
05-12-2006, 12:37 PM
Big fan of RajiniKanth
|
|
Join Date: Sep 2004
Location: Chennai , India
Posts: 3,928
|
|
|
PHPBB Well secure
I just wanted to post this down, because many think that PHPBB is not secure.
The most secure more board is phpbb and next is only VB (for now); pre it was hacked because of a hole by which an unknown person can access the DB as well as some important files in server.
The reason was the file was CHMOD to 777 ( that is giving all permissions to do ), that is why many geeks say that it is not often secure to CHMOD.
Next I saw a lot of threads stating that PHPBB V2.0 was released back in 2002, but there is no update still now; the next version, PHPBB3.0, is soon to be released and it will match the features of IPB2.0 and VB 3.0.
Why did they not release yet??
The answer is simple: when the board was hacked, the only intention of the team was to make the board much secure, and it is now as they did.
If they had released, people using their board may be under a difficult situation where either to lose the current board with (no secure + lot of hacks + templates) to an unknown version with different coding styles.
So the PHPBB team is making the V2.0 well secure and they would release the ver3.0 soon.
So my final thoughts: please do not say PHPBB is not secure anymore.
Regards.
|

05-12-2006, 12:43 PM
Web Hosting Master
|
|
Join Date: Sep 2002
Location: Somewhere
Posts: 2,978
|
|
I know ub3r absolutely hates PHPbb and I bet you $5 he will post in this thread.
__________________
Jean-Pierre Abboud
Account manager / Gotekky / We're on Twitter
Toll free: 1.888.915.4400 / Local: 1.514.316.1885
Virtual servers (VPS), dedicated servers and server management
|

05-12-2006, 01:05 PM
Web Hosting Master
|
|
Join Date: Jul 2004
Location: Vancouver, Canada
Posts: 555
|
|
Quote:
|
Originally Posted by J-P
I know ub3r absolutely hates PHPbb and I bet you $5 he will post in this thread.
|
care to make it 10$?
|

05-12-2006, 01:11 PM
Big fan of RajiniKanth
|
|
Join Date: Sep 2004
Location: Chennai , India
Posts: 3,928
|
|
Quote:
|
Originally Posted by johnathans
care to make it 10$?
|
Who is he? I am a big fan of PHPBB and let's see who wins.
|

05-12-2006, 01:14 PM
Web Hosting Master
|
|
Join Date: Jul 2004
Location: Vancouver, Canada
Posts: 555
|
|
ub3r would be one mike bailey (I believe); his blog's at http://imikey.com
|

05-12-2006, 03:28 PM
|
|
|
AFAIK, OCbb is something towards so long expected PHPBB v3.
As for the PHPBB security, there are secured PHPBB-based forum scripts, such as CBack's Orion and PHPBBXS (which is an abbreviation for "PHPBB Xtreme Security"). I have heard there are several mods for adding security to "conventional" PHPBB.
Also, there is one simple yet useful trick: removing the mark that shows what PHPBB version is running from the bottom of the page. 
|

05-12-2006, 03:46 PM
|
|
|
Versioning has been removed from the footer for several versions now. It is completely secure as long as you apply scheduled updates. IMO ocbb is just another knock off project, Olympus once stable will be quite comparable to VB. While the stable project release keeps getting pushed back, it has been making significant progress lately.
|

05-12-2006, 05:07 PM
|
|
|
Quote:
|
The reason was the file was CHMOD to 777 ( that is giving all permissions to do ), that is why many geeks say that it is not often secure to CHMOD.
|
It being chmod 777 has nothing to do with the problem.
1) Attacker isn't going to be able to see the file if they just go to yoursite.com/yourforum/config.php, they're not going to see it. Why? Because it's just a php file, which declares variables, and no variables are echoed to the browser.
2) The only way you are going to see config.php is if you exploit another part of the website. It could be your CMS, it could be another part of phpBB. phpBB must have access to the config.php file in order to function. Every time you access a page, config.php is looked at, and then mysql connections are made based on the data in config.php. phpBB must have access to config.php. The only way to prevent John Q. Public from accessing config.php is to chmod it to 000, but if you do that then phpBB won't function.
3) Chmod 777 only gives read/write/execute access to other users on the system. Depending on apache configuration, you're probably going to be running as the "nobody" user. If a script is exploited, then that exploit is being carried out by the nobody user. While it is a good idea to chmod from 777 to 755, to prevent nobody from writing to config.php, he's still going to be able to read, and execute it. Again, you're not giving the internet access to config.php.
4) My last point did not cover systems that run phpsuexec instead of mod_php. If you run phpsuexec, then scripts aren't being executed by nobody. They are executed by the website's account on the server. So, chmod 777 won't change anything. Actually, I think phpsuexec requires chmod 755 instead of 777, or it throws back an internal server error.
But chmod 777.. That only gives the attacker access to read/write/execute access to config.php. If you chmod it to 755, they can still read it. 644, phpbb stops functioning, because nobody can't execute it.. I think.
Quote:
|
It is completely secure as long as you apply scheduled updates.
|
That's some great Microsoft logic there. If no patch exists, there is no hole.
|
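The permission modes discussed in the post above, as an added example that is not part of the thread or of phpBB: a POSIX shell script that decodes what an octal mode grants each class and lists files under a forum directory that any local account can write or read. The directory and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. File names are constructed samples.

# Print the rwx access an octal mode grants to owner, group or other.
class_access() {
    bits=$(( 0$1 ))
    case $2 in
        owner) d=$(( (bits >> 6) & 7 )) ;;
        group) d=$(( (bits >> 3) & 7 )) ;;
        other) d=$(( bits & 7 )) ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    r=-; w=-; x=-
    if [ $(( d & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( d & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( d & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# List regular files under $1 that every local account may modify.
world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# List regular files under $1 that every local account may read.
world_readable() {
    find "$1" -type f -perm -0004 -print | sort
}

# Constructed forum directory: config.php left at 777, then tightened to 755.
demo() {
    dir=$(mktemp -d)
    touch "$dir/config.php" "$dir/index.php"
    chmod 644 "$dir/index.php"
    chmod 777 "$dir/config.php"
    echo "writable by any user at 777:"; world_writable "$dir"
    chmod 755 "$dir/config.php"
    echo "writable by any user at 755:"; world_writable "$dir"
    echo "still readable by any user:";  world_readable "$dir"
    rm -rf "$dir"
}

for m in 777 755 644 000; do
    echo "$m other=$(class_access "$m" other)"
done
demo
```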

05-12-2006, 05:12 PM
|
|
|
well no software is 100% secure, all software requires patching/updating.
that's not Microsoft logic, it's computer science.
|

05-12-2006, 05:40 PM
|
|
|
Quote:
|
well no software is 100% secure, all software requires patching/updating.
|
Here's my software:
PHP Code:
<?php echo "hello"; ?>
Exploit it.
|

05-12-2006, 05:42 PM
Web Hosting Master
|
|
Join Date: Aug 2003
Location: St. Louis, Missouri
Posts: 1,776
|
|
Nobody wants to exploit a code that's useless.
I find myBB to be more secure than phpBB as far as free discussion forums go.
|

05-12-2006, 05:43 PM
|
|
|
Quote:
|
Originally Posted by WHTer
Nobody wants to exploit a code that's useless.
|
I will give you $8 if you can exploit my code.
|

05-12-2006, 05:45 PM
Web Hosting Master
|
|
Join Date: Aug 2003
Location: St. Louis, Missouri
Posts: 1,776
|
|
There's nothing to exploit. It does nothing but display text. There's no function to it.
|

05-12-2006, 05:48 PM
|
|
|
There's no function? Okay.
PHP Code:
<?php function hello() { echo "hello"; }
hello(); ?>
There's the function. Exploit it.
|

05-12-2006, 05:56 PM
Web Hosting Master
|
|
Join Date: Aug 2003
Location: St. Louis, Missouri
Posts: 1,776
|
|
Oh, sorry I don't know php.
|