PHPBB security issues

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Locked
SpudDogg
Registered User
Posts: 22
Joined: Thu Mar 16, 2006 3:35 am

Post by SpudDogg »

I hear a lot of things about security issues with phpBB and even hear of some people changing over to other boards. Does anyone have any insight on this? Experiences?

Any help would be greatly appreciated.
Thanks!
Nephrus
Former Team Member
Posts: 1178
Joined: Sat Oct 19, 2002 4:05 am
Location: Vancouver, Canada

Post by Nephrus »

This happens because people do not update their board when new versions come out (and it happens regardless of what forum platform you're on) or they have a poorly configured webserver or untrustworthy admins.

Security issues are handled fairly quickly and if you are attacked, we do have many ways of getting you up and running and finding out what happened.
[ Zelda Planet - nephrus.net - phpBB Userguide - phpBB Knowledge Base - phpBB.com Forum Rules ]
ABSOLUTELY NO support via PM/IM/email or I'll get a cow to sit on you
SpudDogg
Registered User
Posts: 22
Joined: Thu Mar 16, 2006 3:35 am

Post by SpudDogg »

When you say "fairly quickly" do you mean within hours? Or days? I have been using phpBB for a long time and have never had an attack of any kind, and I really like the operation of the board. The real selling point for me is this community. I know you guys will take care of any problems, but remember, I have a board right now that is growing VERY quickly, and I don't even want this thing to go down for a few hours. Maybe I'm just being paranoid, but whatever.
Parish
Registered User
Posts: 1
Joined: Mon May 22, 2006 12:09 am

Post by Parish »

Nephrus wrote: This happens because people do not update their board when new versions come out (and it happens regardless of what forum platform you're on) or they have a poorly configured webserver or untrustworthy admins.

Security issues are handled fairly quickly and if you are attacked, we do have many ways of getting you up and running and finding out what happened.

So what will you say about the army of bots invading phpBB forums all over the world? These bots bypass CAPTCHA and can "click" activation links to register themselves. See memberlist http://www.phpbb.com/phpBB/memberlist.php
Users bdsmmm, PreveDMedveD, highlanderr (maybe more) are bots!
safe_reader
Registered User
Posts: 105
Joined: Sun Apr 10, 2005 11:10 am

Post by safe_reader »

I once got hacked by Turkish Hackers...

Another time (this is a familiar case), just about everyone who had a phpBB forum on IPowerWeb (a host provider) had their forums compromised and had to be trashed. This was due to a worm which actually got on the inside of their servers and affected the whole network. I remember this one in detail, 'cause if you look back you'll find 100-post threads on all moderators with IPowerWeb who were repeatedly told that the attacks were coming from the outside. Took the provider almost 2 weeks before they realized it was their own infected servers causing the problem!

Funny to bring this up, as they are having technical problems again as I write this...
Nephrus
Former Team Member
Posts: 1178
Joined: Sat Oct 19, 2002 4:05 am
Location: Vancouver, Canada

Post by Nephrus »

SpudDogg wrote: When you say "fairly quickly" do you mean within hours? Or days? I have been using phpBB for a long time and have never had an attack of any kind, and I really like the operation of the board. The real selling point for me is this community. I know you guys will take care of any problems, but remember, I have a board right now that is growing VERY quickly, and I don't even want this thing to go down for a few hours. Maybe I'm just being paranoid, but whatever.

Depends on how fast you bring it to phpBB's attention and the type of attack. You must also remember that this is a free service: we all have jobs, lives and other commitments. The phpBB group takes security as its top priority and will do its best to address every situation in a quick and efficient manner to get you back up and to make sure it is not replicated.

Parish wrote: So what will you say about the army of bots invading phpBB forums all over the world? These bots bypass CAPTCHA and can "click" activation links to register themselves. See memberlist http://www.phpbb.com/phpBB/memberlist.php
Users bdsmmm, PreveDMedveD, highlanderr (maybe more) are bots!

Bots don't hack forums. At most, bots are an annoyance and not a security threat.

safe_reader wrote: I once got hacked by Turkish Hackers...

Another time (this is a familiar case), just about everyone who had a phpBB forum on IPowerWeb (a host provider) had their forums compromised and had to be trashed. This was due to a worm which actually got on the inside of their servers and affected the whole network. I remember this one in detail, 'cause if you look back you'll find 100-post threads on all moderators with IPowerWeb who were repeatedly told that the attacks were coming from the outside. Took the provider almost 2 weeks before they realized it was their own infected servers causing the problem!

Funny to bring this up, as they are having technical problems again as I write this...

Hosts that have phpBB set up for users to register to create forums are not a standard phpBB product. If their server setup is not properly done or they are using an outdated version with outdated MODs, or whatever, there is a significantly increased risk of an attack.
dannymichel0101
Registered User
Posts: 24
Joined: Tue May 15, 2007 6:35 am

Re:

Post by dannymichel0101 »

Nephrus wrote: This happens because people do not update their board when new versions come out (and it happens regardless of what forum platform you're on) or they have a poorly configured webserver or untrustworthy admins.

Security issues are handled fairly quickly and if you are attacked, we do have many ways of getting you up and running and finding out what happened.

Honestly I've been a VBulletin user for many years now. I was THIS CLOSE to switching to PHPBB recently.
A friend of mine told me that PHPBB was THE MOST unsecure forum software out there.
I did some research on this and A LOT of people seemed to confirm this.
I really just don't know.
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Re:

Post by karlsemple »

dannymichel0101 wrote:
Nephrus wrote: This happens because people do not update their board when new versions come out (and it happens regardless of what forum platform you're on) or they have a poorly configured webserver or untrustworthy admins.

Security issues are handled fairly quickly and if you are attacked, we do have many ways of getting you up and running and finding out what happened.

Honestly I've been a VBulletin user for many years now. I was THIS CLOSE to switching to PHPBB recently.
A friend of mine told me that PHPBB was THE MOST unsecure forum software out there.
I did some research on this and A LOT of people seemed to confirm this.
I really just don't know.

Again, this is down to people who do not know what they are doing not updating correctly or installing out-of-date, insecure mods to the forum. As part of the Incident Investigation Team I see so many people reporting hacked boards which they claim are up to date; upon investigation, however, it turns out they are not. As stated earlier, phpBB is as secure as, if not more secure than, other forum software; security patches are released extremely quickly if they are needed.

Another issue which is often a problem is the amount of lazy people who use Fantastico, which is part of their hosting package, to install phpBB; this horrid tool often installs damaged or partially out-of-date software, which often leads to security issues.

The bottom line with phpBB is: if you keep up to date, do not install any dodgy mods and install as per the instructions on this site (no Fantastico or port install), you will be as secure as you possibly can be.