING is secure!

    It seems more a matter of popularity than that of being 'insecure'.

    If you are a hacker, and are looking to wreak havoc, you will, of course, attack what's most popular, so your work (cough cough) gets noticed by the largest audience. (sick bastages).

    I feel very safe in saying that NO MATTER WHAT script is used for forums, galleries, portals, cms's, whatever......If it's out there, and being WIDELY used.........Someone is gonna hack it!!!! Yes even "PAID LICENSE" software. If all the free scripts were taken off the internet TODAY, tomorrow, vB.....Invision, and the rest would have more troubles than they could imagine!

    Will keeping 'current' help?.....Yes it will.....to a limited extent. But it's the old "Build a better mouse trap" game. You build a better trap, and they build better mice!

    I have to agree with the hosts on the fact that they are solely responsible to their clients, to keep servers active, but, likewise, they need to allow clients to freely pick and choose things like CMSs, forums, and galleries. Open source will never go away, and hackers are not going to leave the scene either.

    When I look for a script to install, I do what I can to research its value to ME, its risks, and so on. I also 'regularly' check the Dev site for the script(s) that I use, to be certain I am as current as I can be. As a client to a host, it's YOUR responsibility to do so!

    Any "good" dev team jumps on troubles IMMEDIATELY, and even though they may not have the resources to e-mail their entire user base, they WILL notify everyone on their dev site, be it thru a forum posting, or a front page news block. (I NEVER use old unsupported or "out of development" scripts.)

    There's my 2 pennies

  33. #33
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    162
    Originally posted by WayneW
    Hmmmm.........I don't use phpbb simply because I don't care for the admin portion of it. Not due to holes or anything else. But what I have found is that NOTHING is secure!
    Internet isn't secure. You use internet, right?

  34. #34
    Join Date
    Jun 2005
    Posts
    14
    Originally posted by SlAiD
    Internet isn't secure. You use internet, right?
    Um that's my point EXACTLY.

  35. #35
    Join Date
    Sep 2004
    Location
    Uk
    Posts
    422
    Well,
    I do not currently ban PhpBB on my server(s).
    But I do make sure that every install is kept up to date.
    Including other applications as well, e.g. PhpNuke, E107, SMF etc.

  36. #36

    I currently have phpBB 2.0.16

    It works great and haven't had anyone try to exploit it yet. But then again I only have two members at this time because I just installed it and have been configuring it. lol

    I plan to get phpBB 3 and install it in the same database but with a different prefix than the other one. I think a lot of people have problems with php in general not just phpBB. I have heard people saying that it is not as good as CGI, perl, etc..

    I think it all depends on the person. Everyone has their own opinion (apples and oranges). I plan to keep watching traffic to my site myself and re-check my chmod to make sure they are set correctly.

    The only problem I have right now is with my host's SQL server not connection limitations.

    <<removed self-promotion>>
    Last edited by alpha; 07-17-2005 at 12:18 AM.
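
The permission checks that posts #3 and #36 mention ("chmod config.php and admin/", "re-check my chmod"), written out for a host to run across customer docroots. This is an added example, not part of the thread: the function names and the reporting policy are assumptions, and it assumes an installed phpBB 2.0.x `config.php` can be recognised by its `PHPBB_INSTALLED` define.

```shell
#!/bin/sh
# Added example: report loose file modes on phpBB 2.0.x installs under a
# hosting root. config.php holds the board's database password, and a
# writable admin/ directory lets any local account plant files in the ACP.

# Map a 10-character `ls -l` mode string (e.g. -rw-r--r--) to the loosest
# finding. Positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
classify_mode() {
    case $1 in
        ????????w?) echo WORLD_WRITABLE ;;
        ?????w????) echo GROUP_WRITABLE ;;
        ???????r??) echo WORLD_READABLE ;;
        *)          echo OK ;;
    esac
}

# Mode string of one path, without the ACL/SELinux suffix some ls builds add.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Print "FINDING<TAB>MODE<TAB>PATH" for every phpBB config.php under $1, and
# for the admin/ directory next to it, whose mode is looser than owner-only.
# Policy (assumption): any writable-by-others mode is reported; a
# world-readable config.php is reported too, since whether it can be
# tightened depends on which user PHP runs as on that server. A merely
# world-readable admin/ directory is normal and is not reported.
audit_phpbb_perms() {
    find "$1" -type f -name config.php 2>/dev/null |
    while IFS= read -r cfg; do
        # Skip config.php files that belong to other applications.
        grep -q "PHPBB_INSTALLED" "$cfg" 2>/dev/null || continue
        for target in "$cfg" "$(dirname "$cfg")/admin"; do
            [ -e "$target" ] || continue
            mode=$(mode_of "$target")
            finding=$(classify_mode "$mode")
            if [ -d "$target" ] && [ "$finding" = WORLD_READABLE ]; then
                continue
            fi
            if [ "$finding" != OK ]; then
                printf '%s\t%s\t%s\n' "$finding" "$mode" "$target"
            fi
        done
    done
}

# Usage: sh audit.sh /home   (the hosting root is the caller's choice)
if [ "$#" -gt 0 ]; then
    audit_phpbb_perms "$1"
fi
```
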

  37. #37
    Join Date
    Dec 2003
    Location
    Brisbane, Queensland, Australia
    Posts
    547
    I will be looking very closely at the new PHPBB 3.0 when it comes out and will make my decision in whether or not to eliminate PHPbb as a forum utility for my hosting customers.

    It is the hosts that get hammered of abuse from our clients, because they got hacked by an exploit due to sloppy code.

    To those stating we should not be banning PHPbb, a host is entitled to make whatever decision they would like, to keep the security of their servers as tight as possible.

  38. #38
    Join Date
    Apr 2001
    Posts
    2,588
    Originally posted by SlAiD
    Hum... just a question.
    If cPanel has a lot of bugs NOW, do you ban cPanel/WHM too (or Plesk)?
    \m/

    These bugs are ONLY because many many many users don't update their forums.
    And I can't understand why many teams give "time" to these phpBB bugs. phpBB is free for all, what is the interest in f*cking it?
    Free code, free support, all free!

    PS: AwStats is stable now? I use it... :$
    I'm not saying that I agree with hosts that want to ban the use of the software on their servers, that's their problem.

    Your use of cPanel as an example not only shows your lack of proper understanding of the situation, but is there really any need to bash such software in order to gain the respect for which you seek?

    What "bugs" are these you speak of? Have there been any recent worms regarding cPanel itself? Have there been any major user compromises because of cPanel itself? Not as far as I know.

    Purposefully bashing a piece of software because of hearsay does nothing for your cause at all, and will earn you very little respect from the community or potential hosts that might consider you a "spokesperson" for the software (official or not).

    </end my 5 cents>

    Now.. to get back on topic. I think that phpBB is an excellent piece of software, and a large part of the reason why these issues make so much of a fuss is because..

    It's used quite extensively due to the fact that it is now one of, if not the most popular FREE alternative to the alternative paid solutions.

    With a large userbase, comes a large base of users that will want to exploit the vulnerabilities within the software. That said, there have been some extremely shocking vulnerabilities found within the software, that should not have been overlooked before putting it into the public domain.

    They need to put the development of a new version on the backburner and focus on working on the issues within the current version before pushing out another piece of software that might suffer the same fate.

    </ok thats 10 cents now>

    Edit: Quoted the right post this time

  39. #39
    Join Date
    Jan 2002
    Location
    Boston
    Posts
    5,010
    I banned Yabb a few years back after 2 or 3 exploits in a month's time and since then I have learned that you just can not ban scripts but rather look for resolution to the problem and do your best to keep things updated.

    I email all outdated PHPBB scripts sites/resellers and give them 72 hours to update or the site is suspended (only forum portion) and it seems to work out much better and had many clients getting on the ball with the way things are updated and paying a little more attention to update etc. It also makes them realize that setting up any script even if you have fantastico installed does not mean you can simply install the script and never have to do any updating ever again.

    My job is to keep the server secure and running, my client's job if they choose to run a script on any site is to make sure it is updated as needed and I have no problem letting them know when that time comes if I have to.

    Hopefully we will see some improvements in v3, I really hope so but as far as I can see banning PHPbb is probably going to have a big effect on your customers if you go and ban it now.

  40. #40

    I agree

    Originally posted by OKI-Paul
    I banned Yabb a few years back after 2 or 3 exploits in a month's time and since then I have learned that you just can not ban scripts but rather look for resolution to the problem and do your best to keep things updated.

    I email all outdated PHPBB scripts sites/resellers and give them 72 hours to update or the site is suspended (only forum portion) and it seems to work out much better and had many clients getting on the ball with the way things are updated and paying a little more attention to update etc. It also makes them realize that setting up any script even if you have fantastico installed does not mean you can simply install the script and never have to do any updating ever again.

    My job is to keep the server secure and running, my client's job if they choose to run a script on any site is to make sure it is updated as needed and I have no problem letting them know when that time comes if I have to.

    Hopefully we will see some improvements in v3, I really hope so but as far as I can see banning PHPbb is probably going to have a big effect on your customers if you go and ban it now.
    I totally agree with OKI.

    Although banning would be the easiest solution to a lot of problems it is still overkill and not necessary. Like OKI said make sure you stay on top of your clients (I know this is not fun having to watch over clients like children) to make sure they wipe their behinds good.

    You banning phpbb would be like the USA when it bombed Hiroshima. It was easier for the USA to do so but it was wrong and overkill. Went against all morals and it is frowned upon even by Americans. Don't make a rash decision just because something is easier one way.

    Take the hard road and make sure to stay on top of things with your clients and be more involved. Don't be a host that sits back taking money but not adding any valuable support involvement.

    Sorry for the rant but it seems that hosts are willing to sit back and take on clients but not allow them to install software just because it has some bugs. They could just as easily help make it better or their own version (phpbb is open source).
