Why isn't security taken seriously by the PHPBB team?

anlar
Registered User
Posts: 6
Joined: Sun May 18, 2003 3:36 pm

Why isn't security taken seriously by the PHPBB team?

Post by anlar » Sat May 08, 2004 9:37 pm

I am just wondering why we have to resort to 3rd party patches for the found vulnerabilities. Why is the phpbb team not answering the reports or fixing the found problems?

Then the phpbb team dares to whine "thanks for not telling us before posting to bugtraq" when they have first ignored the issues for a couple of months.

Really. At least I would like a real, thoughtful statement and a policy from the team, one that they will really comply with.

And yes, fix some of the known and suspected problems while at it. :D

imagedude
Registered User
Posts: 296
Joined: Wed Sep 25, 2002 10:28 pm
Location: /home/kai
Name: Kai Ponte
Contact:

Post by imagedude » Sat May 08, 2004 9:52 pm

I may seem a bit naive here, but what exactly are you referring to? Can you provide some examples of where they didn't respond? Can you provide examples of where we were forced to use a 3rd party patch? I haven't seen any of this yet.

Remember, security testing and patching is one of the most difficult portions of software development. As an example, my company has a security model in place which seems to have been working for many years. We've tested it extensively, upgraded it as needed and integrated as many hardware and/or address restrictions as possible (including MAC addresses and LTERM information)...

...on Thursday, I found a major hole. I was doing work on one of our apps and ran across a procedural sequence we had never encountered. Suddenly the test user login I was utilizing (a low-level user) was able to create system admins. (Oops!) Of course I was doing the work on our development servers so there was no harm done, but I immediately sent off the warning to our systems development team, who had been given the responsibility to maintain the security apparatus.

Darth Wong
Registered User
Posts: 2398
Joined: Wed Jul 03, 2002 5:20 am
Location: Toronto, Canada
Contact:

Post by Darth Wong » Sat May 08, 2004 10:27 pm

Please name the 3rd party patches which are required to secure phpBB. I'm curious.
Not a three-foot tall green gnome in real-life: My home page.
My wretched hive of scum and villainy: http://bbs.stardestroyer.net/

ThE-UnknowN
Registered User
Posts: 148
Joined: Wed Oct 10, 2001 8:23 am
Location: In your Computer
Contact:

Post by ThE-UnknowN » Sat May 08, 2004 10:30 pm

Darth Wong wrote: Please name the 3rd party patches which are required to secure phpBB. I'm curious.
So am I, actually.
http://www.chatvenue.com is finally taking shape.

jasonla
Registered User
Posts: 87
Joined: Tue May 21, 2002 11:13 pm
Location: Santa Barbara, California, USA

Post by jasonla » Sat May 08, 2004 11:24 pm

Yeah... an example of one of these security patches from 3rd parties would be interesting.

da_badtz_one
Registered User
Posts: 376
Joined: Thu Jan 29, 2004 8:25 pm

Post by da_badtz_one » Sat May 08, 2004 11:28 pm

Yeah me too...

Pezzoni
Registered User
Posts: 706
Joined: Sat Nov 16, 2002 8:25 pm
Contact:

Post by Pezzoni » Sun May 09, 2004 3:06 pm

I'll join the party too ;)

Dan

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Sun May 09, 2004 4:50 pm

I say we wait and see if Anlar's bluff was called successfully.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

Darkness22k
Registered User
Posts: 21
Joined: Fri Apr 11, 2003 3:01 am
Location: Seattle, Washington
Contact:

Post by Darkness22k » Sun May 09, 2004 5:44 pm

I know of 1 on bugtraq posted a few weeks ago, I believe. It hasn't been fixed (no news about it at least)

http://securityfocus.com/bid/10170
-Darkness22k

imagedude
Registered User
Posts: 296
Joined: Wed Sep 25, 2002 10:28 pm
Location: /home/kai
Name: Kai Ponte
Contact:

Post by imagedude » Sun May 09, 2004 7:56 pm

Oh, wait - stop the presses - someone who can spoof an IP may be able to fool PHPbb? Oh no! That's way too insecure for me.

From now on, I'm gonna put my PHPbb system on a stand-alone computer with no network address no floppy and no modem. People who want to post messages will need to physically come by and do so.

There that should do it.

Hmm, maybe I should see if NetBIOS is more secure - it's routable, right?

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Sun May 09, 2004 8:14 pm

Darkness22k wrote: I know of 1 on bugtraq posted a few weeks ago, I believe. It hasn't been fixed (no news about it at least)

http://securityfocus.com/bid/10170

Watching CVS of any project you are involved with to any degree is really a good idea. Why do I say that? Because look at this commit:
Update of /cvsroot/phpbb/phpBB2
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12362

Modified Files:
Tag: phpBB-2_0_0
common.php
Log Message:
Various changes to further combat the idiots and dickheads out there using daddy's computer

Index: common.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/common.php,v
retrieving revision 1.74.2.10
retrieving revision 1.74.2.11
diff -C2 -r1.74.2.10 -r1.74.2.11
*** common.php 4 Jun 2003 17:41:39 -0000 1.74.2.10
--- common.php 21 Apr 2004 12:18:02 -0000 1.74.2.11
***************
*** 9,13 ****
* $Id$
*
- *
***************************************************************************/

--- 9,12 ----
***************
*** 26,32 ****
--- 25,66 ----
}

+ //
+ function unset_vars(&$var)
+ {
+ while (list($var_name, $null) = @each($var))
+ {
+ unset($GLOBALS[$var_name]);
+ }
+ return;
+ }
+
+ //
error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

+ $ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';
+
+ // Unset globally registered vars - PHP5 ... hhmmm
+ if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
+ {
+ $var_prefix = (phpversion() >= '4.3.0') ? '' : 'HTTP';
+ $var_suffix = (phpversion() >= '4.3.0') ? '' : '_VARS';
+
+ if(is_array(${$var_prefix . '_GET' . $var_suffix}))
+ {
+ unset_vars(${$var_prefix . '_GET' . $var_suffix});
+ }
+
+ if(is_array(${$var_prefix . '_POST' . $var_suffix}))
+ {
+ unset_vars(${$var_prefix . '_POST' . $var_suffix});
+ }
+
+ if(is_array(${$var_prefix . '_COOKIE' . $var_suffix}))
+ {
+ unset_vars(${$var_prefix . '_COOKIE' . $var_suffix});
+ }
+ }
+
//
// addslashes to vars if magic_quotes_gpc is off
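Review bot: the unset_vars() loop added at the top of this hunk depends on each() starting at the first element of the array passed by reference, and each() advances the internal pointer without resetting it, so a reset($var) before the while would make the cleanup robust against anything that iterated $HTTP_GET_VARS (or the others) earlier. Two smaller points in the register_globals block: the phpversion() >= '4.3.0' tests are string comparisons, which order single-digit version components correctly but would misclassify a version such as 4.10.0, so a version_compare() call (or at least a comment noting the assumption) is preferable; and the cleanup walks only GET, POST and COOKIE, while register_globals also registers uploaded-file entries as globals, so the list of arrays is worth extending. Since the whole block is a guard around a PHP setting the code cannot control, a one-line comment stating that phpBB never relies on registered globals and that every variable must be initialised before use would document the intent better than "PHP5 ... hhmmm".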
***************
*** 107,110 ****
--- 141,145 ----
$images = array();
$lang = array();
+ $nav_links = array();
$gen_simple_header = FALSE;
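Review bot: initialising $nav_links here, beside $images and $lang, is the right fix for an array that is only filled later by assignment; without it, a register_globals installation could have the array pre-seeded from the request before the rest of common.php runs. A short comment marking these explicit initialisations as a register_globals guard would keep a future cleanup from deleting the line as redundant.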

***************
*** 127,156 ****
// Obtain and encode users IP
//
! if( getenv('HTTP_X_FORWARDED_FOR') != '' )
! {
! $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
!
! $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
! reset($entries);
! while (list(, $entry) = each($entries))
! {
! $entry = trim($entry);
! if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
! {
! $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
! $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
!
! if ($client_ip != $found_ip)
! {
! $client_ip = $found_ip;
! break;
! }
! }
! }
! }
! else
! {
! $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
! }
$user_ip = encode_ip($client_ip);

--- 162,171 ----
// Obtain and encode users IP
//
! // I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
! // private range IP's appearing instead of the guilty routable IP, tough, don't
! // even bother complaining ... go scream and shout at the idiots out there who feel
! // "clever" is doing harm rather than good ... karma is a great thing ...
! //
! $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
$user_ip = encode_ip($client_ip);
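Review bot: removing the HTTP_X_FORWARDED_FOR branch is the correct fix, since that header is supplied by the client and the old code took the first entry not matching the private-range list as the user's address, which let a visitor choose the IP that gets logged and banned; the old private-range list was also incomplete (only 127.0.0.1 rather than all of 127/8, and nothing for 169.254/16), but that is moot once the branch goes. The replacement comment, though, should be a plain rationale rather than "tough, don't even bother complaining": sites behind a reverse proxy will now see the proxy's address for every user, and that is best handled by an explicit, off-by-default admin option that names the trusted proxy, not by re-reading the header. Finally, the remaining single-line assignment still falls back to the bare global $REMOTE_ADDR, which is exactly the kind of registered global the new unset_vars() block exists to clear; dropping that last fallback, or reading only $HTTP_SERVER_VARS and $HTTP_ENV_VARS, would make the intent consistent.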
Now, please do not make me regret leaving this unlocked. Otherwise the consequences will be quite severe.

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Sun May 09, 2004 8:56 pm

So that issue has been addressed, but it has not been released yet?
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator » Sun May 09, 2004 9:49 pm

I am thinking that it has not been released because it is not a huge security issue. Maybe I am not thinking right, but if someone wants to keep their IP secret there are other ways.

kamahl
Registered User
Posts: 328
Joined: Sat Jan 04, 2003 4:38 pm
Location: Ogden, Utah

Post by kamahl » Sun May 09, 2004 10:25 pm

Which is probably the topic creator's point. It's nothing too major, so it can wait...but that means phpBB isn't too major on security? The way I look at it....you already get much more than what you pay for.
My point exactly. :)
[ The 10 Count Forums Powered by phpBB3.0 | 400 Wrestling Avatars ]

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Sun May 09, 2004 10:36 pm

CLee wrote: So that issue has been addressed, but it has not been released yet?
Perhaps they are working on other bug fixes and so on before releasing an update?
