Argh, hackers! This is a description of how to make it harder for an attacker to harm your phpBB discussion board or to gain control over it, should a new security issue be found.

Please also see my other phpBB mods at and the backup suite at IMO → PhpBB mod (freeware): Backup database and files

My tips will help you to protect your phpBB no matter what future bugs or security issues will be found. And no matter what current security issues exist. Let's see the history of critical (= very serious) security issues:

phpBB critical update to 2.0.11: My tips would have protected your forum
phpBB critical update to 2.0.13: My tips would have protected your forum
phpBB critical update to 2.0.15: My tips would have protected your forum
phpBB critical update to 2.0.16: My tips would have protected your forum
phpBB critical update to 2.0.17: My tips would have protected your forum
phpBB critical update to 2.0.18: My tips would have protected your forum
phpBB critical update to 2.0.19: My tips would have protected your forum

Unfortunately, the creators of phpBB do not take the fixing of security issues seriously enough.

But whatever: This is NOT a description of how to fix known bugs in phpBB anyway. Moreover, it's NOT ENOUGH to fix the currently known bugs.

Right now, while I write this, phpbb.com itself is under attack. Their site is unavailable except for the text:

"At present phpbb.com is offline due to a group of politically motivated hackers. ... A third party application looks to have been the problem. ... Please do not ask us... we simply cannot comment at this time without having further information ourselves. Just as soon as we have a clearer picture, which depending on the condition of our server may be impossible to obtain, we will update the community. ... We are working to recover the server. ... The persons who attacked the site deleted all web access logs, all system logs and the root user log. Other critical system folders/files were also deleted."

The following tips will prevent 99% of cracks, since most cracks are done by script kiddies. Some of the tips also apply to software other than phpBB, so you should read them even if you don't use phpBB.

posted by knn
How to protect your phpBB forum against hackers
Often the ones who try to hack your forum don't even know your forum. They found you accidentally with Google. Often hackers look in Google for pages that contain "Powered by phpbb 2.0.3" or similar to exploit bugs in exactly this version. Thus change the text "Powered by phpBB" to something else. You can leave the link to but please change the wording.

To change the wording simply change "phpBB" to "php B.B."

You may also consider using a .gif image that says "Powered by phpBB". I have attached one (see below). You may also consider using my "Floating Menu mod" (which you can currently see in the upper left corner, and which has some other advantages). You can download the mod from

To effectively change the wording you need only to change the file "overall_footer.tpl" of your default template. If you want to hide the version info of your phpBB board then

posted by knn
THERE ARE BASICALLY ONLY the following .php scripts to mass delete forums/posts/topics. (If you know of more then please reply in this thread.) In other words: If you limit the following methods, then an intruder can hardly harm your forum by mass deletion.

Thus if an intruder should gain control over 1 of these files (for example by intruding as a "fake admin" or a "fake mod"), then he can do much harm.

Tip A: "admin_db_utilities.php" is probably the most important (= severe) of these files and the most unimportant (= useless in an admin's everyday life). Simply delete (or rename) the file "admin/admin_db_utilities.php". If an attacker should gain control over your administration panel then at least he has no control over your database. If you don't delete the above file, an attacker who logs in as admin can alter ANY data in your database or delete the database completely: With the 3 words

You should use other means to back up your database anyway. I have written a phpBB Backup Suite. Check it out at IMO → PhpBB mod (freeware): Backup database and files

Tip B: You can also delete (or rename) the file "admin/admin_forums.php". After you have set up your board (with all the sub forum names and descriptions), you will hardly need that file again. If you need it, then upload it again, change your forum structure and delete it again. Should you leave this file, then an intruder can delete any forum with a single click.

Tip C: Another method by which an intruder can delete a bunch of topics at once is "modcp.php". You can rename this file to something else, which is actually a bad idea, since this file is needed to move/delete/merge/split topics. So the following approach is better: You can abolish the "Delete topics" function (hell, why do you need to delete a topic anyway?):

Now if you legitimately want to delete a whole topic then you have to delete it post by post. However, from my own experience I know of no case when deleting a whole topic would make sense, EXCEPT in the event of an accidental double post (= someone started a topic and accidentally pressed the "submit" button twice). But in that case such a topic consists of only 1 post, thus deleting it "post by post" causes not much trouble. Of course, an intruder (= logged in as fake admin or fake mod) could still delete posts manually one after another. But I think that's too tiresome for most of them.

posted by knn
TIP A: Force an ADDITIONAL login to access the admin panel. I think one of the best ideas is to password-protect your admin folder. I have written a .php script that will do that for you.

TIP B: Rename the folder "admin/" to something else. This is ONE OF THE BEST things you can do to keep crackers out. After doing so you will most probably get an error message the next time you log in. Most probably you will have to

TIP C: If you want you can trick an attacker even more after you have renamed your admin/ folder (TIP B). Simply create a new "admin/" (= an empty folder) with only 1 ".htaccess" file inside. I have attached such a .htaccess file. It will annoyingly ask the intruder for a username and password. The intruder will think that the admin/ folder is password protected and will give up his attacks and will not search for the real admin folder.

TIP D: Delete the admin link at the bottom of each page. You can do this usually by editing "page_tail.php":

Combined with the renaming of the "admin" folder (Tip B) it's an easy yet very effective measure.

posted by knn
Don't use "phpbb_" as table prefix. A lot of crackers assume that you use the default table prefix "phpbb_" for their SQL injection attacks. Think something up that is not obvious. It can be a really crazy prefix, most probably you won't ever need to know it again. Do the following to change your prefix:
posted by knn
Cookie cracks are hacks where the attacker logs in as admin (or any other user) by manipulating a cookie on his own hard disk. Modern browsers refuse to accept manual changes in cookie files, but there are some ways around... These attacks only work if you have "auto-login" enabled. Disabling "auto login" will keep cookie crackers out but will mean a hassle for your users, since they have to log in every time they visit your website. Thus you may add the following code.

In other words: Autologin stays as before, except if someone tries to log in from unusual IPs. To add this mod to your phpBB do the following:

Warning: If you think that you are on the safe side just because you have updated to the newest phpBB version, then you are mistaken.

In other words: Install my mod AND rename your admin/ folder (see tip above).

posted by knn
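The idea of the post above, honouring an autologin cookie only from a familiar IP, written out as an added example. This is not knn's mod or phpBB's code; the stored-IP column name (user_last_ip) and the "same /24 network" rule are assumptions, the hex IP format follows phpBB 2's encode_ip() in includes/functions.php.

```php
<?php
// Added example (not knn's mod): honour a phpBB 2 autologin cookie only when
// the visitor's IP shares its /24 network with the IP recorded at the last
// password login. Anything else falls back to a normal password login.

// phpBB 2 stores IPs as 8 hex characters (see encode_ip() in
// includes/functions.php); this helper mirrors that format so the stored and
// current values compare alike. Malformed input yields the sentinel 00000000.
function ip_to_hex($ip)
{
    $parts = explode('.', (string) $ip);
    if (count($parts) !== 4) {
        return '00000000';
    }
    foreach ($parts as $p) {
        if (!ctype_digit($p) || (int) $p > 255) {
            return '00000000';
        }
    }
    return sprintf('%02x%02x%02x%02x', $parts[0], $parts[1], $parts[2], $parts[3]);
}

// True when both hex IPs share their first three octets (same /24 network).
function same_class_c($hex_a, $hex_b)
{
    return substr($hex_a, 0, 6) === substr($hex_b, 0, 6);
}

// Decide whether an autologin request may be honoured.
// $stored_hex_ip: IP saved at the last password login (assumed column user_last_ip)
// $current_ip:    $_SERVER['REMOTE_ADDR'] of the request carrying the cookie
function autologin_allowed($stored_hex_ip, $current_ip)
{
    $current_hex = ip_to_hex($current_ip);
    if ($stored_hex_ip === '' || $stored_hex_ip === null || $current_hex === '00000000') {
        return false;   // no known last IP, or unparsable current IP: ask for the password
    }
    return same_class_c($stored_hex_ip, $current_hex);
}

// Constructed walk-through: last password login came from 192.0.2.10; the
// cookie is then presented from the same /24 and from an unrelated network.
$last = ip_to_hex('192.0.2.10');
var_dump(autologin_allowed($last, '192.0.2.77'));    // same network: autologin stays
var_dump(autologin_allowed($last, '198.51.100.5'));  // unusual IP: password required
```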
Prevent future cracks that abuse the 'preg_replace()' exploits = 'highlight' vulnerability = Santy worm

This is probably the WORST of all bugs. Most forums run on servers that host a lot of other domains. This hack allows an attacker to gain control over the whole machine. In other words: 1 unsecured phpBB forum can open the door for complete destruction of all other websites on that server (can be several thousand websites). In other words: You don't even have to know any of the websites, but if only 1 phpBB forum exists on that server then an attacker may be able to delete each and every website, spy out passwords, distribute child porn and abuse the server to attack more unsafe phpBB discussion boards.

TIP: Use ".htaccess" to disallow certain hostile URLs that could contain malicious code.

TIP: Search for

posted by knn
Make yourself the only one who can become admin = no other registered user (or intruder) can gain admin rights.

If you want to be the only admin AND the only mod

This Tip prevents the following: A user signing up as a new user and making himself a mod/admin by manipulating the database. So even if he is a "mod as per database" he wouldn't become a mod. That mod is not too powerful, since anyone who can manipulate the database can do some other harm to the database. But it's a simple mod and it can frustrate attackers.

posted by knn
OK, this will not prevent anything, but it helps you to find out what happened, should a 'hack in' occur.

TIP: Add database logging. If you use MySQL then do the following:

TIP: Add the "phpBB IP Logger Mod" (phpbb "IP Logger")

posted by knn
Add the following php code to stop SQL injection cracks

TIP: If you haven't updated to a phpBB version >= 2.0.10 do at least the following

posted by knn
Tips for programmers: If you are a programmer yourself (= if you make your own mods) then prevent SQL injection exploits and other attacks by following these tips:

TIP: Never use "urldecode" or "rawurldecode"

TIP: If you expect a number as user input, then make sure you use

TIP: If you want to output a user input (user -> html) then use

TIP: Always use quotes if you use a user input in an SQL query

posted by knn
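The programmer tips above, and the earlier post on stopping SQL injection cracks, as one added example (not knn's or phpBB's code). It shows the three helpers as plain functions and why the "always use quotes" rule matters even when input is escaped; the escaper mirrors the character set of mysqli_real_escape_string() only so the demo runs without a database.

```php
<?php
// Added example (not knn's code): the three "tips for programmers" as helper
// functions, plus a demonstration of why quoting matters even for escaped input.

// TIP: a number is expected -> force an integer, never trust the raw string.
function safe_int($value)
{
    return intval($value);
}

// TIP: user input going back to HTML -> encode it, so markup stays text.
function safe_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// TIP: user input going into SQL -> escape AND put it in quotes.
// The escaper covers the same characters as mysqli_real_escape_string(); with a
// live connection use that function (or prepared statements) instead.
function sql_escape($value)
{
    return strtr((string) $value, array(
        "\0" => '\0', "\n" => '\n', "\r" => '\r',
        '\\' => '\\\\', "'" => "\'", '"' => '\"', "\x1a" => '\Z',
    ));
}

function sql_quote($value)
{
    return "'" . sql_escape($value) . "'";
}

// Constructed input as it might arrive in a query string parameter.
$raw = '1 OR 1=1';

// Escaping alone does nothing here: there is no quote to break out of, so the
// extra condition reaches SQL unchanged.
$unquoted = 'SELECT * FROM users WHERE user_id = ' . sql_escape($raw);

// Quoted, the whole input is one string literal compared against user_id.
$quoted   = 'SELECT * FROM users WHERE user_id = ' . sql_quote($raw);

// Best for numeric columns: the value is an integer before it reaches SQL.
$numeric  = 'SELECT * FROM users WHERE user_id = ' . safe_int($raw);

echo $unquoted, "\n", $quoted, "\n", $numeric, "\n";
echo safe_html('<b onmouseover="x()">name</b>'), "\n";
```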
A weak point in phpBB installations is that "config.php" contains the database password and the table prefix as clear text = unencoded. It reads something like

Usually there is no way someone can view this file, but don't be so sure that there won't be some crack around. Actually there was a bug in PHP recently (not in phpBB but in PHP itself) that made it possible for intruders to spy out config.php. Also, when the %2725 bug hit the internet (see above) intruders could view "config.php" in clear text.

TIP A: I have written a mod that lets you use encrypted values for your phpBB config.php file:

This security mod encrypts/decrypts the 3 values using the "server path"

The server path (= the path where your phpBB is installed) is something like

Thus EVEN IF AN ATTACKER knows the decryption algorithm (from the attached file a.php) AND knows the encrypted password, he couldn't decrypt anything because the server path is unknown to him. In other words: It's pretty secure. An intruder would have to find out your server path (which is unlikely unless an attacker has FTP access) AND he would have to know the code of "a.php" (which is unlikely, unless he knows in-my-opinion.org) AND he would need to install "a.php" somewhere AND he would have to modify it a bit. Please note: If your path changes then you have to rerun the program.

TIP B: Don't use the same password for your database as you use for your FTP login or for your phpBB login. Make sure, when you edit your config.php, that the last line does not contain any character (not even a space or a newline) and contains only 2 characters:

posted by knn
I have already mentioned above how you can use the .htaccess file to protect yourself against the Santy worm. Please also add the line

posted by knn
The highlight exploit was the basis of the Santy Worm (see above). If we assume that no one actually searches for characters like

We shouldn't need such characters anyway, since even Google filters them out. In other words: For Google "\[]love%s]" is the same as "love s".

posted by knn
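An added example of the filtering this post and the earlier Santy post argue for: the 'highlight' query parameter is reduced to letters, digits and spaces before any later code sees it, and a tamper check flags requests that needed cleaning. This is not knn's code or phpBB's; the function names, limits and the sample inputs are constructed for the example.

```php
<?php
// Added example (not knn's code): whitelist the phpBB 2 'highlight' query
// parameter before it reaches the search/viewtopic code. Anything that is not a
// letter, digit or space is dropped, so encoded quotes such as %27 or
// double-encoded %2527 never survive to a later urldecode()/preg_replace().

function clean_highlight($raw, $max_words = 10, $max_word_len = 40)
{
    // PHP already decoded the query string once into $_GET; do NOT call
    // urldecode() on it again (see the "Tips for programmers" post).
    $words = preg_split('/[\s+]+/', (string) $raw, -1, PREG_SPLIT_NO_EMPTY);
    $clean = array();
    foreach ($words as $w) {
        // Keep only characters a human would actually search for.
        $w = preg_replace('/[^A-Za-z0-9]/', '', $w);
        if ($w === '') {
            continue;
        }
        $clean[] = substr($w, 0, $max_word_len);
        if (count($clean) >= $max_words) {
            break;
        }
    }
    return implode(' ', $clean);
}

// True when the parameter had to be altered, which is worth writing to your
// log: legitimate users do not search for quotes, brackets or percent signs.
function highlight_was_tampered($raw)
{
    $normalised = trim(preg_replace('/[\s+]+/', ' ', (string) $raw));
    return clean_highlight($raw) !== $normalised;
}

// Constructed inputs: an ordinary search and the odd-character string the
// post uses as its example.
$ordinary = 'love phpbb';
$odd      = '\[]love%2527s]';
echo clean_highlight($ordinary), "\n";
echo clean_highlight($odd), "\n";                    // letters and digits only
echo highlight_was_tampered($ordinary) ? "suspicious\n" : "ok\n";
echo highlight_was_tampered($odd) ? "suspicious\n" : "ok\n";
```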
phpBB asks you to use this code:

Do you trust this monster? Not me. It calls the [ url ] handling 4 times and has been used (prior to 2.0.17) to steal cookies/passwords. Since 2.0.17 the code has been fixed, but I still don't trust it. Thus open bbcode.php and find the 4 lines that start with

Delete all these 8 lines and replace all 8 lines with the following

A nice side effect is that

So we are actually not only fixing a possible security hole but we are enhancing the URL handling.

posted by knn
The time now is 22 August 2008, 04:27 php B.B.