phpBB is continuing its process of opening up development. After an internal trial phase we have now opened up the Junior Developer Team to regular members of our community. An increasing number of people involved in phpBB development should both speed up development and improve quality.
Posts Tagged ‘Development’
phpBB 3.0.6 plans
Here we are. phpBB 3.0.5 has been released and work on phpBB 3.0.6 has begun. Previously, we concentrated on fixing bugs and only introduced tiny new features. This time, phpBB 3.0.6 will be a “feature” release, packed with numerous new, cool, stunning, breath-taking… err, just new features.
We will now tell you which new features are planned for 3.0.6 and what style authors and modders need to take care of.
Tutorial: Injection Vulnerability Prevention
Notice
Some websites have claimed this article discloses an “injection vulnerability” in phpBB. It does not. What this post actually does is provide an overview of vulnerabilities commonly introduced by third-party modifications to phpBB and discusses what the authors of said modifications need to do to protect their code against attack.
Despite being among the easiest vulnerabilities to understand, injection vulnerabilities are also among the most common. For most users, they will simply manifest as an error when certain characters are used, but a sufficiently adept user may be able to take that error and exploit it to their advantage.
To prevent this from happening, one needs to properly sanitize all user-definable variables. Unfortunately, the way one properly sanitizes a variable depends on where it is being used. In this post, we’ll discuss how to sanitize variables for use in SQL queries and in HTML, both in general and in phpBB3, and what can happen if proper sanitization isn’t used.
Fighting CSRF
Cross-Site Request Forgery (CSRF for short) is a type of vulnerability that is getting more and more attention. The concept can be summarised as “tricking the browser into automatically performing some action using the user’s privileges”. Let’s see what phpBB does about it.
Londonvasion Re-Cap – phpBB Ascraeus
Hi,
I think it is time to write about the presentations we (the developers) gave at Londonvasion revealing the planned features in the upcoming version of phpBB – codenamed Ascraeus.
Please do not take anything mentioned within this blog post as guaranteed. There may be changes, some things may not evolve at all, some may be changed completely. But yeah, this is the current state of planning.
“Exploits from the crypt – let’s put them back”
Yes, it is no secret that phpBB’s reputation regarding security has not yet recovered completely. We take every report about possible vulnerabilities seriously and are deeply grateful for reports on our security tracker. We give full credit for all undisclosed valid reports made on our trackers.
Even if one is not sure about what happened, the nice guys from the Incident Investigation Team will help you figure it out. If in doubt: report.
The things floating on the web and frequently washing up in our tracker are usually not valid, however. Ready for the fun? Here comes the first installment of “Exploits from the crypt”: