Proposed code review of phpBB

[vanderaj]

Hi there,

let's start again.

I wish to help the phpBB team perform a thorough code review of their phpBB 2.0.x code to weed out existing and avoid adding security holes in the future.

Why offer to help? I don't use phpBB but am directly affected by its issues. I share my infrastructure with many phpBB boards. Every time it (or other software) gets taken out, I lose thousands of posts as my hoster has a system compromise policy where they restore the entire machine back to before the attack. Please note that phpBB is not the only software to blame here, but it's one of the ones that caused a few restores this year already.

The reason for not just doing a code review by myself is to help phpBB coders to "learn to fish rather than just providing the fish". I realise that there are people here who understand PHP security (ie already know how to fish), but I wish to help really raise that bar even more. In addition, I don't have a lot of time, so a few volunteers really helps speed this process and makes the process a lot more effective.

The method I use is the six step MS threat risk modelling process, using the OWASP 2.0 Guide as a checklist. I am the current technical editor and lead author of this effort:

http://www.owasp.org/" target="_blank
Latest draft:
http://www.greebo.net/owasp/" target="_blank

When I do code reviews, I look for the highest risk interactions, and move down the food chain. For example, I always start with data validation as it's hard to get right, and I check for coverage. PHP is notorious for being difficult to validate due to compatibility reasons, register globals, etc. phpBB takes the correct approach, but the recent issues in 2.0.13 are all about coverage. That's where a fine toothcomb approach to coverage is essential. Some things, like password policies are informational at best for forums and are rated as such.

I then work through the major headings:

authentication *
authorization *
session management *
error handling and logging
data validation (most of the time I look at strategies and implementation of centralized routines and see if they can be improved) *
canocalization, locale and unicode
File system *
Buffer overflows - skip unless you call outside programs insecurely
Admin interfaces *
Cryptography
Privacy
Configuration
Deployment

* areas where 2.0.13 has known bugs on Bugtraq "discovered" in the last 10 days.

For older code bases, I look at maintenance issues as well. As you'll correctly spot in the OWASP Guide 2.0 drafts, I haven't finished some sections. I'll have to do those from memory. Web application security has been my day job since 1998, well before most people really thought hard about this area. I've been doing security since 1995. I mostly work for large financial institutions, and that's where I'm working right now. I have recently finished a code review of an Internet banking system which processes about a quarter of Australia's total online transactions.

Usually a code review of the phpBB's magnitude will take about a month to do, and come in as a report of around 100 pages. The usual cost to commercial clients for a code review comes in at around $USD 20,000 - 30,000 depending on how detailed it is, and what sort of people are assigned.

Obviously, this is out of the reach of any volunteer project, so I hope that everyone realises I'm not here to put people's noses out of joint, but to volunteer a significant and valuable amount of my time, transfer knowledge into the team and to permanently help phpBB be more secure.

Who would like to help?

Andrew

[Ybarra]

I think your problem is that this post doesn't belong here. Or on http://www.phpbb.com." target="_blank

If you're asking users if they'd like PHPBB reviewed for them, then fine. You can do that. The code is right there for you to review.

But you aren't. You're asking the developers if they'd like you to review their code with them present so you can teach 'em a thing or two. Why post this in an open forum? They're not gonna respond to you here. Sounds like something you email or send in a PM. 99% of the users here have no interest in development and/or learning security specifics. They're just waiting for their favorite forum software to be finished.

BTW...what kinda help are you looking for?

[vanderaj]

If this is the development forum, why wouldn't the developers respond? Or do the developers have a secret forum or just mail / messenger each other but do not respond here? If so, that's a bit depressing.

I just want a bit of volunteer time to help make the job more approachable. My out of hours life is busy enough without taking on a project of this magnitude. Divide and conquer.

Andrew

[q3utom]

If this is the development forum, why wouldn't the developers respond?

Its the development forum for version 3.0 not 2.0. That is why you need to go to http://www.phpbb.com" target="_blank to discuss this.

[Elarion]

But as Ybarra says, I don't think its the kind of thing that devs will want to respond to publicly.

Take the last locking and previous deletion of your topic as a sign, this isn't the place to post.

[vanderaj]

Ah, but the people over at phpbb.com deleted my thread and suggested I post here.

So if I can't talk to the devs here, who releases the 2.0.x fixes? It's not the tooth fairy.

Andrew

[vanderaj]

But as Ybarra says, I don't think its the kind of thing that devs will want to respond to publicly.

Take the last locking and previous deletion of your topic as a sign, this isn't the place to post.

Security through obscurity never works. Of all the releases of phpBB 2.0.x, which ones weren't for security matters?

*I* locked my previous thread on area51. The mods of http://www.phpbb.com" target="_blank deleted the other thread and suggested nicely that I come here.

Stuck.

Andrew

[Elarion]

Its the development forum for version 3.0 not 2.0. That is why you need to go to http://www.phpbb.com" target="_blank to discuss this.

You're asking for devs to run through code for the 2.0.x branch of phpBB, so this isn't the place to ask. If the devs want your help, I'm sure they'll send you a PM. There isn't any need to keep posting the same topic, even after you locked your own thread.

The devs are extremely busy trying to get 3.0.x out, so cut them a little slack. Over the past few weeks we've had countless posts of "When will 3.0.x be out?" and I'm sure if its starting to get on users nerves, the devs will be even more *beep* by it. I also think that if you want to do it independantly of the phpBB devs and then present it to the devs, that will be slightly more productive than asking devs to take time out from developing 3.0.x.

[Elarion]

But as Ybarra says, I don't think its the kind of thing that devs will want to respond to publicly.

Take the last locking and previous deletion of your topic as a sign, this isn't the place to post.

Security through obscurity never works. Of all the releases of phpBB 2.0.x, which ones weren't for security matters?

*I* locked my previous thread on area51. The mods of http://www.phpbb.com" target="_blank deleted the other thread and suggested nicely that I come here.

Stuck.

Andrew

Well if I remember correctly, the whole 2.0.x branch updates have been security related. No or little new features have been added since the initial release of 2.0 and thats how it will stay until 3.0 is released.

I see where you're coming from and what you're trying to do. I'm sure the devs and community would appreciate it. What they won't appreciate is adding a needless delay to the release of 3.0.x by taking up phpBB devs time to do it.

[Grrrrump]

It's very generous for you to offer to help improve phpBB 2.0.x security without fee, but I'm a little confused as to how the process would actually play out, and maybe I'm not the only one. If you get volunteers who are not on the development team (you seem to be asking for community invovlement), how will that help the developers directly to be better fishermen?

Just wanting to make sure that you understand a lack of response within the community ought not to be taken as a lack of interest. A lack of repsonse by the developers probably ought not to be taken as a lack of interest either; in their case, I'm sure they'd appreciate the favor of being given time to evaluate the whole idea (assuming they're even aware of it). They seem to have their hands very full, and essentially you're asking them to fill them up even more. Not a bad thing since the issue is security, but hopefully you see what I'm driving at.