(I apologize if this has already been asked. I didn't see it.)
I run a couple of sites with phpBB 2.0.11. One of them is hosted at onewebhosting.com, and the other I host myself.
onewebhosting.com today told me that a vulnerability in phpBB compromised their server, and it took them seven hours to recover. This outage affected every customer on that server, of course, so they were not too happy with me or with phpBB. I assume this is the same vulnerability that affected phpBB.com.
They removed phpBB from my site, and say that they will not be allowing anyone to run it anymore. When I asked for alternatives, they suggested vBulletin. Of course, I don't want to pay $160 for a low-traffic site that doesn't make me any money and never will.
So, the big question is this:
IS IT CURRENTLY SAFE TO RUN PHPBB???
Of course I don't want my own server compromised, so I have taken down phpBB on that server as well, but I can't get a definitive answer to this question from the searching that I've done today.
Is it safe to use phpBB?
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: Is it safe to use phpBB?
There is no known security problem with 2.0.11, so feel safe to use it. If your host meant the current downtime of phpBB.com as the vulnerability in phpBB, then he must be very unwise to say so.
Please read the announcement on www.phpbb.com for why it was down.
~Mac
-
- Registered User
- Posts: 20
- Joined: Wed Jan 26, 2005 11:41 pm
- Location: Texas
- Contact:
Re: Is it safe to use phpBB?
vBulletin has problems too, just check out this article:
http://www.linuxelectrons.com/article.p ... 7112328367
Re: Is it safe to use phpBB?
jjeffers>> There are no known security issues with phpBB 2.0.11 - the phpbb.com site was not compromised via phpBB, but via a vulnerability in another script which has nothing to do with the phpBB forum software.
What I believe happened was that someone else on your server was using a pre-2.0.11 version, which allowed the attack to occur. 2.0.11 was released months ago, yet many did not upgrade, leading to these issues.
It is indeed unfortunate, the stance that your host has taken, but it is a rather ignorant stance to take, no offence intended. Every single popular forum software has had and will have vulnerabilities, along with people who will take advantage of this, so is he just going to eventually ban every piece of software when a new issue pops up?
Re: Is it safe to use phpBB?
Thanks to all for the replies. I agree that it's unfortunate for that particular web host to take the stand they did, but there's little I can do here. They are convinced that phpBB should be banned from their servers, so running it with that host is no longer an option for me, unfortunately.
However, for my own server, I can do whatever I like.
Re: Is it safe to use phpBB?
It's funny to see how a webmaster or server administrator takes decisions... If I did the same thing, I would not run Windows Server or Linux either; there are always security issues and updates to do. I don't know any software that has no bugs...
- smithy_dll
- Registered User
- Posts: 461
- Joined: Tue Jan 08, 2002 6:27 am
- Location: Australia
- Contact:
Re: Is it safe to use phpBB?
I wouldn't stay with them if they fail to keep their customers on shared servers in 'chrooted jails' to stop vulnerabilities in software run by one affecting other customers.
I suggest next time you go looking for shared hosting asking the provider whether customers are run in 'chrooted jails' for added security.
phpBB, its open source, become involved, write a modification!
Modifications Database | MOD Development Forum Rules | MOD Studio
Re: Is it safe to use phpBB?
My forum had problems too, so I upgraded to 2.0.11. The good news is that this foiled the attackers' renewed attempts, but the bad news was that the server was still affected (but then fixed by the host as below...). I asked my hosts about this and got two responses:
"the problem is hackers are still attacking the page regardless of it having the correct patch causing a massive server load affecting other customers."
"Our system administrators have had to add a .htaccess file to protect your viewtopic.php file from hacking attempts. Whilst your own page is quite secure the attempts were failing but having a comparable effect to a DOS attack. This .htaccess file will simply alleviate the effects of these hacking attempts and should not cause you any problems."
I can look up the .htaccess contents if anyone is interested. Perhaps this can be a suggestion given to any hosts who ban phpBB.
-
- Registered User
- Posts: 16
- Joined: Thu Jan 27, 2005 5:59 am
- Location: Louisville, KY
- Contact:
Re: Is it safe to use phpBB?
jjeffers wrote: They removed phpBB from my site, and say that they will not be allowing anyone to run it anymore. When I asked for alternatives, they suggested vBulletin. Of course, I don't want to pay $160 for a low-traffic site that doesn't make me any money and never will.
Sorry to hear that. I've been the victim of bad web hosting providers (there are MANY bad ones), like one that would claim that my scripts were causing CPU load problems. I don't even think the guy knew how to read the CPU figures he was looking at.
I signed up for a virtual private server for about $25/mo and never looked back. It's still great now two years later.
Davidls wrote: I wouldn't stay with them if they fail to keep their customers on shared servers in 'chrooted jails' to stop vulnerabilities in software run by one affecting other customers.
Or at the very least, suEXEC. I cannot stress the importance of suEXEC enough, especially with all of the permission problems you run into without it. You shouldn't have to chmod everything 777 for your write-access web scripts to work just because the web host is too dumb to run suEXEC.
scat0433 wrote: I can look up the .htaccess contents if anyone is interested. Perhaps this can be a suggestion given to any hosts who ban phpBB.
Might be interesting to see how they are correcting the problem with an .htaccess file.
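The host's .htaccess that scat0433 mentions (and Nagash asks about) was never posted in the thread, so what follows is an added example rather than the host's file or anything from phpBB: a small Python script that reads Apache access-log lines, finds clients requesting viewtopic.php more than a threshold number of times inside a sliding time window (the "comparable effect to a DOS attack" described above), and renders an Apache 1.3/2.2-style <Files> block with Deny directives that could go into an .htaccess. The log lines, IP addresses, threshold of 20 hits and 60-second window are constructed assumptions for illustration.

```python
"""Added example, not from the thread: spot clients hammering viewtopic.php
in an Apache access log and render an .htaccess deny block for them.
All log lines, addresses, threshold and window below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "common"/"combined" log prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # timestamp looks like 27/Jan/2005:03:14:07 +0000; the zone offset is dropped here
    ts = datetime.strptime(m.group('ts').split(' ')[0], '%d/%b/%Y:%H:%M:%S')
    return {'ip': m.group('ip'), 'ts': ts, 'path': m.group('path'),
            'status': int(m.group('status'))}

def hammering_ips(lines, script='viewtopic.php', limit=20, window_s=60):
    """Return {ip: peak_hits} for clients that requested `script` more than
    `limit` times inside any sliding window of `window_s` seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        basename = rec['path'].split('?', 1)[0].rsplit('/', 1)[-1]
        if basename == script:
            hits[rec['ip']].append(rec['ts'])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # shrink the window from the left until it spans at most window_s
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged

def htaccess_block(flagged, script='viewtopic.php'):
    """Render an Apache 1.3/2.2 (mod_access) snippet denying the flagged IPs
    access to `script` only, so the rest of the board keeps working."""
    out = ['<Files "%s">' % script, 'Order Allow,Deny', 'Allow from all']
    out += ['Deny from %s' % ip for ip in sorted(flagged)]
    out.append('</Files>')
    return '\n'.join(out)

def sample_log():
    """Constructed log: one ordinary reader and one client hammering the script."""
    fmt = '{ip} - - [27/Jan/2005:03:14:{sec:02d} +0000] "GET {path} HTTP/1.0" 200 5120'
    lines = [fmt.format(ip='192.0.2.10', sec=s, path='/forum/viewtopic.php?t=%d' % s)
             for s in range(0, 50, 10)]                      # 5 hits in 50 s
    lines += [fmt.format(ip='198.51.100.7', sec=s, path='/forum/viewtopic.php?t=1')
              for s in range(30)]                            # 30 hits in 30 s
    lines.append(fmt.format(ip='198.51.100.7', sec=31, path='/forum/index.php'))
    lines.append('this line is not a valid log entry')
    return lines

if __name__ == '__main__':
    print(htaccess_block(hammering_ips(sample_log())))
```

Denying by source address only takes the repeat offenders' load off the box; it patches nothing, which is why the upgrade to 2.0.11 matters more than any .htaccess. The Order/Allow/Deny directives are the Apache 1.3 and 2.x (up to 2.2) syntax; Apache 2.4 replaces them with Require, so the rendered snippet would need translating there.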
Re: Is it safe to use phpBB?
Many phpBB sites were torn down today thanks to a bug in viewtopic.php. I'm an administrator of a server with about a hundred vhosts and there are four phpBB boards too. I'm not 100% sure but it seems that only boards with anonymous access were affected. To be sure I had to close all of them. These boards were installed by our trusted clients so PHP safe_mode was off for most of them. What happened is that unauthorized code was able to run under HTTP server privileges. Fortunately nothing really happened because I found out soon enough and HTTP server privileges are very limited. Though, I pity the fool® who runs his HTTP servers with root privileges.
If anyone is interested in the worm's source code then here you go:
1. http://ca.pri.ee/h2xx/dot345.txt
2. http://ca.pri.ee/h2xx/asw.txt
3. http://ca.pri.ee/h2xx/b0t.txt
4. http://ca.pri.ee/h2xx/udp.pl.txt
PS. In no way am I affiliated with the persons who wrote these scripts. The 1st and 4th files were found in the /tmp directory and the other two were found by reverse engineering the code of the 1st script.
PS2. Check out the IRC server chii.radionova.info:5378 and channel #xdcz
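The post above describes the pattern worth checking for on any shared box after this kind of incident: code running as the HTTP server user and dropping interpreter scripts into /tmp. As an added example (not part of the post and not the linked scripts), here is a small Python triage check for that situation. It scans a directory for regular files that have a script shebang, an executable bit or world-writable permissions, and can restrict the report to files owned by a given account such as the httpd user. The demo directory, its file names and their contents are constructed for illustration and are not the real worm.

```python
"""Added example, not from the thread or the linked scripts: triage a scratch
directory such as /tmp for dropped interpreter scripts left behind by code
running as the HTTP server user. The demo directory and its files are
constructed for illustration and are not the real worm."""
import os
import pwd
import stat
import tempfile

SCRIPT_INTERPRETERS = {'perl', 'sh', 'bash', 'python', 'php'}

def shebang_interpreter(path):
    """Return the interpreter named on a '#!' first line ('' if there is none)."""
    with open(path, 'rb') as f:
        head = f.readline(256)
    if not head.startswith(b'#!'):
        return ''
    tokens = head[2:].split()
    if not tokens:
        return ''
    interp = os.path.basename(tokens[0]).decode('ascii', 'replace')
    if interp == 'env' and len(tokens) > 1:          # "#!/usr/bin/env perl"
        interp = os.path.basename(tokens[1]).decode('ascii', 'replace')
    return interp

def classify(path):
    """List the reasons a regular file looks like a dropped script (empty if none)."""
    reasons = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return reasons
    interp = shebang_interpreter(path)
    if interp in SCRIPT_INTERPRETERS:
        reasons.append('shebang:' + interp)
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append('executable')
    if st.st_mode & stat.S_IWOTH:
        reasons.append('world-writable')
    return reasons

def scan_dir(directory, owner=None):
    """Map file name -> reasons for suspicious regular files in `directory`.
    If `owner` (an account name, e.g. the httpd user) is given, only files
    owned by that account are reported, which narrows triage to what the
    compromised web server process could have written."""
    uid = pwd.getpwnam(owner).pw_uid if owner else None
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):       # skip symlinks, sockets, subdirectories
            continue
        if uid is not None and st.st_uid != uid:
            continue
        reasons = classify(path)
        if reasons:
            findings[name] = reasons
    return findings

def current_user():
    """Account name of the running process (stands in for the httpd user in the demo)."""
    return pwd.getpwuid(os.getuid()).pw_name

def make_demo_dir():
    """Construct a scratch directory: one benign session-like file, two planted scripts."""
    d = tempfile.mkdtemp(prefix='tmp-triage-')
    def put(name, content, mode):
        p = os.path.join(d, name)
        with open(p, 'w') as f:
            f.write(content)
        os.chmod(p, mode)
    put('sess_abc123', 'a|s:3:"xyz";', 0o644)                      # PHP-session-like, benign
    put('udp.pl', '#!/usr/bin/perl\nuse IO::Socket;\n', 0o755)      # constructed stand-in
    put('b0t', '#!/bin/sh\nwhile :; do :; done\n', 0o666)           # constructed stand-in
    return d

if __name__ == '__main__':
    for name, why in scan_dir(make_demo_dir(), owner=current_user()).items():
        print(name, ', '.join(why))
```

Run it against the real scratch directory with the web server's account (scan_dir('/tmp', owner='www-data') or whatever the httpd user is called on that box) as a first pass; anything it lists is a candidate for the kind of bot or flooder the post links to, and its owner and mtime then point at which vhost's script was abused.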