PHPBB3.0.10 - Security Threats

END OF SUPPORT: 1 January 2017 (announcement)
cdsmhr034
Registered User
Posts: 1
Joined: Thu Jul 05, 2012 1:36 am

PHPBB3.0.10 - Security Threats

Post by cdsmhr034 » Thu Jul 05, 2012 3:56 am

Support Request Template
What version of phpBB are you using? phpBB 3.0.10
What is your board's URL? It's intranet based
Who do you host your board with? Intranet Application team
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3
Is registration required to reproduce this issue? No
Do you have any MODs installed? No
What version of phpBB3 did you update from? phpBB 3.0.9
What styles do you currently have installed? Default. No changes made
What language(s) is your board currently using? Default. No changes made
Which database type/version are you using? I Don't Know
What is your level of experience? Please select your answer
When did your problem begin? During our Periodic Vulnerability Assessment test in Jun-12
Please describe your problem. We had an Internal Vulnerability Assessment performed by a large third party service provider. They advised us to remove the PHPBB completely as it has several threats. They also advised us to install the latest version (3.0.10) and run a rescan. The rescan also reported that there are security threats.

My question is: PHPBB is installed inside the firewall. It can't be accessed from outside of our domain. In this scenario, what could be the security threats? And what precautions should be taken to address them?

Noxwizard
Support Team Leader
Posts: 10341
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: PHPBB3.0.10 - Security Threats

Post by Noxwizard » Thu Jul 05, 2012 4:21 am

There are currently no known security vulnerabilities in 3.0.10, nor any in 3.0.9. There have been very few issues at all with phpBB 3 in its lifetime and they were very minor. Just go through the changelog and look for "Security" and [Sec] to see the entries. You should be wary of products that perform security scans like that. They tend to report back a lot of bogus results. If you want to find out information about known issues in one of your products, I would recommend checking security specialist sites that track this kind of information, like Secunia: http://secunia.com/advisories/product/1 ... statistics

RMcGirr83
Recognised Extension Developer
Posts: 21034
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: PHPBB3.0.10 - Security Threats

Post by RMcGirr83 » Thu Jul 05, 2012 9:52 am

cdsmhr034 wrote: We had an Internal Vulnerability Assessment performed by a large third party service provider.
You need to find a different vendor, preferably one that knows what they are talking about.
cdsmhr034 wrote: They advised us to remove the PHPBB completely as it has several threats.
If speaking of the 3.x branch, I am sure the teams would love to hear about it.

T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: PHPBB3.0.10 - Security Threats

Post by T0ny » Thu Jul 05, 2012 2:33 pm

cdsmhr034 wrote: what could be the security threats?
The company undertaking your vulnerability assessment should have provided you with a report detailing any security issues they found.
cdsmhr034 wrote: what precautions should be taken to address them?
Until you find out what these security threats are, it isn't going to be possible for anyone to advise you on how to address them.

CaNNon_
Registered User
Posts: 392
Joined: Wed Apr 29, 2009 2:07 am

Re: PHPBB3.0.10 - Security Threats

Post by CaNNon_ » Fri Jul 06, 2012 2:26 am

cdsmhr034 wrote: We had an Internal Vulnerability Assessment performed by a large third party service provider. They advised us to remove the PHPBB completely as it has several threats. They also advised us to install the latest version (3.0.10) and run a rescan. The rescan also reported that there are security threats.
You need to better define "security threat" as it relates to your work environment.

As an example, some companies would consider any way to remove proprietary data a security threat. In cases like this, anyone with a USB stick would fit, as well as any way to email data outside the work environment.

As you were told, we have no security exploits to users, but to us that means no exploitable code from other web users (I'm not including anything you could have added on here). But if you look back at my example, phpbb3 could be called a "Vulnerability" in that case because of its ability to email. Simply disabling/removing the email feature would make it ok in that case.

Maybe if you could give us a better guideline, someone could have a solution for you. ;)
