Security of phpBB 3.0???

RH
Registered User
Posts: 69
Joined: Sun Dec 28, 2003 3:26 am

Security of phpBB 3.0???

Post by RH »

Hi All,

I had a site using phpBB 2.0 and it seemed like I was always installing critical patches and that my board was constantly getting hacked. Can anyone tell me if phpBB 3.0 is more secure and hacker resistant?

Thanks for all of your great work here.

Thanks,
Robert
Like Gadgets? Come check out our forum!

http://www.aficionadozone.com
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Security of phpBB 3.0???

Post by Phil »

There are no known exploits in phpBB3. It may also be worth pointing out a phpBB2 release has not been made this year, so it's not that vulnerable either :D

There likely will be exploits found in phpBB3 in the future, but it is coded with security in mind, more-so than phpBB2.
Moving on, with the wind. | My Corner of the Web
Zero4749
Registered User
Posts: 19
Joined: Wed Dec 07, 2005 7:03 am

Re: Security of phpBB 3.0???

Post by Zero4749 »

I hope that it's more secure since most people are always getting their phpBB board hacked.
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Security of phpBB 3.0???

Post by Phil »

Zero4749 wrote: I hope that it's more secure since most people are always getting their phpBB board hacked.
That's far from true. If kept up to date, your board is very unlikely to get hacked. Most exploits are a result of boards being out-of-date or poorly coded MODs.
Moving on, with the wind. | My Corner of the Web
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith
Contact:

Re: Security of phpBB 3.0???

Post by smithy_dll »

My board is fairly popular, and has never been hacked because I keep up to date with updates. I have been using it since phpBB2.0 RC2 and recently updated to phpBB3.0 RC2, and updated to phpBB3.0 RC3 the day it was released as I do with all updates.

So getting hacked is merely a reflection on the admin in charge rather than the board software itself. Much like how people whose computers are members of a botnet don't keep their computer up to date using Windows Update and end up suffering the consequences.

It's just one of those things you have to do when you make something internet connected.
Systems Engineering
WheelGuy
Registered User
Posts: 201
Joined: Tue Jan 30, 2007 4:07 pm
Contact:

Re: Security of phpBB 3.0???

Post by WheelGuy »

I sometimes wonder what people's "view" on being hacked is. I've seen posts in the past where many say their forum was hacked, but in reality it was just "spam" bots registering and/or posting porn links etc. I have only seen very few, maybe 3-4 posts that I myself would consider the forum being hacked. In my opinion, ANY software on or offline is vulnerable to being hacked at one point or another. As it has been stated many times, keeping up-to-date software helps to prevent this. One other thing worth noting is, the hack may come from the server that hosts the forum being hacked, not from the forum software.
cybermonsters
Registered User
Posts: 47
Joined: Sun Jan 19, 2003 5:34 am
Location: Seattle, WA

Re: Security of phpBB 3.0???

Post by cybermonsters »

With 2.0.13 I got "hacked" - meaning boards got taken over. Also had spammers use my servers for sending bulk emails. Still not clear if they used my servers as zombies through phpbb or not. Since around 2.0.20 I haven't had any problems. Have been running solid for 18 months without any problems.

I have confidence 3.0 will be more solid. PHPBB has a much stronger rep now for security.
Marshalrusty
Project Manager
Posts: 29302
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Re: Security of phpBB 3.0???

Post by Marshalrusty »

Yet another one of these topics :)

Security is a goal, so the question "is phpBB3 secure?" is impossible to answer. At the moment, there are no known vulnerabilities in phpBB 2.0.22. That makes it secure. When there were no known vulnerabilities in phpBB 2.0.15, it was secure. When phpBB 2.0.6 was the latest version, it was secure.

You need to make sure that you are always running the latest version of any software that you use. If you keep up to date, then it really doesn't matter if vulnerabilities will be found in RC3 6 months from now (which hopefully won't happen ;)).
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
DarkDragon951
Registered User
Posts: 1
Joined: Mon Jul 16, 2007 6:54 pm
Location: Lynn, MA
Contact:

Re: Security of phpBB 3.0???

Post by DarkDragon951 »

Dear phpBB community,

Hmmmm... well I do have another question just to throw out there. Recently the administrator of my forum has upgraded from 2.0.0.19 to 2.0.0.22. Before this little update we received quite a lot of bots signing up and spamming. While I am perfectly content with this so far I wanted to know how the new version is more secure. Basically, my question is what does the newest version of phpBB do to protect against botting?

Thank you,
Amber (DarkDragon951)

PS: If this has already been answered, I apologize.
Geneticeye-arts Forum Moderator
Im happy!!!! :3
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Security of phpBB 3.0???

Post by Phil »

Yes, it does more to protect. While we're starting to see bots getting in, it's not anywhere near as bad and the difficulty of the CAPTCHA can be increased, essentially almost completely stopping bots.
Moving on, with the wind. | My Corner of the Web
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith
Contact:

Re: Security of phpBB 3.0???

Post by smithy_dll »

The registration form is open to anyone who can successfully submit a registration. This is true no matter what you do.

Many people incorrectly diagnose people registering by hand as you put it, "botting".

What does the new version do?
A better captcha written from the ground up based on breaking theory that is used to break captchas. That is, it has been designed specifically with intent not only to be difficult to break, but by understanding how captchas are broken, and implementing methods to break those methods.

The problem is the trust model is set to allow everyone to get the form, and then submit it. However if you change the trust model, your forum will not work.

Unfortunately a slim few have exploited the early trust models of the internet, and we have the mess we have today for it. Dealing with it involves labelling potentially innocent people guilty and denying them access for various reasons including disability, or the fact they are unfortunate enough to share an ISP with someone who is naughty. It is like branding countries for the act of a sole person in that country, it is not really fair, but that person causes so much damage that there is little you can do to stop it.

Different tweaks will work for different communities, but when you release phpBB, you are releasing something that has to appeal to everyone.

So you can stop bots by clever captcha design. But how do you stop human bot farms when you want a human to be able to submit the form? That is segmenting human with malicious (probably too strong a word for here) intent from one with honest intent. This is difficult because they are both human and faceless.

Of course the code is more secure and locked down by design than ever.

Other features include maximum registration form tries for an IP, again easily circumvented with a large rotation of proxy IPs. So it becomes a war, and the person with the most resources wins. Fortunately a lot of these people have little resources and are easy to block, especially those who target small sites, blogs, and forums.

In phpBB3 it becomes even more difficult to fingerprint registrations due to the removal of profile fields from the registration form, such as website, interests, and occupation that bots lick up.

So now I hope you see the enormity of the problem. If we could go back to 1999, would you?
Systems Engineering
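The "maximum registration form tries for an IP" control smithy_dll mentions, together with its weakness against IP rotation and the collateral damage of blocking a shared ISP range, can be shown in a few lines. The following is an added example written for this thread, not phpBB's own code: it models a hypothetical sliding-window throttle that counts attempts per source address and, as a second layer, per /24 (or /64 for IPv6) network. The class name, limits and the 203.0.113.x / 198.51.100.x sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class RegistrationThrottle:
    """Sliding-window limit on registration attempts (hypothetical policy,
    not phpBB's implementation).

    Two counters are kept: one per exact source address and one per
    enclosing network. The per-address limit is what a single bot hits;
    the per-network limit is what catches rotation through neighbouring
    addresses, at the cost of also throttling innocent users on the same
    ISP block (the trade-off described in the post above).
    """

    def __init__(self, max_per_ip=3, max_per_net=10, window_seconds=3600):
        self.max_per_ip = max_per_ip
        self.max_per_net = max_per_net
        self.window = window_seconds
        self._ip_hits = defaultdict(deque)   # address -> timestamps
        self._net_hits = defaultdict(deque)  # network -> timestamps

    @staticmethod
    def _prune(hits, now, window):
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= window:
            hits.popleft()

    @staticmethod
    def _network_of(addr):
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def attempt(self, ip: str, now: float) -> str:
        """Record one registration attempt at time `now` (seconds).

        Returns "allow", "deny:ip" or "deny:net". Denied attempts are not
        counted, so a blocked client cannot extend its own lockout.
        """
        addr = ipaddress.ip_address(ip)
        net = self._network_of(addr)
        ip_hits = self._ip_hits[addr]
        net_hits = self._net_hits[net]
        self._prune(ip_hits, now, self.window)
        self._prune(net_hits, now, self.window)
        if len(ip_hits) >= self.max_per_ip:
            return "deny:ip"
        if len(net_hits) >= self.max_per_net:
            return "deny:net"
        ip_hits.append(now)
        net_hits.append(now)
        return "allow"


if __name__ == "__main__":
    # Constructed sequence: one address retries, then rotates within its /24.
    throttle = RegistrationThrottle(max_per_ip=3, max_per_net=5)
    events = [("203.0.113.10", 0), ("203.0.113.10", 10), ("203.0.113.10", 20),
              ("203.0.113.10", 30), ("203.0.113.11", 40), ("203.0.113.12", 50),
              ("203.0.113.13", 60), ("198.51.100.7", 70)]
    for ip, t in events:
        print(f"t={t:>4} {ip:<14} {throttle.attempt(ip, t)}")
```

The per-address limit alone stops the fourth attempt from 203.0.113.10 but lets 203.0.113.11, .12 and .13 straight through; only the per-network counter trips on the rotation. A client on an unrelated network (198.51.100.7) is unaffected, and once the oldest timestamps age past the window the original address is allowed again.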