The Community Forums


PHPBB security issues

Discussion in 'Security' started by Wallaby, May 1, 2006.

  1. Wallaby

    Wallaby Well-Known Member

    Joined:
    Aug 15, 2001
    Messages:
    131
    Likes Received:
    1
    Trophy Points:
    18
    Hi all,

    Like many we have been affected on more than one occasion by security issues with PHPBB. It appears that even when the application is "known" to WHM and we assiduously keep all instances up to date, security compromises still occur. In addition there's the problem of locating and updating instances of PHPBB that have not been installed through CPanel. It's a real pain in the whatever.

    I'm at the "enough is enough" point with this application, so we are planning to discontinue support for PHPBB, take it out of the list of installable scripts on our servers, and instruct all customers to remove it from their accounts. I have a few queries:

    1. Has anyone else done the same, and how much customer aggro did you get?

    2. Is there any secure forum script/app which can import an existing PHPBB forum somehow?

    3. Is there an easy way to discover all instances of PHPBB on a server, whether installed through CPanel or not?

    Tks in advance.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Sounds like a very good idea, phpBB seems to be as leaky as a sieve.

    I can help with 3.:
    http://www.cplicensing.net/files/scripts/chkphpbbver

    Set:

    $current_version = '20';

    Or higher to catch all installs.

    With 2., you might want to look at SMF (http://www.simplemachines.org/). I just checked their forums and you can import phpBB2 into SMF, though it's not something I've personally played with.

    As for 1., well, it's in their interests that the server stays secure too - it's usually about finding ways to sell an idea to clients, rather than making them feel it's an imposition.
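    For question 3., an added example (not chirpy's chkphpbbver script and not part of the original post) that inventories phpBB installs under a document-root tree by file fingerprint, so copies not installed through cPanel are found as well. It assumes a phpBB config.php containing PHPBB_INSTALLED beside viewtopic.php and posting.php, and uses GNU stat to report the owning account.

```shell
#!/bin/sh
# Added example: find every phpBB install below a directory tree, regardless of how
# it was installed. Fingerprint (assumption): a config.php that defines PHPBB_INSTALLED
# sitting next to viewtopic.php and posting.php. Output: directory, owner, table prefix.

find_phpbb_installs() {
    root=${1:-/home}
    # Every config.php is a candidate; most are not phpBB, so filter below.
    find "$root" -type f -name config.php 2>/dev/null | while IFS= read -r cfg; do
        dir=$(dirname "$cfg")
        grep -q 'PHPBB_INSTALLED' "$cfg" || continue
        [ -f "$dir/viewtopic.php" ] && [ -f "$dir/posting.php" ] || continue
        # Table prefix from $table_prefix = 'phpbb_'; helps when several boards share a DB.
        prefix=$(sed -n "s/^[\$]table_prefix *= *'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
        # Owning account, so the customer can be told which board to remove or upgrade.
        owner=$(stat -c %U "$dir" 2>/dev/null || echo '?')   # GNU stat; assumption
        printf '%s\t%s\t%s\n' "$dir" "$owner" "${prefix:-?}"
    done
}

# Number of installs found under a root; handy for a before/after check.
count_phpbb_installs() { find_phpbb_installs "$1" | wc -l | tr -d ' '; }

# Usage: sh find_phpbb.sh /home  (prints one line per board found)
if [ "${1:-}" != "" ]; then find_phpbb_installs "$1"; fi
```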
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    As far as SMF goes, it is not any better than PhpBB. Some of our clients had serious security issues with SMF. YaBB is another forum to stay away from. It is terrible, security-wise.
     
    #3 AndyReed, May 1, 2006
    Last edited: May 1, 2006
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Yes and had zero complaints. Actually had thank yous instead for showing a better solution.
    SMF & Vbulletin are both fine forums with importers. I've converted many without a problem.

    Andy... :eek:
     
  5. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    16
    I use SMF on one site which used phpBB before. So far so good.

    How to import phpBB to SMF? Well, there is a converter, but for SMF ver 1.0.x. So first you have to install 1.0.x SMF, import phpBB and then upgrade to SMF 1.1, which is great.

    One option that I like in SMF - if there is security update it's displayed in admin section and you can apply patch from there with two clicks.


    Andy - can you describe those security problems with SMF? I searched a bit and found only few reports about hacked SMF.
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I hate to bust everyone's bubble but I know more ways to hack SMF than phpBB!

    Lately we have been playing around with MyBB (www.mybboard.net) and have had reasonably good success and it is a lot more configurable security-wise than either phpBB2 or SMF as well as having more pre-installed features.

    The first thing we do with any program at my office is rip it apart and read every line of code and see how it works and what needs to be re-written for better security. Overall, MyBB has shown to be the most promising security-wise. However, just as I say that, there is a new security advisory just released for MyBB on Secunia, but it's a minor issue by comparison to what you find in the other forum programs -- MyBB just forgot to sanitize some variables in one particular file ... easy fix.

    My only major concern for MyBB is in the distinct lack of converters to and from other boards and MyBB, which is something that could hold it back despite generally better security-minded code writing.

    Back on phpBB2, since most all the known exploits are URL-based exploits, it's very easy to stop the hacking of phpBB2 boards with simple mod_security rules. If you like phpBB2, there's no reason to stop using it, but you should probably make some security tweaks to protect from hacking if you are using that one.

    As far as SMF goes, sorry, but I haven't found an easy universal global fix for all the wide open security problems for that one yet.

    For those thinking of making the jump to commercial forums and looking at IPB, I hate to be the sour puss and bearer of bad news, but IPB has way more problems than either phpBB2 or SMF. If you are going to look at commercial, I'd probably lean more with vBulletin.

    If you get down to the bottom line though, there are going to be security issues in any forum program you go with. The questions that remain are that of which program has the lowest number of problems and is quickest to release new fix updates when problems are detected?

    Hope this helps ....
     
    #6 Spiral, May 2, 2006
    Last edited: May 2, 2006
  7. Wallaby

    Wallaby Well-Known Member

    Joined:
    Aug 15, 2001
    Messages:
    131
    Likes Received:
    1
    Trophy Points:
    18
    Thanks everyone for the feedback and ideas. Looks like we're following a sensible course.

    I'm leaning towards recommending PHPBB users switch to VBulletin: how's that, security- and stability-wise? It does seem to be very popular with "serious" forum users. I know it's commercial, but you do sometimes get what you pay for!
     
  8. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    16
    I really don't know how you can prove this.

    I searched a bit, i.e. Secunia, which you mentioned, and found this

    http://secunia.com/product/5285/


    One maybe stupid but interesting argument...

    google results for:

    vbulletin hacked 1,000,000+
    phpbb hacked almost 2,000,000
    smf hacked 66,000



    I'd like to hear more about SMF sec problems. Please send me PM if you don't want to post this public.
     
  9. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    And what would be the realistic proportion of usage for all of those?

    I would say

    80% phpbb
    10% vbulletin
    and the rest of the forum softwares are the other 10%

    So I guess it's all very relative, isn't it?
     
  10. MarcoH64

    MarcoH64 Member

    Joined:
    Oct 4, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Thailand
    cPanel Access Level:
    Root Administrator
    That is not a very reliable statistic. You have found Google-indexed pages that contain 1 or more of the words "SoftwareName hacked". This could contain both pages that contain "SoftwareName can not be hacked" and "SoftwareName can be hacked", as well as all other combinations or meanings, like:
    - Hacked can also mean that there is a pirated copy of the software mentioned, i.e. no security risk for a legit user.
    - Hacked is in some communities also used as "modified". Any change or addon to the standard software is considered a "hack".

    The only thing that you should investigate is:
    - How often are security issues reported?
    - How serious are they?
    - How many sites are affected?
    - How fast are security vulnerabilities repaired?
     
  11. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    16
    As I said in my post, this was a stupid argument :)


    Also, have you taken a look at Secunia and some other security sites? Did you use their search with the string SMF or simple machines? I've got about 3-4 results.

    The difference between the security issue and the patch was 2-3 weeks.
     
  12. xnull

    xnull Well-Known Member

    Joined:
    Sep 9, 2001
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    16
    I'm sorry, but you must not have taken a look at YaBB in the last year. It is by far one of the most secure forums out there, with new security tools and spam-fighting tools coming out all the time. YaBB used to be insecure, but so were all the other systems. Check out YaBB 2.1. I think there's a reason the cPanel developers created a YaBB installer addon for cPanel and have begun considering the phase-out of the phpBB installer ;)
     
  13. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    No, I didn't.

    Sounds great :) Thank you for the update. I'll definitely share your information with our clients.
     
  14. zenpig66

    zenpig66 Active Member

    Joined:
    Nov 16, 2002
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    It's like that new Mac commercial where the Mac guy is harping on the PC guy over all the viruses the PC needs to defend against. Reality is that no one writes viruses for OS's that no one uses.... I don't mean this as a Mac/PC war, but the truth is that if one wants to cause the most disruption one doesn't target a Mac because of its relative lack of use in the computing world. That point has already been stated in this thread I think, but this is just another way of putting it.

    I've played with SMF and don't find it any better than phpBB security-wise, and functionally they are pretty much on par. I can guarantee you, though, that when a phpBB security alert comes out all the other developers are rushing to see if they are vulnerable to the same... many of these boards, including vBulletin, are actually very similar in many areas. There have been quite a few times lately where there has been the misconception that a security issue only related to phpBB because of misinformed hype, or it was simply first utilized against the most popular board in use. Just saying that before one gets too down on phpBB that I'm actually surprised it can weather what I'm sure are constant probes and deconstructions into potential weaknesses.

    That's my mini-sorta-rant :)
     
  15. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Thanks a lot!
    But I have a question to ask: is there a way that you can edit the phpbb script and stop it installing the hacker's script into your /tmp?
    Because some phpbb scripts our clients installed might be integrated with other scripts and cannot be upgraded to a newer version easily.
     
  16. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    An easy thing to do (although it may cost you) is to get a server admin to lockdown your /tmp to prevent executing files from within.
     
  17. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    You mean chmod of /tmp?
     
  18. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    No, it's not as simple as a chmod of /tmp - if you do that you'll break the universe.

    Unfortunately for your clients' sake, they'll need to upgrade their phpBB, sorry, but there's just no other way long term. You could buy a little more time with mod_security, but you'll still need them to upgrade.
     
  19. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16