»How to protect your phpBB forum against hackers«

TIP B: Rename the folder "admin/" to something else. This is ONE OF THE BEST things you can do to keep crackers out.
After doing so you will most probably get an error message the next time you log in. Most probably you will have to • Open "includes/functions.php"
• Update

include($phpbb_root_path . 'admin/
with your new foldername.
• Open "admin/pagestart.php"
• Find

if ($HTTP_GET_VARS['sid'] != $userdata['session_id'])
• Before add:

if ($HTTP_GET_VARS['sid'] != $userdata['session_id'])
{
redirect(append_sid(
basename(dirname($HTTP_SERVER_VARS['PHP_SELF']),"/").'/'.basename($HTTP_SERVER_VARS['PHP_SELF'])
));
}

A weak point in phpBB installations is that "config.php" contains the database password and the table prefix as clear text = unencoded.

It reads something like

$dbuser = 'admin';
$dbpasswd = 'abc123';
$table_prefix = 'phpbb_'; 

Usually there is no way someone can view this file, but don't be so sure if there won't be some crack around. Actually there was a bug in PHP recently (not in phpBB but in PHP itself) that made it possible that intruders spy config.php out.

Also, when the %2725 bug hit the internet (see above) intruders could view "config.php" in clear text.

TIP A: I have written a mod that lets you use encrypted values for your phpBB config.php file:

•	Download the attachment (see below)

•	Upload "secureconfig.php" and "a.php" into the folder where your phpbb forum is located

•	Set the attributes of a.php to "world writable" (666)

•	Run "secureconfig.php" and replace the three parameters ($dbuser, $dbpasswd, $table_prefix) as "secureconfig.php" tells you when you run it.

•	Delete "secureconfig.php"

This security mod encrypts/decrypts the 3 values using the "server path"

$_SERVER['DOCUMENT_ROOT'] 

as the key.

The server path (= the path where your phpBB is installed) is something like

/home/users/tp1983/forumfolder/ 

and is pretty unique for each phpBB installation. Even on the same server this path differs for each phpBB installation.

Thus EVEN IF AN ATTACKER knows the decryption algorithm (from the attached file a.php) AND knows the encrypted password, he couldn't decrypt anything because the server path is unknown to him.

In other words: It's pretty secure. An intruder would have to find out your server path (which is unlikely unless an attacker has FTP access) AND he would have to know the code of "a.php" (which is unlikely, unless he knows in-my-opinion.org) AND he would need to install "a.php" somewhere AND he would have to modify it a bit.

Please note: If your path changes then you have to rerun the program.

•	Open "config.php"

•	Type in the clear text (= unencoded values) for the three parameters ($dbuser, $dbpasswd, $table_prefix)

•	Upload "secureconfig.php" and "a.php" again

•	Rerun "secureconfig.php"

TIP B: Don't use the same password for your database as you use for your FTP login or for phpBB login.

Make sure, when you edit your config.php, that the last line does not contain any character (not even a space or a newline) and contains only 2 characters:

?>