Will 3.0 have the ability for me to use ?PHP include() ? tag

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by karlsemple »

Highway of Life wrote: :lol: haha, yes, I know that. :P

I’m asking why you believe it is as unsafe as the html feature in phpBB2. ;)


As I stated earlier, the feature in itself is not insecure or unsafe; the users using it are going to be the problem. Any inclusion of external code is a possible security issue, made more so by the fact I am sure many people will use it to include already insecure code, which, as smithy_dll stated earlier, is not the point behind the feature. My own worry with this is that users will use it as a short cut to avoid writing mods in the proper format. In the same way, HTML in phpBB2 had the same problem: if people enabled the wrong tags, it could be used to redirect or include something unwanted.
Handyman`
Former Team Member
Posts: 1751
Joined: Thu Feb 03, 2005 8:44 pm

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Handyman` »

I agree with all that… but that still brings us back to the fact that anybody creating mods, no matter how they decide to do it, can create gaping security holes.
You can do this with any feature and/or function.
I've had the unfortunate pleasure of seeing it done on more than 1 occasion. :?
http://startrekguide.com My Mod Queue || 1/16/10 Display Posts Anywhere 1.2.0 RC5, Cash MOD 1.0.0 b1, MOD Version Check, AJAX Chat, SEO MOD, AJAX QR, Photo Gallery
MOD Development Manager (version 0.2.0-dev with MODX Generator)
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by david63 »

GroovePlugs wrote: I agree with all that… but that still brings us back to the fact that anybody creating mods, no matter how they decide to do it, can create gaping security holes.
You can do this with any feature and/or function.
I've had the unfortunate pleasure of seeing it done on more than 1 occasion. :?
But any mod with security holes will not be approved by the phpBB mod team, so that will not be an issue. If users want to use "unofficial" mods then they will be on their own and have to suffer the consequences.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by karlsemple »

david63 wrote:
GroovePlugs wrote: I agree with all that… but that still brings us back to the fact that anybody creating mods, no matter how they decide to do it, can create gaping security holes.
You can do this with any feature and/or function.
I've had the unfortunate pleasure of seeing it done on more than 1 occasion. :?
But any mod with security holes will not be approved by the phpBB mod team, so that will not be an issue. If users want to use "unofficial" mods then they will be on their own and have to suffer the consequences.


Agreed, not to mention phpBB do not officially support modified phpBB boards, although officially released mods are validated and thus a damn sight more secure than some script which any user can include.
poyntesm
Registered User
Posts: 1671
Joined: Tue Jan 18, 2005 11:19 am
Location: Dublin, Ireland

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by poyntesm »

The current documentation on MODifications for phpBB3 states no MOD is allowed to use this feature. See http://www.phpbb.com/mods/documentation ... /index.php
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by karlsemple »

poyntesm wrote: The current documentation on MODifications for phpBB3 states no MOD is allowed to use this feature. See http://www.phpbb.com/mods/documentation ... /index.php



....erm, and? I know that and fully agree with it; I do not see the relevance to what has been posted. The bottom line is many people will use this as a short cut to add things to their forums rather than install or write proper mods, and thus increase the possibility of introducing insecure code to their forum. Which is why I personally think this is as bad as adding HTML in phpBB2, and why smithy_dll earlier stated a warning about using it for anything other than what it was meant for.
poyntesm
Registered User
Posts: 1671
Joined: Tue Jan 18, 2005 11:19 am
Location: Dublin, Ireland

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by poyntesm »

Just making clear that they will not be allowed into the MODDB; I do not think that was clear in the topic.

I felt my post was on topic and providing an extra piece of information to the jigsaw...sorry if that was not clear
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

karlsemple wrote: As I stated earlier, the feature in itself is not insecure or unsafe; the users using it are going to be the problem. Any inclusion of external code is a possible security issue, made more so by the fact I am sure many people will use it to include already insecure code, which, as smithy_dll stated earlier, is not the point behind the feature. My own worry with this is that users will use it as a short cut to avoid writing mods in the proper format. In the same way, HTML in phpBB2 had the same problem: if people enabled the wrong tags, it could be used to redirect or include something unwanted.
You are quite correct.
I do agree with you 100%, and that is a much better explanation that admins should see.
But the difference between the html feature in phpBB2 and the PHPINCLUDE feature in phpBB3 is who can use it.
In one case, anybody who can use HTML can take advantage of it and exploit it; in the other case, you have a feature that can only be used by someone who can modify the template files (Founder or site developers) and is there to assist site developers -- NOT MOD developers, as it’s been pointed out that MODs should not use it, nor will they be approved if they use that feature.
This is why I don’t think it is as bad as enabling HTML on your board. -- And why I believe they should not be compared.

So this is what I’m saying: Only a site developer would actually be able to use it, and he would already have to have some idea of how to use it, since they would have to go through a process to enable its usage.
Sure, its implementation could be used in an unsafe manner, but a lot of things could be done to phpBB3 (and v2) that could be used in an unsafe manner.
For example, the Admin could accidentally give Full Admin privileges to all Registered Users.
Does that mean that we should discourage the Admin to use the Permissions tab? of course not.
Karl, the problem I had was that David said that it’s was only meant for hacking in ads.
In addition, if you have a menu written in plain HTML, ads, a header block, image, meta tags, stylesheets or some such thing, as I think Line was asking for -- including regular HTML using the PHPINCLUDE is not a problem.
But for the team, it would be better to say: Its usage is strongly discouraged.

I don’t think it should be compared to the HTML feature in phpBB2, because that is one of the features that has given phpBB2 its bad security reputation. -- and PHPINCLUDE is not even close to the same.
I think PHPINCLUDE will be used more to include HTML than PHP -- and of course, there is no security issue in that.
I could just as easily use an include() function inside the index.php of the board and include external code that could do something just as dangerous as with what could be included using PHPINCLUDE -- I really honestly don’t see a difference. :? (Except that to use PHPINCLUDE, it would have to be switched on)

Anyways, we are on the same page, perhaps just with different views on how it should be impressed upon the community. :lol:
AdamR
Former Team Member
Posts: 9731
Joined: Tue Mar 02, 2004 5:40 pm
Location: Tampa, Florida
Name: Adam Reyher

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by AdamR »

Highway of Life wrote: So this is what I’m saying: Only a site developer would actually be able to use it, and he would already have to have some idea of how to use it, since they would have to go through a process to enable its usage.


Yes, and? I don't consider myself a PHP guru, but to be honest I know what I'm doing to a good extent. ;) That being said, I've come back on PHP scripts I've written (no matter how small) months later and thought "What the heck was I thinking?" because right in front of me was a massive security hole. Just imagine what would happen when someone who just started learning PHP yesterday tries to include code. ;)

It really doesn't matter who can use it. If insecure code has been included, there's a good chance some user with a keen eye will spot it and try to exploit it. The same thing goes for HTML. Any administrator who knows what they're doing would never enable <object> or <embed>. But if they do, some user is going to spot it and exploit it. It's exactly the same concept.
But for the team, it would be better to say: Its usage is strongly discouraged.


What? This is precisely what David was getting at. It's a very useful feature. Just don't touch it if you don't know what you're doing, or else there's a high potential that security risks will be introduced.

- Adam
phpBB Support: Welcome | Userguide | Knowledge Base | Search
Honored supporter of the phpBB Group!
"If I have seen a little further it is by standing on the shoulders of Giants." - Isaac Newton
smithy_dll
Former Team Member
Posts: 7632
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by smithy_dll »

Highway of Life wrote: Karl, the problem I had was that David said that it’s was only meant for hacking in ads.

psoTFX wrote: A note, it is very much encouraged that template designers do not include PHP. The ability to include raw PHP was introduced primarily to allow end users to include banner code, etc. without modifying multiple files (as with 2.0.x). It was not intended for general use ... hence www.phpbb.com will not make available template sets which include PHP. And by default templates will have PHP disabled (the admin will need to specifically activate PHP for a template).


Emphasis mine.
Highway of Life wrote: But for the team, it would be better to say: Its usage is strongly discouraged.


And I did that, nothing more to it.
Highway of Life wrote: I don’t think it should be compared to the HTML feature in phpBB2, because that is one of the features that has given phpBB2 its bad security reputation. -- and PHPINCLUDE is not even close to the same.
I think PHPINCLUDE will be used more to include HTML than PHP -- and of course, there is no security issue in that.


Both get enabled by the admin. In both cases the admin is capable of creating a security hole. Therefore they are completely comparable because of what the admin has to do for it to happen.
Highway of Life wrote: I could just as easily use an include() function inside the index.php of the board and include external code that could do something just as dangerous as with what could be included using PHPINCLUDE -- I really honestly don’t see a difference. :? (Except that to use PHPINCLUDE, it would have to be switched on)


The key point is perception. People might perceive it to be safer, when they need to be aware that they need to be just as careful as always. (And of course, HTML would have had to have been switched on too.)


Neither makes phpBB insecure, I in no way inferred that. Both come turned off by default (say comparable to how Windows Server 2003 comes in a lockdown mode, or Vista comes with UAC turned on). It is then up to the admin to create the insecurities. Just like in HTML where they could safely enable things like the bold tag, an unknowing admin could enable <object> and <embed> to enable things like flash and media playback.
Systems Engineering
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Bend, OR
Name: David Lewis

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by Highway of Life »

Hi David. :D

I think we resolved the discussion already. ;)
Though just wanted to point out that the HTML feature was removed from phpBB3 because it was a much greater security risk.
AdamR wrote: Just don't touch it if you don't know what you're doing, or else there's a high potential that security risks will be introduced.
Exactly!! :D
All PHP whether included or used in a forum environment or otherwise has a high potential for security risks. It’s not amplified in a forum package. ;)

In addition, I wanted to point out that a user can still include items such as a banner, header, meta tags, menus, ads, etc. -- as long as it’s plain HTML -- using the <!-- INCLUDE ./../file.html --> function, which does not require PHP to be turned on for the templates. ;)
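The distinction the thread keeps returning to, between pulling a plain HTML fragment into a template and enabling PHP execution in templates, can be shown with a small PHP helper. This is an added example, not code from phpBB or from any poster here: the function name include_static_fragment(), the fragment directory and the sample menu.html file are all assumptions for the illustration. The helper reads the fragment as text, so even a file that happens to contain a `<?php ... ?>` block is emitted as inert markup rather than run, and it refuses names that would resolve outside the fragment directory.

```php
<?php
// Added example (hypothetical helper, not phpBB's own include handling).
// Serves a static template fragment as data without ever executing it.

declare(strict_types=1);

/**
 * Return the contents of $name inside $fragmentDir as a string, or null when
 * the name is not a plain "*.html" filename that resolves inside that directory.
 */
function include_static_fragment(string $fragmentDir, string $name): ?string
{
    // Accept only simple names such as "menu.html": no slashes, no "..".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $name)) {
        return null;
    }

    // Resolve both paths and require the file to sit below the fragment directory.
    $base = realpath($fragmentDir);
    $path = realpath($fragmentDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file, or resolved outside the fragment directory
    }

    // file_get_contents() returns bytes as data. Unlike include(), any
    // "<?php" inside the fragment is never interpreted.
    $html = file_get_contents($path);
    return $html === false ? null : $html;
}

// --- constructed demonstration -------------------------------------------
$dir = sys_get_temp_dir() . '/fragments_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents(
    $dir . '/menu.html',
    "<ul><li><a href=\"/\">Home</a></li></ul>\n"
    . "<?php echo 'this would only run if the file were include()d'; ?>\n"
);

// Static path: the embedded PHP tag comes back verbatim as text.
$fragment = include_static_fragment($dir, 'menu.html');
if ($fragment !== null && strpos($fragment, '<?php') !== false) {
    echo "fragment returned as inert text, PHP tag not executed\n";
}

// Names that leave the directory or do not exist are rejected.
if (include_static_fragment($dir, '../outside.html') === null) {
    echo "name with a path component rejected\n";
}
if (include_static_fragment($dir, 'missing.html') === null) {
    echo "nonexistent fragment rejected\n";
}

unlink($dir . '/menu.html');
rmdir($dir);
```

Running the same menu.html through include() instead of file_get_contents() is exactly the behaviour the PHPINCLUDE setting places behind an explicit per-template admin switch; the static helper never takes that path, which is why a plain HTML menu, banner or header block needs no PHP enabled at all.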
naderman
Consultant
Consultant
Posts: 3754
Joined: Fri Aug 01, 2003 10:06 pm
Location: Berlin, Germany
Name: Nils Adermann

Re: Will 3.0 have the ability for me to use ?PHP include() ? tag

Post by naderman »

What smithy_dll wrote about PHPINCLUDE was correct. It's intended for webmasters who want to simply hack in some code, e.g. banner ads. But a menu.php which Highway of Life mentioned (and incorrectly understood as something else) is such a valid use too. So you actually both have the same opinion ;-)

Generally that feature is supposed to be used by webmasters for simple addition of code in template files. Emphasis is on webmasters, as this should not be a part of a standard template.
I appreciate gifts from my Amazon wishlist.
naderman.de twitter: @naderman