Blog
Archive for the ‘Development’ Category
Attachment Headaches with the Internet Explorer
Recently we got many bug reports about problems with the IE8 beta browsers. The problem is that we cannot accommodate beta browsers in our software: the next beta will break our adjustments. But why have we chosen to include some other IE8 features? The answer is simple: security.
This post will give you insights into one of the more obscure security implications of file uploads.
Londonvasion Re-Cap - phpBB Ascraeus
Hi,
I think it is time to write about the presentations we (the developers) gave at Londonvasion revealing the planned features in the upcoming version of phpBB - codenamed Ascraeus.
Please do not take anything mentioned within this blog post as guaranteed. There may be changes, some things may not evolve at all, some may be changed completely. But yeah, this is the current state of planning.
The phpBB Code Wiki - How you can help
If you have not yet read the phpBB Wiki Announcement or have not followed the discussion topic, I would encourage you to do so and take a look at the new development wiki:
http://wiki.phpbb.com
What is a Wiki and what can I do with it?
A Wiki is a type of website that allows the users and visitors to add, remove, and edit the available content. The wiki is for anyone who is interested in working with the phpBB Codebase: website administrators who want to integrate phpBB into their site or create a quick script, bridge or application developers who want to connect phpBB with their application, and MOD Authors. It is for those who want to learn more about the phpBB Codebase or simply have a question about how to do something or how something works within phpBB.
The wiki is also a great way to learn about how to begin programming in PHP/phpBB and developing a MOD.
CAPTCHAs in phpBB
CAPTCHAs (“Completely Automated Public Turing tests to tell Computers and Humans Apart”) are known as the foremost means to stop registrations by SPAM programs, so-called “Bots”. In phpBB, a visual confirmation CAPTCHA is used.
The key here is the “Completely Automated” part, meaning that the software - phpBB - creates the question and the correct answer without interaction by a user. This has the drawback that computers are usually able to find the answer as well, given time to adjust. This is an active field in research. In the end it is an arms race. A new CAPTCHA will usually buy a few months of peace, before the major Bot vendors adjust their products.
This article is about presenting some reasons behind our CAPTCHAs; it is not intended to be a case for or against CAPTCHAs in general or particular. It is not about other means to combat SPAM, but only about CAPTCHAs.
The Changing Demographics of Open Source Software
When I was more active in the support forums, it seemed like phpBB users were primarily made up of teenagers looking to set up their first dynamic website on Lycos or other free hosts — there were even knowledge base articles on how to make phpBB2 work on those hosts.
I had thought of OSS projects as the domain of teenagers and college students, a hobby people give up for full-time jobs later in life. So I was a bit surprised when I asked NeoThermic, keeper of all statistics and Support Team Leader, the average age of a phpBB Team member. It is about 28.4 years (with a very large standard deviation of eleven and three quarters). This could be due to a relatively low churn rate: many team members have been with us for many years.
But, it seems to me that phpBB’s audience is aging as well. It is less common to see someone trying to set phpBB up on a free web host.
I’m not saying this is a good or a bad phenomenon. I do think a board is better off when it is operated by a dedicated administrator with resources at his or her disposal. Resources pay for high quality hosting, for instance.
However, I’m not sure this is unique to phpBB. Many of the contributors to other large OSS projects like phpMyAdmin have been doing so for many years. But I’m curious whether anyone else has noticed the maturing of the people who contribute to open source projects.
I believe that Joomla! has noticed, because they are recruiting students. Google has done the same, with their Summer of Code the past several years.
Templating just got easier
One of the advantages of a face-to-face meeting is that feature requests and feature discussion can be much more effective; at least if it is about minor window dressing as opposed to huge changes. To curb the wave of requests right here: you should have been there, the opportunity has passed. People watching the SVN repository may know already: there were some major changes in the past two weeks. A lot is moving right now in the active branches, but that’s for future posts.
Today it is a great pleasure for us to unveil a new feature for the 3.0 branch, to be released with 3.0.3: Template Inheritance.
Things we took from London
Londonvasion was the first ever in much more than one sense. For the first time:
- people from all over the world and with different backgrounds assembled to talk about our baby - phpBB.
- a large part of the phpBB group assembled in one room.
- almost the entire development team met face to face.
So what did we take from London?
Lots of feedback from the people who use phpBB. Noth gave a heart-warming presentation about it working, and Andy Miller presented his plans around phpBB. We heard a lot about the tiny things that the community finds irritating, illogical or just not working as they should. It was fascinating to have members from both the Joomla! and Drupal communities adding their respective viewpoints.
What will we do with it?
Well, we sat down, debated things, designed features, came up with solutions, considered scalability - in short the things that are only possible with the developers assembled in one room.
What will be the result?
Well, there will be code. There will be improvements to existing features and other new features which people asked for to solve various problems they were encountering.
Thanks to all the people who gave us feedback, wishes and participated in the very fruitful discussions.
“Exploits from the crypt – let’s put them back”
Yes, it is no secret that phpBB’s reputation regarding security has not yet recovered completely. We take every report about possible vulnerabilities seriously and are deeply grateful for reports on our security tracker. We give full credit for all undisclosed valid reports made on our trackers.
Even if one is not sure about what happened, the nice guys from the Incident Investigation Team will help you figure it out. If in doubt: report.
The things floating on the web and frequently washing up in our tracker are usually not valid, however. Ready for the fun? Here comes the first installment of “Exploits from the crypt”:
