phpBB 2.0.15

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Magnotta
Former Team Member
Posts: 1093
Joined: Fri Oct 17, 2003 4:16 am
Location: Ontario

Post by Magnotta »

psoTFX wrote: How does reauthentication work to improve security? One phrase: "auto-login". By its very nature it's inherently insecure (however the key is generated ...). If you log on to a "public" machine and without realising it hit autologin, a subsequent user of that machine may be able to gain access as you. If you're an admin, oopsie. By requiring re-authentication we "help" to reduce this risk somewhat. Now that person will also need your plain text password ...

It's not the be all and end all of securing auto-login. Indeed it remains a very basic (and common to all such systems on all boards) weak point. But it does add an additional layer of security.


Wouldn't a better solution then be making a separate admin panel password that needs to be entered in order to gain entry? Sort of like using an .htaccess file, but with the name and password entered during the admin login page so people on all servers could use it. At the install then, for instance, the board admin would input their own login password, and a separate password required to enter the admin panel, which could be kept in config.php. Then, whenever the admin makes a user an admin, they have to be told the password by the admin before they can enter the admin panel. I think that would make things a bit more secure, just in case the hacker gained access by knowing the admin's password, in which case the hacker would have to just re-type to gain access, or if a hacker managed to somehow run a script making themselves an admin, well, they still couldn't get access until they learned the admin panel password.

ATNO/TW
Registered User
Posts: 121
Joined: Sun May 09, 2004 10:42 pm
Location: Pittsburgh, PA

Post by ATNO/TW »

I completely appreciate the updates and although my board is modified primarily with my own customized scripts, files and templates, I have very little difficulty following these changes. This upgrade took, less than a half hour to download, review all files, modify one of them, backup existing files and database, and only about 3 minutes to upload and upgrade.

In my opinion, the phpBB group does not only a great job of staying on top of the issues and providing the updates when necessary but also of making them easy to do.

Kudos phpBB group!

wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber

Post by wGEric »

Magnotta wrote: Wouldn't a better solution then be making a separate admin panel password that needs to be entered in order to gain entry? Sort of like using an .htaccess file, but with the name and password entered during the admin login page so people on all servers could use it. At the install then, for instance, the board admin would input their own login password, and a separate password required to enter the admin panel, which could be kept in config.php. Then, whenever the admin makes a user an admin, they have to be told the password by the admin before they can enter the admin panel. I think that would make things a bit more secure, just in case the hacker gained access by knowing the admin's password, in which case the hacker would have to just re-type to gain access, or if a hacker managed to somehow run a script making themselves an admin, well, they still couldn't get access until they learned the admin panel password.


It isn't as secure if you have one password that all administrators are using. If a hacker figures out that password, all he would have to do is get into one of the administrators' accounts and the hacker could get access to the administration panel.

If you have it so that there are different passwords for each user to get into the administration panel, the hacker would have to know the password for the specific user and not some general one.

A different password for each administrator is more secure than having one password for every administrator.
Eric

Magnotta
Former Team Member
Posts: 1093
Joined: Fri Oct 17, 2003 4:16 am
Location: Ontario

Post by Magnotta »

wGEric wrote:
Magnotta wrote: Wouldn't a better solution then be making a separate admin panel password that needs to be entered in order to gain entry? Sort of like using an .htaccess file, but with the name and password entered during the admin login page so people on all servers could use it. At the install then, for instance, the board admin would input their own login password, and a separate password required to enter the admin panel, which could be kept in config.php. Then, whenever the admin makes a user an admin, they have to be told the password by the admin before they can enter the admin panel. I think that would make things a bit more secure, just in case the hacker gained access by knowing the admin's password, in which case the hacker would have to just re-type to gain access, or if a hacker managed to somehow run a script making themselves an admin, well, they still couldn't get access until they learned the admin panel password.


It isn't as secure if you have one password that all administrators are using. If a hacker figures out that password, all he would have to do is get into one of the administrators' accounts and the hacker could get access to the administration panel.

If you have it so that there are different passwords for each user to get into the administration panel, the hacker would have to know the password for the specific user and not some general one.

A different password for each administrator is more secure than having one password for every administrator.


Very true, and that is much better than what I suggested. But either way, the point is to have a separate password that the admin needs to enter to get into the admin panel. I just think that would be a lot more secure than right now, as if someone gained access to the admin account simply by figuring out the password, well then re-typing that password isn't that difficult.

binside
Registered User
Posts: 101
Joined: Tue Feb 15, 2005 11:35 pm

Post by binside »

Someone here said that all the bulletin board software has a lot of critical issues and bugs.
It is not exactly right.
And someone said Invision also has a lot of vendor patches, a lot of bugs...
So see it yourself:
http://secunia.com/product/463/ - For phpBB 2.0.x
http://secunia.com/product/3705/ - For Invision 2.x

See the number of unpatched issues, and the number of total problems/bugs for the last 2 years.
Don't get me wrong. I love phpBB. I also know that it is completely free, the dev team has its own private life, they are doing this for us and for the big community...
I also prefer things to be patched as soon as possible instead of waiting... /This is my answer to the author's opinion/
But let's say the things as they are.
All the devs and moderators - Excuse me, but you are acting strange every time someone says something not too good for phpBB. No matter if he is right or wrong.
phpBB has a little bit more security holes than some other products. And I gave you some links about it /I chose the other product just because it was mentioned here/.
So please, don't be mad.
And accept the facts as they are.
:wink:
And finally: Keep up the good work! And thanks!

psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

For goodness sake ... compare apples with apples please. Firstly, citing a "security list" is not a fantastic method since not all issues will ultimately be released to said lists. Secondly, IPB2 is, compared to phpBB very new. phpBB 2 has been around quite some time now ... is used by significantly greater numbers of sites and is thus subject to more eyes. It's not a matter of "don't get mad, accept the facts" ... the "fact" is you cannot compare like for like.

So, listen up peeps I'll do you all a deal ... you don't compare phpBB's release history to other boards and we won't comment on other boards release histories ... okay? Good.

eqbeastlord
Registered User
Posts: 50
Joined: Thu Jan 02, 2003 2:45 pm

Post by eqbeastlord »

psoTFX wrote: Utterly utterly utterly ridiculous. As Graham says, damned if we do, damned if we don't. As for "other" boards, go ahead ... I'd suggest actually doing some research first though before claiming the sun is shining brighter elsewhere ;)


No offense, but one of your customers has come to you with a legitimate concern. He posted in a nice fashion, not flaming. And he is met with outright hostility, and then from the devs, brushed off with this.

Why not address his concerns properly? I know this is a free service and all, but you could at least respect his opinion.

I happen to agree with him.

You could most definitely just put out patches that had security fixes, and one with updates. So both groups of people are satisfied.

Sure this would take a bit more work on your side, but wouldn't it be worth it to make your customers happy?

Then each year, you could put out an update of ALL the fixes in one file that people could update from.

Because honestly, I can tell you how much I love phpBB, with the fact that I do have the money to buy a "professional" board, but I choose to stick with phpBB, for 15+ sites. (which I think, for the most part, is more professional than those other boards)

So you see I love the board, and I appreciate ALL the hard work you do, and all the hard work that the modders do.

But I too, groan every time there's an update. I appreciate all the fixes, but I hope you can understand that having to spend 1-2 days to update 15+ boards, sucks.

It would be much easier to patch the security problems, and then once or twice a year, patch up everything.

Just a suggestion. I'm still going to use this software, regardless of what you do, and I'll love it. Even though I will whimper a bit on patch day ;)

psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

I'm sorry but he did not come to us with a "legitimate concern". He posted complaining about the number of updates phpBB has had (15 in over two years). Frankly IMNSHO a legitimate concern would be the opposite ... a lack of updates, a lack of security related fixes, et al. Frankly I remain, as I say, utterly amazed at people complaining about us releasing frequent updates.

To address your point about "patches" ... erm, that's exactly what we do make available. We release four different solutions; full source, changed source files only, patch compatible patch and an EasyMod/Mod template patch. Additionally in recent times we've noted, where a security issue has appeared, the relevant changes necessary to fix just that issue.

The "roll up" idea ... well, ya know, as we say, "damned if we do, damned if we don't". If we don't release updated source we'll receive complaints about our "lack of action". If we do release updated source/patches we're "releasing too many versions", sigh and hum ho.

Just to reiterate something else ... the only "customers" we have are those that purchase advertising on this site. Those who download and use phpBB comprise our community.

tsuehpsyde
Registered User
Posts: 33
Joined: Thu Apr 21, 2005 7:33 pm

Post by tsuehpsyde »

Okay guys, seriously....how are you going to get on the devs' asses about fixing problems that come up? Honestly? Would you rather they NOT fix these issues so you don't have to work updating your boards, which you don't pay for in the first place?

Seriously....you people are out of hand and downright ungrateful. You should thank them for releasing security fixes instead of complaining about how it inconveniences you. Would you rather they wait for a certain number of exploits to be found before a patch? Please.

Thanks Devs, I personally can say I appreciate the work you do and cannot wait for phpBB3. Keep the updates coming. ;)

atnbueno
Registered User
Posts: 39
Joined: Sun Aug 03, 2003 5:26 pm
Location: Spain

Post by atnbueno »

I'm amazed at the discussion, and I still think I lost something with the translation because the problem seems to be the *amount* of updates?

I only take care of one board and simply apply the critical changes right away and put the others in my "things to do" queue. Maybe with +15 I'd do it differently but, as it has been stated, there's plenty of ways to do it.

Maybe you would like a phpbbupdate.phpbb.com? :D You know, patches available the second Tuesday of every month... :wink:

Keep up the good work, guys.

custmguru®
Registered User
Posts: 233
Joined: Wed Apr 10, 2002 6:06 pm
Location: Somewhere, Over the rainbow

Post by custmguru® »

I used to hate the updating till I found the patchwork delie worked with EasyMod. I updated 3 sites in half an hour, and one of those sites had to be done by hand (no FTP access).

Doing it by hand is a PITA, but I'd rather spend 20 minutes doing it than spend 4-5 hours fixing it after I get hacked because I didn't.

Clive
Registered User
Posts: 45
Joined: Sat Jan 17, 2004 3:59 pm

Post by Clive »

Let me see, we are all using open source software given to us free of charge and we complain, hmmm.

I was recently hacked by Djer the deli hacker because I was running 2.0.12 so I did the fast update and only had to change the footer in the .tpl collection back. I am lucky to be with the ISP I am, they are fast to correct errors in my database and do a reset on the site.

When one of the writers on my forum said "doesn't phpBB have ways to stop this?" I said, I heard the CIA and the FBI and the White House and NASA and eBay and credit card companies have been hacked, and they know a lot more about computers and security and have much more staff to prevent this than I.

If you pay for software I think it gives a reason to complain... then if it is free and offered for all to improve... If it is free then giving something back is good...

I run a FrontPage server with all the extensions and have little faith in htaccess with the extensions on as it controls it with different files. I wouldn’t mind a chat with anyone on ICQ that understands the .htaccess and .htpassword .txt files for FrontPage…

Keep up the great work in providing a wonderful board…
A bad day fishing beats a good day working...
Clive Webmaster for
The Writers Voice
http://www.writers-voice.com

FuNEnD3R
Registered User
Posts: 267
Joined: Sun Aug 03, 2003 6:57 pm

Post by FuNEnD3R »

I don't mind the patches, especially since I use Dreamweaver to open up all of my files, and use Ctrl + F (the find option) to easily go straight to the line that I need to edit. I have three different boards so I have to upgrade every one of them, and it takes me no more than an hour to upgrade all three. These releases are bug fixes and to prevent hackers, so they try to release them ASAP. This is something that is common with all software, and if you want to switch forums that is your choice :)

psoTFX wrote: well, ya know, as we say, "damned if we do, damned if we don't".


Oh man, I can totally relate to that; it's an everyday issue on my board lol.

alcaeus
I've Been Banned!
Posts: 431
Joined: Wed Nov 19, 2003 1:12 pm

Post by alcaeus »

I understand the developers, and I just wanted to say that there's nothing wrong with their way of handling situations like this one. If you really want to complain, why don't you look up all "security advisories" on the so-called "security pages" (bugtraq, secunia, and whatever else there is), look up the credits on each of the reported vulns, and complain to those little punks who think it's more important to inform a third-party site instead of the "vendor". That means two things:
a) lots of people can read about this vulnerability, and
b) by making the information public, they steal the devs' time, because they have to hurry patches into release.
Many times so-called "security groups" (:roll:, I hate to use that term) write a bug report on bugtraq (critical), wait for the update which would follow within days, and then report the next vuln, which was already present in the first version. Don't ask me why, but this has happened before.
Also, as some people stated above: the devs are giving you a wonderful (yes, truly wonderful) piece of software for absolutely free, so I don't think you have the right to b***h off because of anything. As long as they actually fix bugs and bring out patches, you have absolutely no reason to complain. Dang, why don't some people just understand this? If you think you need to complain whenever a new release comes out, go to vB, pay your 160 bucks, and then you have the right to do so. But bit***ng at somebody for giving you a free message board and actually fixing holes in it when they are discovered is nothing but WRONG.
I hope some people finally understand that. I for my part will stick with phpBB, and I wouldn't care if they brought out a patch every week. I download the instructions, feed them into EM, and off we go.

Greetz
alcaeus

AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

alcaeus wrote: I understand the developers, and I just wanted to say that there's nothing wrong with their way of handling situations like this one. If you really want to complain, why don't you look up all "security advisories" on the so-called "security pages" (bugtraq, secunia, and whatever else there is), look up the credits on each of the reported vulns, and complain to those little punks who think it's more important to inform a third-party site instead of the "vendor". That means two things:
a) lots of people can read about this vulnerability, and
b) by making the information public, they steal the devs' time, because they have to hurry patches into release.
Many times so-called "security groups" (:roll:, I hate to use that term) write a bug report on bugtraq (critical), wait for the update which would follow within days, and then report the next vuln, which was already present in the first version. Don't ask me why, but this has happened before.


Many individuals post reports to Bugtraq once the issues are patched, or when the affected software teams are ignoring an issue. I myself have several reports there regarding the security of phpBB; all have been made after the issue has been patched. Most of the issues that were disclosed before a patch (i.e. the highlight bug) the developers waved off, and stated they weren't critical issues. This is the bug that put phpBB security issues in the limelight.

If you think most security groups follow a full disclosure without vendor notification policy, you have not been paying attention to the reputable security community for any amount of time. Perhaps if you do more than read Zone-H you can understand how many issues get fixed behind the scenes thanks to those who take security seriously.

AnthraX101
