phpBB in the news here in New Zealand

stu15
Registered User
Posts: 1283
Joined: Sat Mar 15, 2003 1:46 am
Location: New Zealand

phpBB in the news here in New Zealand

Post by stu15 » Tue Aug 08, 2006 12:10 am

I am afraid it is bad news as well.

From Computerworld NZ
<snip>To prevent attacks like the above happening again, Cottle says iServe is seriously considering banning scripts like PHPNuke and PHPBBS from its network. These two have a long history of vulnerabilities. Cottle says that iServe has to deal with multiple hack attempts every day, and that it's very difficult to keep on top of the large amount of vulnerabilities that crop up. Hackers are very quick to exploit security holes as soon as they appear, Cottle says.</snip>

Read the rest Here


:(

All thanks to people who can’t keep their phpBB forum up to date :(

Just thought the phpBB Team members would like to know about this
A Registered User > I maybe wrong...So please correct him :) || My Forum - Stu's phpBB Helpdesk

Skeita
Registered User
Posts: 14
Joined: Wed Oct 05, 2005 11:56 am
Location: Bonn

Re: phpBB in the news here in New Zealand

Post by Skeita » Tue Aug 08, 2006 12:30 am

stu15 wrote: <snip>To prevent attacks like the above happening again, Cottle says iServe is seriously considering banning scripts like PHPNuke and PHPBBS from its network. These two have a long history of vulnerabilities. Cottle says that iServe has to deal with multiple hack attempts every day, and that it's very difficult to keep on top of the large amount of vulnerabilities that crop up. Hackers are very quick to exploit security holes as soon as they appear, Cottle says.</snip>

Read the rest Here


Senseless decision in my opinion, because when your phpBB is up to date, (nearly) nothing can happen. (Except if you've got MODs installed, which affect the security of phpBB.)

Nephrus
Former Team Member
Posts: 1178
Joined: Sat Oct 19, 2002 4:05 am
Location: Vancouver, Canada

Post by Nephrus » Tue Aug 08, 2006 12:31 am

Thanks. I'll make sure this gets addressed.
[ Zelda Planet - nephrus.net - phpBB Userguide - phpBB Knowledge Base - phpBB.com Forum Rules ]
ABSOLUTELY NO support via PM/IM/email or I'll get a cow to sit on you

stu15
Registered User
Posts: 1283
Joined: Sat Mar 15, 2003 1:46 am
Location: New Zealand

Post by stu15 » Tue Aug 08, 2006 12:34 am

Nephrus wrote: Thanks. I'll make sure this gets addressed.


You’re welcome :)

PS: I know of another web host that has banned phpBB. Do you want me to PM you the URL and the name of the web host?
A Registered User > I maybe wrong...So please correct him :) || My Forum - Stu's phpBB Helpdesk

Nephrus
Former Team Member
Posts: 1178
Joined: Sat Oct 19, 2002 4:05 am
Location: Vancouver, Canada

Post by Nephrus » Tue Aug 08, 2006 12:38 am

stu15 wrote:
Nephrus wrote:Thanks. I'll make sure this gets addressed.


You’re welcome :)

PS: I know of another web host that has banned phpBB. Do you want me to PM you the URL and the name of the web host?

If you could, that would be much appreciated.

Thanks :)
[ Zelda Planet - nephrus.net - phpBB Userguide - phpBB Knowledge Base - phpBB.com Forum Rules ]
ABSOLUTELY NO support via PM/IM/email or I'll get a cow to sit on you

stu15
Registered User
Posts: 1283
Joined: Sat Mar 15, 2003 1:46 am
Location: New Zealand

Post by stu15 » Tue Aug 08, 2006 12:38 am

Nephrus wrote:
stu15 wrote:
Nephrus wrote:Thanks. I'll make sure this gets addressed.


You’re welcome :)

PS: I know of another web host that has banned phpBB. Do you want me to PM you the URL and the name of the web host?

If you could, that would be much appreciated.

Thanks :)


OK, will PM you in a few mins...
A Registered User > I maybe wrong...So please correct him :) || My Forum - Stu's phpBB Helpdesk

stu15
Registered User
Posts: 1283
Joined: Sat Mar 15, 2003 1:46 am
Location: New Zealand

Post by stu15 » Tue Aug 08, 2006 12:44 am

Nephrus, you've got PM mail :)
A Registered User > I maybe wrong...So please correct him :) || My Forum - Stu's phpBB Helpdesk

crazyasses.tk
Registered User
Posts: 456
Joined: Sat Aug 20, 2005 10:18 pm

Post by crazyasses.tk » Tue Aug 08, 2006 9:52 am

Well, it serves them right if they don't update :lol:
(\__/)
(='.'=)This is Bunny. Copy and paste bunny
(")_(")into your signature to help him gain world domination.
MOST PWNAGE THREAD EVER

stu15
Registered User
Posts: 1283
Joined: Sat Mar 15, 2003 1:46 am
Location: New Zealand

Post by stu15 » Tue Aug 08, 2006 11:39 am

crazyasses.tk wrote: Well, it serves them right if they don't update :lol:


Yeah, it's funny that an MP website got hacked.

But it's sad when a web host bans phpBB, for example, just because a few users can’t be bothered / don’t know how to update, which in turn gives phpBB a bad name and so the web host bans it :(. Just take a look at when phpBB had that mass hacking back in Nov 2004; people still can't get over that.

In total so far I have reported 3 web hosts to phpBB about them banning it from their servers.
A Registered User > I maybe wrong...So please correct him :) || My Forum - Stu's phpBB Helpdesk

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Post by NeoThermic » Tue Aug 08, 2006 12:44 pm

stu15 wrote:
crazyasses.tk wrote: Well, it serves them right if they don't update :lol:


Yeah, it's funny that an MP website got hacked.

But it's sad when a web host bans phpBB, for example, just because a few users can’t be bothered / don’t know how to update, which in turn gives phpBB a bad name and so the web host bans it :(. Just take a look at when phpBB had that mass hacking back in Nov 2004; people still can't get over that.

In total so far I have reported 3 web hosts to phpBB about them banning it from their servers.


The really sad thing is that these hosts banning phpBB (and other scripts) lack the effort to properly secure the servers. For example, doing a proper jail for each user on the server, using things like mod_security, removing tools like wget, perl, etc. *out* of their normal directories, etc. Hell, if you have mod_security set up and a decent set of rules, you can have older versions of the software on the server and not get hacked. (I actually had a try of this on my website: I set up a copy of 2.0.11, removed the admin account and all forums, disabled the registration page (to prevent spam), and let it sit there. mod_security blocked over 4000 attempts at both versions of the highlight exploit, and the server's files were identical in MD5sum to the ones I took before I set up the phpBB copy when I finally took down the old version.)

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

Timtam1234
Registered User
Posts: 815
Joined: Sun Mar 26, 2006 5:43 am
Location: Australia

Post by Timtam1234 » Wed Aug 09, 2006 8:47 am

I don't really see how they could do this. I know if I am running a hackable forum on my server they will suspend my hosting for a while, until I get updated. I hate it how some people spoil it for all!

brainsys
Registered User
Posts: 49
Joined: Mon Sep 20, 2004 8:03 pm

Post by brainsys » Wed Aug 09, 2006 3:53 pm

Well I'm going to make myself unpopular by agreeing with iServe.

phpBB is unsafe unless it is kept up to date. It's a spammers' gift unless you put in mods to stop it. The refusal by the phpBB team to put in simple preventative measures to minimise both these issues makes it a threat to the server. Which is why I only allow myself to run phpBB on our servers. The average JoeAdmin doesn't have the time/incentive/skills to keep it safe.

It's really sad to have to say this. I believe in Community Forums as an essential component in defending free speech, and phpBB as a gift to the community for which I am mighty grateful. But I feel the developers are not fully shouldering their responsibilities to make phpBB unattractive to hackers/spammers. If others follow iServe, or Google stops indexing forums as a consequence, then that is a blow to us all.

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Post by NeoThermic » Wed Aug 09, 2006 10:58 pm

brainsys wrote: phpBB is unsafe unless it is kept up to date.


*Any* software is unsafe unless it is kept up to date. Any forum, OS, application, etc.

brainsys wrote: It's a spammers' gift unless you put in mods to stop it.


This is not, however, going to affect the security of the server. In fact, most forums are the same in terms of "spammers' gift".

brainsys wrote: The refusal by the phpBB team to put in simple preventative measures to minimise both these issues makes it a threat to the server.


Such as? Really, this one irks me. What can we add into phpBB that isn't an attempt at a snake-oil concept that can minimise issues?

brainsys wrote: Which is why I only allow myself to run phpBB on our servers. The average JoeAdmin doesn't have the time/incentive/skills to keep it safe.


The responsibility of keeping a server safe lies with the owner of the server, not the people using it (unless they are one and the same).

If you don't believe me, then I would suggest taking a look at the rules that GotRoot provide for mod_security. You tell me of anything that can be done to bypass them, and I'll be shocked. Considering that mod_security gets the request before Apache and thus before the application being called can touch it, it can filter out everything you wish it to filter, and with a decent set of rules, it can even filter out 0-day attempts.

Combined with a proper jail for each user hosted, even if they somehow bypass the mod_security rules, they can't do anything outside of the user's jail, so the best they can do is delete things, etc. Combined with a limited port range for applications to use (iptables, for example), even that would make it difficult to put the server to any good use if you somehow get control of one of the jails. With a properly set up server, an attacker shouldn't make it in, but even if they do, they shouldn't be able to access anything that makes the server or other things on it vulnerable.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
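An added example, not code from the thread, from phpBB or from any mod_security rule set: a positive (whitelist) check of the kind NeoThermic describes, applied to the viewtopic.php highlight parameter and run over constructed access-log lines. The forum path, the log lines and the rule that a highlight value is only search words are assumptions; the point it shows is that such a rule needs no signature for a particular payload, which is why a decent rule set can stop attempts that are not yet known.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Positive rule (assumed): a highlight value is a list of search words and nothing
# more. Quotes, parentheses, slashes etc. are rejected on sight, so no signature for
# any particular payload is needed (the "0-day" point made in the post above).
HIGHLIGHT_OK = re.compile(r'^[A-Za-z0-9 +]*$')

# Constructed sample log (assumed paths and addresses). The second line carries
# a double URL-encoded junk value, not a real payload.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2006:00:10:00 +1200] "GET /forum/viewtopic.php?t=12&highlight=php+security HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Aug/2006:00:11:00 +1200] "GET /forum/viewtopic.php?t=12&highlight=%2527junk%2528 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.4 - - [08/Aug/2006:00:12:00 +1200] "GET /forum/index.php HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def check_request(target):
    """Return None when the request passes, else a short reason for blocking it."""
    parts = urlsplit(target)
    if not parts.path.endswith("/viewtopic.php"):
        return None  # the rule covers only this script
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for value in params.get("highlight", []):
        # Keep decoding until stable so double-encoded input is judged on its final form.
        while unquote(value) != value:
            value = unquote(value)
        if not HIGHLIGHT_OK.match(value):
            return "highlight contains non-search characters: %r" % value
    return None


def scan_log(text):
    """Return (ip, target, reason) for every request the rule would have blocked."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the second request; the benign search and the request to another script pass, and the malformed line is ignored.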

Newfie
Registered User
Posts: 221
Joined: Mon Feb 20, 2006 12:08 am
Location: A Canadian Province - guess which one?

Post by Newfie » Thu Aug 10, 2006 12:37 am

Even though I believe phpBB is doing a good job with security and stuff, as far as the Internet is concerned, you can almost never be paranoid enough.

If everybody was paranoid, hackers/viruses/trojan horses/etc. would be about 99.9% eliminated.

iServe is practicing paranoia, an essential part of a healthy Internet life, regardless if phpBB deserves to be blamed or not.

Of course, too much paranoia would greatly reduce the usefulness of the Internet, but it is usually smart to be too paranoid rather than be not paranoid enough.

Nonetheless, I realize it sucks for phpBB to have another potshot at its good name.

Personally, I don't encourage paranoia, but it usually results in less hacker and virus damage.

dounme
Registered User
Posts: 13
Joined: Sun Apr 09, 2006 12:52 pm

Re: phpBB in the news here in New Zealand

Post by dounme » Fri Aug 11, 2006 9:15 am

Skeita wrote: Senseless decision in my opinion, because when your phpBB is up to date, (nearly) nothing can happen. (Except if you've got MODs installed, which affect the security of phpBB.)


Yes, or the hackers find a security hole which nobody here is aware of. This has happened a million times for all kinds of software in the past. So how can you think you're safe? That's just ignoring the past.
