In-My-Opinion.org

»How to protect your phpBB forum against hackers«







anonymous2:
"Playing with words" hahaha I was proving your choice of words wrong. A site isn't accidentally hacked.

It's accidentally found. You are again playing with words. And in the case of the Santy worm, which was attacking thousands of forums automatically, I would even say that it's "accidentally hacked".
anonymous2:
I'm guessing the security report you submitted was something about leaving the admin folder named "admin" as an exploit . . .

I never submitted any security report. A phpbb moderator told me that it's my own fault that the .patch files (= the ones used to update a phpBB installation) destroyed my forum, since my forum was modded. When I pointed out that they either don't take modding seriously or don't take security seriously I was warned and my topic locked.
anonymous2:
knn:
But awstats as an installed server software should be even more frequent than phpbb. Thus your comment does not apply.

What? Could you finish your sentence? There's no verb in it. It makes no sense at all.

As if "should be" wasn't enough. OK, let me repeat:
• Awstats is very common software on servers.
• You state: phpbb.com was hacked NOT because of a bug in phpbb, OTHERWISE more hacks would have occurred in OTHER forums.
• I said that Awstats is used MORE than phpBB, thus if it was a bug in Awstats then more sites would have been hacked.
• In other words: Your objection "No other forum hacks, thus not a phpbb bug" does not apply.


Clear now?

I am not saying that phpbb.com was hacked because of a phpbb bug. BUT: You simply can't trust what phpbb.com is saying. And they don't know themselves, since all their logs have been deleted.


posted by knn


Re: Delete that link anyway


knn:
If someone finds out your (= the admin's) password hash (for example due to a bug in phpbb, or because you use the same password on other (buggy) boards) then he could enter your admin area easily.

I see, but anyways once a f*cking hacker gets access to your admin account, he can get rid of every post! Hackers are sooo dumb yuck
Well, I'll follow this advice, I mean getting rid of the link to the admin panel, changing the name of the admin folder and creating a .htaccess file in the new 'admin' folder!

I just wanted to thank everybody who posted tips to increase the security of phpBB, and whatever morons say, I agree with knn!


posted by Guestman

Delete these 2 .php and you will be pretty safe



Guestman:
I see, but anyways once a f*cking hacker gets access to your admin account, he can get rid of every post!

Actually: No.

If you delete (or rename) the Database backup function (admin_db_utilities.php) and the Forum management function (admin_forums.php) then a "fake admin" cannot do much, except browse your forum and delete single posts and topics by hand.

I am writing a phpBB Backup Suite now (will post it here soon), so you won't need admin_db_utilities.php anyway.

You may also want to rename "modcp.php", so that mass deletions of topics aren't possible.


posted by knn

Re: You don't know


A Goat:
The worst possible person to comment on a program's security is the developer.

Actually the developer knows what measures were taken for security. In most cases the person who reported it doesn't know what they are talking about. They think it is an exploit when it really isn't.
knn:
Yes, good link. BUT HOW THE HECK DOES ONE FIND IT? It's hidden under
"modifications -> upgrade tools"

Is that where security updates should be?

It's so hidden that a phpbb moderator even told me that there is nothing like that.
• It's not under "Downloads"
• It's not under "Support"

It's kind of hard not to find those MOD Template versions of the changes when they are linked to from the announcement about the new version.
knn:
Moreover, as far as I can see, their updates contain ALL KINDs of fixes, not only security issues.

If you go to phpbb.com, do you see any link to "Security related upgrades"?

Like your first line, more than just security problems are in each upgrade. Bugs are also fixed. So you can't put every update of the software under a "Security related upgrade" category. IMO you shouldn't only upgrade because of security problems but also because of bug fixes. Just as much as I don't want insecure software, I don't want buggy software.

Anyways, in the new Security Tracker you can find all of the submitted security problems that have been fixed and in what version. That way you can upgrade accordingly.
knn:
Oh, my gosh, this bug is described as "Next Development Version vulnerable to highlight exploit" (what the heck?) and when you click on the link THERE IS NO FURTHER INFORMATION.

That's talking about Olympus. Know your facts before making any comments.
knn:
I never submitted any security report. A phpbb moderator told me that it's my own fault that the .patch files (= the ones used to update a phpBB installation) destroyed my forum, since my forum was modded. When I pointed out that they either don't take modding seriously or don't take security seriously I was warned and my topic locked.

When you MOD your board it isn't vanilla anymore. Those patches are only guaranteed to work on vanilla boards. You can't blame someone else for something you did.

How can phpBB not take MODding seriously when they have a section dedicated to it at their site?
knn:
As if "should be" wasn't enough. OK, let me repeat:

Here would be the correct way to say your sentence since you don't seem to know how. "But awstats as an installed server software should be even more frequently installed than phpbb. Thus your comment does not apply." Installed is the verb, frequently is the adverb.
knn:
Awstats is a very frequent software on servers.

It is probably true but CPanel puts Awstats behind a password. Most people use CPanel and if they don't they still usually put Awstats behind a password. phpBB isn't used behind a password so I don't see how your statement applies.

knn:
• You state: phpbb.com was hacked NOT because of a bug in phpbb, OTHERWISE more hacks had occurred in OTHER forums.

search.msn.com...
sourceforge.net... sourceforge.net...
I think there are plenty of sites out there that could be hacked if it was a problem with phpBB.
knn:
• I said, that Awstats is MORE used than phpBB thus if it was a bug in Awstats then more sites had been hacked.

Like I said earlier, Awstats in most cases is behind a password. Any old user could browse your phpBB installation.
knn:
• In other words: Your objection "No other forum hacks thus not a phpbb bug" does not apply.

I think your objection doesn't apply.
knn:
I am not saying that phpbb.com was hacked because of a phpbb bug. BUT: You simply can't trust what phpbb.com is saying. And they don't know themselves, since all their logs have been deleted.

When phpBB.com was hacked, other sites were also attacked by the same group that hacked phpBB through Awstats. Talking with the hackers also confirmed that it was through Awstats.
knn:
If you delete (or rename) the Database backup function (admin_db_utilities.php) and the Forum management function (admin_forums.php) then a "fake admin" cannot do much, except browsing your forum and delete single posts and topics by hand.

Wrong. The hacker could delete every forum on your board and choose to delete all of the posts within that forum as well.



Like I said, your tips are good. There is a point between what is necessary and what is just plain annoying. Your tips are over on the annoying side.


I'm done, you think you know but you don't. There's no point in debating with you any further.


posted by anonymous2

Please Help!


Hi, I installed the Encrypt Your config.php mod. It gave me a white page, so I deleted the a.php and restored the original config.php; this didn't help. What else did this mod do and how do I undo it? Please help!

PS I tried to register but got an error

Could not insert data into users table

DEBUG MODE

Line : 896
File : usercp_register.php

posted by ShadowTek

Edit it back



ShadowTek:
and restored the original config.php, this didn't help, what else did this mod do and how do I undo it? Please help!

Nothing. It doesn't even change your config.php. It only tells you HOW to change your config.php. If you edit it and something goes wrong then simply edit it back.

I would say that if things don't work after you re-edited your config.php, then it's not the fault of my script. If you want you can PM me, so that we find out the reason why it failed.
ShadowTek:
PS I tried to register but got an error

Ooops, sorry. Should be fixed now. I was experimenting with a new phpbb anti-spam measure.


posted by knn

The final proof of arrogant behaviour



anonymous2:
It's kind of hard not to find those MOD Template versions of the changes when they are linked to from the announcement about the new version.

Look, I (as a user/webmaster of phpbb) tell you: The security updates _ARE_ hard to find. If you don't know where to look, you won't find them.

Everybody can check what I mean: Go to phpbb.com and try to search for all security updates from, say, ver 2.0.5 to 2.0.12.

Moreover, I don't see any link from the page you gave. There is only a link to a topic to more links. It's the situation I already described: The security updates are hard to find.

I made a screencap to show everybody what I mean.
anonymous2:
Anyways, in the new Security Tracker you can find all of the submitted security problems that have been fixed and in what version. That way you can upgrade accordingly.

I ask everybody to see it for themselves who is right, me or you:
Go to the security tracker at
and then tell me whether it's clear from the descriptions what you need to do or what not to do. I highly doubt it that a normal webmaster knows what to do.

I made 2 screencaps of your security tracker. The text is confusing, incomplete, doesn't hint at the seriousness of the security issue and doesn't lead to any URL with a fix.

It's non-satisfactory, to say the least.
anonymous2:
Over 46 million pages contain "Powered by phpBB"

So? Google lists 10'000-20'000 pages for this website alone (in-my-opinion.org). For phpbb.com it's 100'000+, for able2know.com it's 400'000. OK, that's not 100% correct, but you get the point.
anonymous2:
Around 10,000 downloads a day

Doesn't say anything about installations. Maybe it's 8'000 hackers daily, trying to find a way in.
anonymous2:
Over 250,000 downloads of 2.0.11 since it was released

Yes, THAT says something.
anonymous2:
There is a point between what is necessary and what is just plain annoying. Your tips are over on the annoying side.

I'm done, you think you know but you don't. There's no point in debating with you any further.

I think this statement alone shows the whole arrogance. How in the world can my security tips be annoying? Which one is annoying? The one that says "Password protect your administration area"? Or the one that says "Log everything that happens on your server"? Or the one to "Allow admin logins from known IPs only"? It's unbelievable how anyone could make a statement like yours.

While I try to help others to secure their forum, no matter what bugs will be found, you try to insist that everything is OK as it is.




posted by knn

New phpBB 2.0.13 released today - proves completely my point



anonymous2:
There is a point between what is necessary and what is just plain annoying. Your tips are over on the annoying side.
I'm done, you think you know but you don't. There's no point in debating with you any further.

Just TODAY (as the above poster complains about my tips) 2 new security fixes had to be released:
The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible


Needless to mention that my security tips would have prevented intruders from gaining admin rights. Sometimes I don't know whether I should cry or laugh, but that should show you how irresponsibly anonymous2 acts.

BOTH security issues (that had to be fixed in the newest phpBB version) would have been prevented with my tips in this thread here.


posted by knn

Re: How to protect your phpBB forum against hackers


I'm trying to program little PHP programs. In your thread you write about "security checking programs". Do you have any links for these programs?

It would be nice because I'd like to test a security checking program.

Thank you.

Greetings,
Martin

posted by pirast



pirast:
I'm trying to program little PHP programs. In your thread you write about "security checking programs". Do you have any links for these programs?

It would be nice because I'd like to test a security checking program.

The only such programs to test for security holes in your phpBB installation can be found on hacker sites or sites that deal with phpbb issues.

You can try phpbb security proof of concept or IT Security forum


posted by knn


Hm OK, thank you.

posted by pirast

Config.php


Hey... ummm... I offer hosting to people on my site, and I'm on a shared host... how can I deny their ability to use a highlight.php file to view my config.php, which pretty much gives them full access to my database?

I used the config encrypt one for first measures, but the above would be the BEST way to accomplish this.

posted by CodeZero

Highlight.php?



CodeZero:
highlight.php file to view my config.php, which pretty much gives them full access to my database?

highlight.php? What's that?


posted by knn

I think he means



the problem with the "highlight" code phpBB had in viewtopic.php:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
	// Split words and phrases
	$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

	for($i = 0; $i < sizeof($words); $i++)
	{

and replace with:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
	// Split words and phrases
	$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

	for($i = 0; $i < sizeof($words); $i++)
	{



posted by Sippenhaft
  Rebellion is the only way to reform!
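
Why dropping that urldecode() is the whole fix, shown as an added Python model of the two viewtopic.php variants in the post above (this is not phpBB's code; the function names and the sample request are my own): PHP has already percent-decoded the query string once when it fills $HTTP_GET_VARS, so a second urldecode() turns a double-encoded value such as %2527 back into a single quote, a character that htmlspecialchars() never escapes, after the point where it could have been neutralized.

```python
import re
from urllib.parse import unquote_plus


def php_htmlspecialchars(s: str) -> str:
    """Emulates PHP 4 htmlspecialchars() in its default ENT_COMPAT mode:
    & < > and the double quote are escaped, the single quote is left alone."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def get_var(query_string_value: str) -> str:
    """What PHP stores in $HTTP_GET_VARS: the raw query value decoded once."""
    return unquote_plus(query_string_value)


def highlight_words_before(highlight: str) -> list:
    """viewtopic.php before the fix: a second urldecode() runs on a value that
    PHP already decoded, then htmlspecialchars(), trim() and explode(' ')."""
    return php_htmlspecialchars(unquote_plus(highlight)).strip().split(" ")


def highlight_words_after(highlight: str) -> list:
    """viewtopic.php after the fix: same pipeline without the extra urldecode()."""
    return php_htmlspecialchars(highlight).strip().split(" ")


def looks_double_encoded(highlight: str) -> bool:
    """Log-review heuristic (my own, not phpBB's): a literal %XX sequence that is
    still present after PHP's own decode means the client sent it double-encoded."""
    return re.search(r"%[0-9A-Fa-f]{2}", highlight) is not None


if __name__ == "__main__":
    # Constructed request: the client double-encodes a single quote (%27 -> %2527).
    sent = "foo%2527bar"
    value = get_var(sent)                 # "foo%27bar", as seen in $HTTP_GET_VARS
    print(highlight_words_before(value))  # ["foo'bar"]: the quote survives htmlspecialchars()
    print(highlight_words_after(value))   # ["foo%27bar"]: inert text, nothing to escape
    print(looks_double_encoded(value))    # True
```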

highlight.php


Well... the thing is that they are on my server, and they can make a file called highlight.php and direct it to my config.php, which would show them the contents. Then the a.php, and so forth.

posted by CodeZero


