Is it safe to use phpBB?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
jjeffers
Registered User
Posts: 2
Joined: Wed Feb 09, 2005 2:20 am

Is it safe to use phpBB?

Post by jjeffers »

(I apologize if this has already been asked. I didn't see it.)

I run a couple of sites with phpBB 2.0.11. One of them is hosted at onewebhosting.com, and the other I host myself.

onewebhosting.com today told me that a vulnerability in phpBB compromised their server, and it took them seven hours to recover. This outage affected every customer on that server, of course, so they were not too happy with me or with phpBB. I assume this is the same vulnerability that affected phpBB.com.

They removed phpBB from my site, and say that they will not be allowing anyone to run it anymore. When I asked for alternatives, they suggested vBulletin. Of course, I don't want to pay $160 for a low-traffic site that doesn't make me any money and never will.

So, the big question is this:

IS IT CURRENTLY SAFE TO RUN PHPBB???

Of course I don't want my own server compromised, so I have taken down phpBB on that server as well, but I can't get a definitive answer to this question from the searching that I've done today.

ycl6
Registered User
Posts: 35
Joined: Fri Jan 23, 2004 1:55 pm
Location: Taiwan

Re: Is it safe to use phpBB?

Post by ycl6 »

There is no known security problem with 2.0.11, so feel safe to use it. If your host meant the current downtime of phpBB.com as the vulnerability in phpBB, then he must be very unwise to say so.

Please read the announcement on www.phpbb.com for why it was down.

~Mac

ByteEnable
Registered User
Posts: 20
Joined: Wed Jan 26, 2005 11:41 pm
Location: Texas

Re: Is it safe to use phpBB?

Post by ByteEnable »

vBulletin has problems too, just check out this article:

http://www.linuxelectrons.com/article.p ... 7112328367

Drexion
Registered User
Posts: 57
Joined: Mon Sep 01, 2003 5:52 am

Re: Is it safe to use phpBB?

Post by Drexion »

jjeffers>> There are no known security issues with phpBB 2.0.11 - the phpbb.com site was not compromised via phpBB, but via a vulnerability in another script which has nothing to do with the phpBB forum software.

What I believe happened was that someone else on your server was using a pre-2.0.11 version, which allowed the attack to occur. 2.0.11 was released months ago, yet many did not upgrade, leading to these issues.

It is indeed unfortunate the stance that your host has taken, but it is a rather ignorant stance to take, no offence intended. Every single popular forum software has had and will have vulnerabilities along with people who will take advantage of this, so is he just going to eventually ban every piece of software when a new issue pops up?

jjeffers
Registered User
Posts: 2
Joined: Wed Feb 09, 2005 2:20 am

Re: Is it safe to use phpBB?

Post by jjeffers »

Thanks to all for the replies. I agree that it's unfortunate for that particular web host to take the stand they did, but there's little I can do here. They are convinced that phpBB should be banned from their servers, so running it with that host is no longer an option for me, unfortunately.

However, for my own server, I can do whatever I like. ;)

BiDoU
Registered User
Posts: 2
Joined: Sat Jan 03, 2004 11:02 pm

Re: Is it safe to use phpBB?

Post by BiDoU »

It's funny to see how a webmaster or server administrator takes decisions... If I did the same thing myself, I would not run Windows Server or Linux either; there are always security issues and updates to do. I don't know any software that has no bugs... ;)

smithy_dll
Registered User
Posts: 461
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia

Re: Is it safe to use phpBB?

Post by smithy_dll »

I wouldn't stay with them if they fail to keep their customers on shared servers in 'chrooted jails' to stop vulnerabilities in software run by one affecting other customers.

I suggest next time you go looking for shared hosting, ask the provider whether customers are run in 'chrooted jails' for added security.

phpBB, it's open source, become involved, write a modification!
Modifications Database | MOD Development Forum Rules | MOD Studio

scat0433
Registered User
Posts: 2
Joined: Wed Feb 09, 2005 9:55 am
Location: London

Re: Is it safe to use phpBB?

Post by scat0433 »

My forum had problems too, so I upgraded to 2.0.11. The good news is that this foiled the attackers' renewed attempts, but the bad news was that the server was still affected (but then fixed by the host as below...). I asked my hosts about this and got two responses:

"the problem is hackers are still attacking the page regardless of it having the correct patch causing a massive server load affecting other customers."

"Our system administrators have had to add a .htaccess file to protect your viewtopic.php file from hacking attempts. Whilst your own page is quite secure and the attempts were failing, they were having a comparable effect to a DoS attack. This .htaccess file will simply alleviate the effects of these hacking attempts and should not cause you any problems."

I can look up the .htaccess contents if anyone is interested. Perhaps this can be a suggestion given to any hosts who ban phpBB.

SineSwiper
Registered User
Posts: 16
Joined: Thu Jan 27, 2005 5:59 am
Location: Louisville, KY

Re: Is it safe to use phpBB?

Post by SineSwiper »

jjeffers wrote: They removed phpBB from my site, and say that they will not be allowing anyone to run it anymore. When I asked for alternatives, they suggested vBulletin. Of course, I don't want to pay $160 for a low-traffic site that doesn't make me any money and never will.
Sorry to hear that. I've been the victim of bad web hosting providers (there are MANY bad ones), like one that would claim that my scripts were causing CPU load problems. I don't even think the guy knew how to read the CPU figures he was looking at.

I signed up for a virtual private server for about $25/mo and never looked back. It's still great now two years later.
Davidls wrote: I wouldn't stay with them if they fail to keep their customers on shared servers in 'chrooted jails' to stop vulnerabilities in software run by one affecting other customers.
Or at the very least, suEXEC. I cannot stress the importance of suEXEC enough, especially with all of the permission problems you run into without it. You shouldn't have to chmod everything 777 for your write-access web scripts to work just because the web host is too dumb to run suEXEC.
scat0433 wrote: I can look up the .htaccess contents if anyone is interested. Perhaps this can be a suggestion given to any hosts who ban phpBB.
Might be interesting to see how they are correcting the problem with a .htaccess file.

ventiil
Registered User
Posts: 1
Joined: Wed Feb 09, 2005 10:58 am

Re: Is it safe to use phpBB?

Post by ventiil »

Many phpBB sites were torn down today thanks to a bug in viewtopic.php. I'm an administrator of a server with about a hundred vhosts and there are four phpBB boards too. I'm not 100% sure, but it seems that only boards with anonymous access were affected. To be sure I had to close all of them. These boards were installed by our trusted clients, so PHP safe_mode was off for most of them. What happened is that unauthorized code was able to run under HTTP server privileges. Fortunately nothing really happened because I found out soon enough and HTTP server privileges are very limited. Though, I pity the fool® who runs his HTTP servers with root privileges.

If anyone is interested in the worm's source code then here you go:

1. http://ca.pri.ee/h2xx/dot345.txt
2. http://ca.pri.ee/h2xx/asw.txt
3. http://ca.pri.ee/h2xx/b0t.txt
4. http://ca.pri.ee/h2xx/udp.pl.txt

PS. In no way am I affiliated with the persons who wrote these scripts. The 1st and 4th files were found in the /tmp directory and the other two were found by reverse engineering the code of the 1st script.

PS2. Check out the IRC server chii.radionova.info:5378 and channel #xdcz
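scat0433's host blocked the viewtopic.php attack attempts with a .htaccess file whose contents are not shown in this thread, and ventiil describes the same requests running code under the web server's privileges. The script below is an added example (not code from this thread, from phpBB, or from either host) showing the log-side half of that job: it reads Apache combined-format access log lines and flags requests to viewtopic.php whose query parameters, after one extra round of percent-decoding, carry PHP function calls, then counts hits per source address so the "DoS-like load" scat0433's host described can be measured. The sample log lines are constructed (RFC 5737 test addresses); their use of the highlight parameter reflects the parameter the Santy-era exploits abused, a detail this thread itself does not state. The check inspects every parameter, not only highlight, so it is more general than that one bug.

```python
"""Flag exploit attempts against phpBB's viewtopic.php in an Apache access log.

Added example, not phpBB code. Assumes Apache "combined" log format; only the
request line is used. Addresses and requests in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Request-line part of an Apache combined log entry (referer/UA not needed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that only turn up in a parameter value when someone is trying to
# smuggle PHP code through it; a genuine search-highlight term never needs them.
# Compared against the lower-cased value.
CODE_MARKERS = (
    "system(", "passthru(", "exec(", "shell_exec(", "eval(",
    "fopen(", "fwrite(", "include(", "$_get", "$_post", "<?php",
)

# Constructed sample log. Requests 1, 3 and 5 imitate the double-URL-encoded
# quote break-out (%2527) used against viewtopic.php in early 2005; 2 and 4
# are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2005:03:14:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527.system(chr(119).chr(103).chr(101).chr(116)).%2527 HTTP/1.1" 200 5123
198.51.100.2 - - [09/Feb/2005:03:14:09 +0000] "GET /forum/viewtopic.php?t=12&highlight=upgrade HTTP/1.1" 200 18044
203.0.113.7 - - [09/Feb/2005:03:14:10 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.fwrite(fopen(chr(47).chr(116).chr(109).chr(112))).%2527 HTTP/1.1" 200 5130
198.51.100.9 - - [09/Feb/2005:03:15:00 +0000] "GET /forum/index.php HTTP/1.1" 200 9001
203.0.113.7 - - [09/Feb/2005:03:15:02 +0000] "GET /forum/viewtopic.php?t=3&highlight=%2527.passthru(chr(108).chr(115)).%2527 HTTP/1.1" 200 5123
"""


def decode_params(url):
    """Return (name, value) pairs for the query string, decoded one extra time.

    parse_qsl percent-decodes once. The worms double-encoded their payload
    (e.g. %2527 for a single quote) so that the application's own decoding
    produced the real characters, so decode a second time before inspecting.
    """
    query = urlsplit(url).query
    return [(name, unquote(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def is_viewtopic_attack(url):
    """True if the request targets viewtopic.php and any parameter carries PHP code."""
    if not urlsplit(url).path.endswith("viewtopic.php"):
        return False
    for _name, value in decode_params(url):
        lowered = value.lower()
        if any(marker in lowered for marker in CODE_MARKERS):
            return True
    return False


def scan(log_text):
    """Return a list of (ip, url) for every flagged request in the log text."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and is_viewtopic_attack(match.group("url")):
            hits.append((match.group("ip"), match.group("url")))
    return hits


def attackers(log_text):
    """Count flagged requests per source IP; a feed for rate limiting or a deny list."""
    return Counter(ip for ip, _url in scan(log_text))


if __name__ == "__main__":
    for ip, url in scan(SAMPLE_LOG):
        print(f"flagged {ip} -> {url}")
    print(dict(attackers(SAMPLE_LOG)))
```

Run against a real access_log the per-IP counts from attackers() are what a host would turn into a deny rule or a rate limit for viewtopic.php; a patched 2.0.11 board is not exploitable by these requests, but, as scat0433's host found, it still has to serve each one.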
