phpBB questions

BlasterX
Registered User
Posts: 12
Joined: Mon Mar 08, 2021 5:55 am

phpBB questions

Post by BlasterX »

I have a few questions in regards to phpBB.

I have been using MyBB for years, but unfortunately it just seems like development is stalled severely for MyBB. It has been delay after delay, and they provide no updates to people asking about 1.9, and I feel MyBB will eventually fade away.

phpBB has things right off the bat that appeal to me such as a responsive theme out of the box and an alerts/notifications system out of the box.

But some things I want to know.

1. How long does it take on average for phpBB to release an update for security vulnerabilities?

2. If phpBB has updates which require changes to themes, how hard is it to patch existing themes, because it would suck to modify the default theme and have to start from scratch each update. Does it have a system in place like MyBB where you can check the templates for any needed changes with a click of a button?

3. Overall, how secure is phpBB out of the box, and is there a list of optional things that can be done to secure phpBB even more?
Kailey
Community Team Leader
Posts: 3732
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Snay
Contact:

Re: phpBB questions

Post by Kailey »

Items #1 and #3 sort of go together. If you look in the Announcement forum, you'll see that a release generally happens every few months. Also, phpBB has no known vulnerabilities.

Regarding item #2, Marc (Development Team Leader) will publish style changes here.
Kailey Snay - Community Team Leader
Knowledge Base | Documentation | Community rules

If you have any questions about the rules/customs of this website, feel free to send me a PM.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: phpBB questions

Post by david63 »

Just to add that in the past, on the very few occasions where a security issue has been found, a version with a fix has been released within a couple of days.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: phpBB questions

Post by thecoalman »

BlasterX wrote: Mon Mar 08, 2021 6:07 am 1. How long does it take on average for phpBB to release an update for security vulnerabilities?

phpBB has always had an excellent security track record. There has only been one serious issue I'm aware of. If you look through the releases, there is a 3.0.7PL that replaced the 3.0.7 release. This goes back more than ten years; in that release RSS feeds were added, and under a specific set of permission settings someone that did not have access to a forum could read it through the RSS feed. The flaw was found and patched in about 24 hours.

If there are any issues related to a release, you can find temp patches available in a sticky at the top of the support forum. Certainly any security issue would be addressed there as soon as possible, even before an official patch.

BlasterX wrote: 2. If phpBB has updates which require changes to themes, how hard is it to patch existing themes, because it would suck to modify the default theme and have to start from scratch each update. Does it have a system in place like MyBB where you can check the templates for any needed changes with a click of a button?

You would have to apply changes to the custom theme. The easiest way I have found to manage this is using WinMerge to compare and merge files. If you comment changes, it's even easier.

BlasterX wrote: 3. Overall, how secure is phpBB out of the box, and is there a list of optional things that can be done to secure phpBB even more?

As already mentioned, phpBB itself has a really good track record. There isn't a whole lot you can do to secure phpBB itself that hasn't already been done. Security of any site/server needs to be layered. For example, you could add a .htaccess password to the adm folder. Not only are you adding another layer of authentication, but since that is separate from phpBB, it could also prevent any vulnerabilities that may crop up in the future with phpBB's authentication for the admin panel. The same thing can be done with any web application. A .htaccess password itself is no guarantee because it can be brute forced; however, there are server applications that can monitor that activity and firewall an IP after X amount of failed logins.... layers. ;)
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
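
The monitoring layer described in the post above (watch for failed .htaccess logins on the adm folder and block an IP after X failures), sketched as an added example that is not part of the original thread or of phpBB. It assumes Apache common/combined log format and a board installed at the web root; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_bruteforce(lines, prefix="/adm/", max_fails=5,
                    window=timedelta(minutes=10)):
    """Map each offending IP to the time it reached max_fails rejected
    Basic-auth attempts under prefix within the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401" or not m["path"].startswith(prefix):
            continue
        # User "-" means no credentials were sent: that is the browser's
        # first request that triggers the password prompt, not a failed guess.
        if m["user"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= max_fails:
            flagged.setdefault(m["ip"], ts)   # keep the first crossing time
    return flagged

# Constructed sample log (documentation IP ranges, not real traffic):
# one admin who mistypes once, then one client failing six times in a minute.
SAMPLE_LOG = [
    '198.51.100.20 - - [09/Mar/2021:20:14:58 +0000] "GET /adm/index.php HTTP/1.1" 401 381',
    '198.51.100.20 - admin [09/Mar/2021:20:15:04 +0000] "GET /adm/index.php HTTP/1.1" 401 381',
    '198.51.100.20 - admin [09/Mar/2021:20:15:11 +0000] "GET /adm/index.php HTTP/1.1" 200 5120',
] + [
    f'203.0.113.7 - admin [09/Mar/2021:20:16:{s:02d} +0000] "GET /adm/index.php HTTP/1.1" 401 381'
    for s in range(0, 60, 10)
]

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: threshold reached at {when.isoformat()}")
```

The returned addresses are what would be handed to the firewall; the legitimate admin's single typo stays below the threshold.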
BlasterX
Registered User
Posts: 12
Joined: Mon Mar 08, 2021 5:55 am

Re: phpBB questions

Post by BlasterX »

thecoalman wrote: Mon Mar 08, 2021 2:21 pm

As already mentioned, phpBB itself has a really good track record. There isn't a whole lot you can do to secure phpBB itself that hasn't already been done. Security of any site/server needs to be layered. For example, you could add a .htaccess password to the adm folder. Not only are you adding another layer of authentication, but since that is separate from phpBB, it could also prevent any vulnerabilities that may crop up in the future with phpBB's authentication for the admin panel. The same thing can be done with any web application. A .htaccess password itself is no guarantee because it can be brute forced; however, there are server applications that can monitor that activity and firewall an IP after X amount of failed logins.... layers. ;)

In regards to the .htaccess password, that is something I do with MyBB as well, but I also change the admin directory. Is it possible on phpBB to change the admin directory?

Also, MyBB has an admincp pin; does phpBB have such an option?

Another question: I notice plugins available for 3.3.2; will these plugins for the most part work on 3.3.3?
GanstaZ
Registered User
Posts: 1187
Joined: Wed Oct 11, 2017 10:29 pm
Location: GZOverse

Re: phpBB questions

Post by GanstaZ »

Many questions can be answered by setting up a local development server or using a host to install phpBB and to see what it does.
About extensions: even 3.2.x branch extensions may work on 3.3.x. It all depends on how the extension is coded, especially if it has a conditional check for the phpBB & php version.
Usus est magister optimus! phpBB pre-Triton & latest php environment.
When answer lies in the question, question becomes redundant!
Crizzo
Translations & International Support Teams Manager
Posts: 1653
Joined: Thu Apr 23, 2009 1:20 pm
Location: Stuttgart, Germany
Name: Christian
Contact:

Re: phpBB questions

Post by Crizzo »

BlasterX wrote: Tue Mar 09, 2021 7:37 pm In regards to the .htaccess password, that is something I do with MyBB as well, but I also change the admin directory. Is it possible on phpBB to change the admin directory?

I don't know exactly what you mean by that, but I'll try. You can protect the ACP with htpasswd / htaccess, but you cannot change the path of the link.

BlasterX wrote: Tue Mar 09, 2021 7:37 pm Also, MyBB has an admincp pin; does phpBB have such an option?

What is an "admincp pin"?

BlasterX wrote: Tue Mar 09, 2021 7:37 pm Another question: I notice plugins available for 3.3.2; will these plugins for the most part work on 3.3.3?

Yes, with some exceptions.

But it is open for downloads. So just pick your webspace/server/xampp etc. and install it and try it out :)
My extensions for phpBB: CDB
German phpBB Support at www.phpbb.de
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: phpBB questions

Post by warmweer »

Crizzo wrote: Tue Mar 09, 2021 8:28 pm
BlasterX wrote: Tue Mar 09, 2021 7:37 pm Also, MyBB has an admincp pin; does phpBB have such an option?
What is an "admincp pin"?

I suspect that he is asking whether the Admin Control Panel can be passworded.
Frankly, the answer to that question is obvious.
But he can check it out for himself: on the About phpBB page there's a Test it yourself option.
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
BlasterX
Registered User
Posts: 12
Joined: Mon Mar 08, 2021 5:55 am

Re: phpBB questions

Post by BlasterX »

Crizzo wrote: Tue Mar 09, 2021 8:28 pm
BlasterX wrote: Tue Mar 09, 2021 7:37 pm In regards to the .htaccess password, that is something I do with MyBB as well, but I also change the admin directory. Is it possible on phpBB to change the admin directory?
I don't know exactly what you mean by that, but I'll try. You can protect the ACP with htpasswd / htaccess, but you cannot change the path of the link.
BlasterX wrote: Tue Mar 09, 2021 7:37 pm Also, MyBB has an admincp pin; does phpBB have such an option?
What is an "admincp pin"?
BlasterX wrote: Tue Mar 09, 2021 7:37 pm Another question: I notice plugins available for 3.3.2; will these plugins for the most part work on 3.3.3?
Yes, with some exceptions.

But it is open for downloads. So just pick your webspace/server/xampp etc. and install it and try it out :)

For example, MyBB's default admin directory is /admin, but you can change it to anything, such as /acpxTe, for an additional layer of security, so now, instead of anyone knowing right away what the admin directory is, they have to find what the new one is.

And the admincp pin is when you go to the admin panel to log in: on top of your username and password, you also have to give a security pin which you set up during installation. It can be anything like a birthday, year, etc. That way, if for some reason the admin main account gets breached, whoever did it still has to get that pin to access the admin panel.
Crizzo
Translations & International Support Teams Manager
Posts: 1653
Joined: Thu Apr 23, 2009 1:20 pm
Location: Stuttgart, Germany
Name: Christian
Contact:

Re: phpBB questions

Post by Crizzo »

BlasterX wrote: Tue Mar 09, 2021 8:39 pm For example, MyBB's default admin directory is /admin, but you can change it to anything, such as /acpxTe, for an additional layer of security, so now, instead of anyone knowing right away what the admin directory is, they have to find what the new one is.

No, this is not possible. But just surfing to "example.org/admin/index.php" won't work, either. So imho there is no need for that, and since you can access the ACP in many different ways, the link will easily be discovered. Security through obscurity is not the way. ;)

BlasterX wrote: Tue Mar 09, 2021 8:39 pm And the admincp pin is when you go to the admin panel to log in: on top of your username and password, you also have to give a security pin which you set up during installation. It can be anything like a birthday, year, etc. That way, if for some reason the admin main account gets breached, whoever did it still has to get that pin to access the admin panel.

No, you will get asked for your Admin-account password again, when you want to go to the ACP.

If this is not enough, you are free to protect it via other methods, too, e.g. Apache/NGINX directory password protection.
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: phpBB questions

Post by warmweer »

BlasterX wrote: Tue Mar 09, 2021 8:39 pm For example, MyBB's default admin directory is /admin, but you can change it to anything, such as /acpxTe, for an additional layer of security, so now, instead of anyone knowing right away what the admin directory is, they have to find what the new one is.

Nope, and it isn't necessary, as you'd need host permissions (or ftp) to access that directory.

BlasterX wrote: Tue Mar 09, 2021 8:39 pm And the admincp pin is when you go to the admin panel to log in: on top of your username and password, you also have to give a security pin which you set up during installation. It can be anything like a birthday, year, etc. That way, if for some reason the admin main account gets breached, whoever did it still has to get that pin to access the admin panel.

To enter the ACP, the admin has to log in a second time (using the same credentials). This actually prevents someone from using that account to access the ACP if the true admin leaves the PC unattended, because the rogue person doesn't know the admin password.
Security is necessary but there's no point in overdoing it.
eeji
Registered User
Posts: 1461
Joined: Fri Dec 12, 2008 9:08 pm
Location: Manchester, UK
Contact:

Re: phpBB questions

Post by eeji »

In regards to the ACP, it is also protected by the permission system. If a user doesn't have access permission then they can't get in.
My phpBB styles: phpbbstyles.iansvivarium.com
My "board": iansvivarium.com
(yes, it's running phpBB!)