Discuss: What does phpBB2's retirement mean for you.

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Phil » Tue Jan 13, 2009 11:55 pm

In all honesty, I would be very surprised if a security vulnerability is not found in phpBB 2.0.23 in the not-so-distant future. Although there are no known vulnerabilities, hackers know that there are still many, many phpBB2 boards, and as of 1 February it will be open season. Plenty of incentive.
Moving on, with the wind. | My Corner of the Web

User avatar
Daniel Exe
Registered User
Posts: 573
Joined: Wed Sep 14, 2005 7:59 pm
Location: Canada
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Daniel Exe » Wed Jan 14, 2009 12:05 am

iWisdom wrote:In all honesty, I would be very surprised if a security vulnerability is not found in phpBB 2.0.23 in the not-so-distant future. Although there are no known vulnerabilities, hackers know that there are still many, many phpBB2 boards, and as of 1 February it will be open season. Plenty of incentive.
How about the possibility of a CSRF attack because of the use of $_GET for handling session id's when locking a topic, as a moderator or admin. From what I've been told, if you were to check the referrer of a picture located in the locked thread, it would contain the user's session id, which could then be used for an attack. I actually haven't looked into the legitimacy of this claim, as I haven't used phpBB2 code in quite some time, but if the id is truly handled using $_GET in that instance, then it would only make sense.
My phpBB3 styles: 610nm, Cerulean, CoDFaction, DarkFantasy, GuildWarsAlliance, twilightBB
http://www.gamexe.net

User avatar
Marshalrusty
Project Manager
Project Manager
Posts: 29189
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Marshalrusty » Wed Jan 14, 2009 2:39 am

Daniel Exe wrote:How about the possibility of a CSRF attack because of the use of $_GET for handling session id's when locking a topic, as a moderator or admin. From what I've been told, if you were to check the referrer of a picture located in the locked thread, it would contain the user's session id, which could then be used for an attack. I actually haven't looked into the legitimacy of this claim, as I haven't used phpBB2 code in quite some time, but if the id is truly handled using $_GET in that instance, then it would only make sense.
Yes, it's possible to get an administrator's SID from the referrer. The same can be done with phpBB3 or any other software that allows remote image posting. You don't even need an image. Just post a link and have the admin click it from the board.

What is the actual vulnerability in this case? An SID is not enough to hijack a session.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

deny
Registered User
Posts: 565
Joined: Wed May 14, 2003 9:14 am
Location: Find-Ip-Address.org
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by deny » Thu Jan 15, 2009 12:19 am

For all phpBB 2.x users i would suggest to install CrackerTracker mod from cback.de
It will stop 99% of all hacking attempt on your board.
Geolocation of any IP address including detection of hostname,
browser, country and country code with ip address range web tool.

IP Address Locator | Email Tracking | IP Address | Check Email

User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Phil » Thu Jan 15, 2009 12:40 am

Such a MOD usually does nothing but introduce further vulnerabilities into your board. They're completely unnecessary.
Moving on, with the wind. | My Corner of the Web

User avatar
Dog Cow
Registered User
Posts: 2476
Joined: Fri Jan 28, 2005 12:14 am

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Dog Cow » Thu Jan 15, 2009 6:47 pm

iWisdom wrote:Such a MOD usually does nothing but introduce further vulnerabilities into your board. They're completely unnecessary.
Unnecessary if you've got no vulnerable MODs, that is. Some people go around installing all these unapproved MODs and, guess what? They're unapproved because they've got security errors in them. So, for some people a "Security MOD" could provide some help. For others, nope, you are completely correct; they are useless.

So the problem is: how to identify such a MOD? For me, I can look through the code. For others, they have no such experience (and probably not the authors either, or they wouldn't have been written insecurely). So you have a choice: pick only from the safe, phpBB approved MODs, or you can take some risks by going to phpBBHacks site to get some unaproved MODs and potentially getting your site hacked. There are some perfectly-OK MODs (in terms of security problems) which are unapproved. But not everyone is able to tell.

Which brings us back the beginning: if you pick only safe, approved phpBB MODs, then in theory (and perhaps, in practice as well, because I haven't found any bad ones yet), you don't need a "Security MOD."
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookLincoln's Tomb at Oak Ridge Cemetery, Springfield

User avatar
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Spokane, WA
Name: David Lewis
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Highway of Life » Thu Jan 15, 2009 8:25 pm

@Dog Cow, you are correct. Although maybe it's because I’m on the MOD Team, but I have seen some MODs that have security issues, both phpBB2 and phpBB3. True they are not _everywhere_, but it only takes one MOD with a known security vulnerability to get hacked.
And that brings us back to this point: The only true “safe” option for users is to upgrade to phpBB 3
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programing?
Visit phpBB Academy at StarTrekGuide to learn how.

User avatar
Techie-Micheal
Security Consultant
Posts: 19510
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Techie-Micheal » Thu Jan 15, 2009 10:48 pm

Dog Cow wrote:
iWisdom wrote:Such a MOD usually does nothing but introduce further vulnerabilities into your board. They're completely unnecessary.
Unnecessary if you've got no vulnerable MODs, that is. Some people go around installing all these unapproved MODs and, guess what? They're unapproved because they've got security errors in them. So, for some people a "Security MOD" could provide some help. For others, nope, you are completely correct; they are useless.
I agree with you to an extent (that is after all, the point of these security mods), but I and others have found security holes in some of these security mods. Many of them very, very serious. That's why iWisdom said it is better to not use these security mods.
Proven Offensive Security Expertise. OSCP - GXPN

User avatar
Marshalrusty
Project Manager
Project Manager
Posts: 29189
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Marshalrusty » Fri Jan 16, 2009 9:19 am

Micheal and I identified a major vulnerability in one of these "security MODs" (I won't say which one) that was more serious than anything it could have hoped to protect against. I then reported a critical issue to the author of another one of these MODs which wasn't fixed for 3 months. Judging by Micheal's plural use of "holes", I can only imagine that he's done the same. When you look at the list of "security enhancements" that they claim to add, you really get a feel for the type of fallacy involved. The majority of fixes have nothing whatsoever to do with security.

The MOD even adds a nice counter to the bottom of the board which serves absolutely no purpose than to inform a potential attacker that the MOD is indeed installed so that they can take advantage of any vulnerabilities that may exist in it. Some of these MODs add checks to places where vulnerabilities used to exist a dozen versions ago. The code added does nothing more than increase the counter and kill the page. How does identifying vulnerabilities that no longer exist help raise security?

It is my opinion that such MODs should never be used unless they are in the MODs database here. Always be very cautious of anything that claims to blindly raise security.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Dogs and things » Fri Jan 16, 2009 9:47 am

When it comes to security, as far as I can tell from my server's error logs, Mod_security is stopping a considerable amount of hacking attempts dead on their tracks. I feel pretty secure and comfortable with it.
For phpBB2 support visit phpBB2refugees.

User avatar
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Spokane, WA
Name: David Lewis
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Highway of Life » Fri Jan 16, 2009 10:48 am

Don’t let mod_security give you a false sense of security.
Stefan Esser wrote:mod_security might be good to stop known worms.

A skilled attacker will however be able to get his payload through mod_security without triggering the rules.
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programing?
Visit phpBB Academy at StarTrekGuide to learn how.

User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Dogs and things » Fri Jan 16, 2009 11:10 am

Yes, of course I understand one is never totally safe.

But I find enough stopped attempts in my error logs to feel pretty safe and comfortable.

And anyway, this, in combination with my backups is all I think I can do and so far has been more than enough.

**Knockin' on wood with my fingers crossed**

**EDIT** By the way, I found the article you reference to.
For phpBB2 support visit phpBB2refugees.

User avatar
Dog Cow
Registered User
Posts: 2476
Joined: Fri Jan 28, 2005 12:14 am

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Dog Cow » Fri Jan 16, 2009 6:10 pm

Marshalrusty wrote:Micheal and I identified a major vulnerability in one of these "security MODs" (I won't say which one) that was more serious than anything it could have hoped to protect against.
Oh yes, I have looked into austin's security mod and other mods he has written. There's security holes (yes, plural-- and in just one mod) I know of in at least one of his mods that hasn't been reported yet, (will I report it? Nope.) and even if that mod and security mod are installed, you can still beat his "security" and exploit it.

My web host has Apache mod_security installed. Here is my reaction to it: :?
So I check my logs a few times a week, searching for the 406 errors. All of these "probes" are for open source software (such as joomla, wordpress, phpbb, ikonboard, and other software I don't use), or phpBB mods that I've never even once installed (and certainly won't consider installing now!) on the server. For sure, these probes/attacks won't do a single thing. Then I get the RFI attacks/probes which are targeted correctly, but still won't do anything because I validate my inputs.

If one were to assume that these probes/attacks which people are trying out do indeed work, and that such vulnerable software is indeed installed on the server, then Apache mod_security may help block most/some/all of these attacks. In theory at least, that is what a scan of my server logs seems to suggest.

But I see your points about Apache mod_security, because what it does to earn the :? reaction from me are its false positives. Even something as simple as typing a message with some "random" keywords which set it off. That annoys me, and I've sent more than a few emails to my web host asking them to disable it.

So once again we return to the notion that if you install proper, validated MODs, and you validate your input when writing your own, you don't need these security mods. If you want to mess around with MODs from phpBBHacks and other un-approved MODs, then who knows? :?

Some people (both novice programmers and end-users) just assume that "all software will have security holes, and that's just that," because they've never known anything different, when in fact, that doesn't have to be the case.
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookLincoln's Tomb at Oak Ridge Cemetery, Springfield

User avatar
3Di
Registered User
Posts: 11872
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano - Frankfurt
Name: Marco
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by 3Di » Fri Jan 16, 2009 11:40 pm

Dogs and things wrote:When it comes to security, as far as I can tell from my server's error logs, Mod_security is stopping a considerable amount of hacking attempts dead on their tracks. I feel pretty secure and comfortable with it.
Simply those MODs (assuming we can name them that way) are doing nothing, absolutely nothing. :ugeek:

My statement here belongs to an accurate code review me and others we did some year ago. ;)

http://www.phpbb.com/community/viewtopi ... 7&t=527674
Want to compensate me for my interest? Donate
Please PM me only to request paid works. Thx.
Extensions, Scripts, MOD porting, Update/Upgrades

User avatar
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 23722
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: Discuss: What does phpBB2's retirement mean for you.

Post by Paul » Sat Jan 17, 2009 9:16 am

3Di wrote:
Dogs and things wrote:When it comes to security, as far as I can tell from my server's error logs, Mod_security is stopping a considerable amount of hacking attempts dead on their tracks. I feel pretty secure and comfortable with it.
Simply those MODs (assuming we can name them that way) are doing nothing, absolutely nothing. :ugeek:

My statement here belongs to an accurate code review me and others we did some year ago. ;)

http://www.phpbb.com/community/viewtopi ... 7&t=527674
mod_security isn't a phpBB MOD, but a apache MODule ;). You need to install it at server level, and it can detect at certian ranges attacks, as long you use the correct rules.
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

Post Reply

Return to “phpBB Discussion”

Who is online

Users browsing this forum: No registered users and 26 guests