Hello. I am just talking about exploits that were in the php2.0X version, like the 2.0.12 and before major exploit.
Other than that, does the phpBB group just code this developer release with no watching of the security, waiting to fix the bugs at the betas and final release, or do they work on fixing the security bugs?
Are there any exploits for PHPBB3?
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
-
- Registered User
- Posts: 687
- Joined: Sun May 11, 2003 11:17 am
Re: Are there any exploits for PHPBB3?
The code is being reworked to enhance security through a number of features both visible (such as the re-authentication on ACP access) and behind-the-scenes (data validation, other limits). Code is constantly changing, so while there may well be exploits in the current code, they're likely to be dealt with in due time, and in any case, you shouldn't be running the CVS code in a live environment.
You can never go home again... but I guess you can shop there.
Re: Are there any exploits for PHPBB3?
There may be, there may not be. However, this is the CVS version, so there is never a guarantee there will or there won't be any.
-
- A_Jelly_Doughnut
- Registered User
- Posts: 1780
- Joined: Wed Jun 04, 2003 4:23 pm
Re: Are there any exploits for PHPBB3?
There are certainly security flaws in phpBB3. I am personally aware of one that is not fixed, and someone is exploiting. However, I won't disclose it until phpBB Group asks for bug and security reports on phpBB3.
And yes, they are currently looking at security flaws. See this checkin from last week.
A_Jelly_Doughnut
Re: Are there any exploits for PHPBB3?
There were a few security issues before, which all got fixed in CVS as we saw them (and they get fixed as we stumble across them). We normally do not note them specifically within the CVS comments because at the moment it is not used in live environments... or is it?
We also make sure the 2.0.x security issue fixes are also applied to the 2.1 CVS if they are true to Olympus too.
A_Jelly_Doughnut: I have seen your board being attacked? Due to the nature it has happened I would guess it had to do with the cookie issue (gaining admin access), which has been fixed in 2.1 CVS a while ago (though it was at a completely different code section and maybe not easy to spot within a checkin mail).
- A_Jelly_Doughnut
- Registered User
- Posts: 1780
- Joined: Wed Jun 04, 2003 4:23 pm
Re: Are there any exploits for PHPBB3?
Could well be... not admin access because of re-authentication.
Didn't actually try the exploit on 2.1 CVS.
EDIT: yeah, it is fixed in current CVS, session.php revision 1.141
A_Jelly_Doughnut
Re: Are there any exploits for PHPBB3?
OK, that's good then. Because tutorials are everywhere about some exploits and especially the cookie one.
I just asked; I don't want to run a phpBB3, maybe just for me to check it but not for many people.
P.S. I know it's not the right place to ask this, but if I install MySQL and PHP on my PC, can I run phpBB on my computer?
- dhn
- Registered User
- Posts: 1518
- Joined: Wed Jul 04, 2001 8:10 am
- Location: Around the corner
- Contact:
Re: Are there any exploits for PHPBB3?
gian wrote: P.S. I know it's not the right place to ask this, but if I install MySQL and PHP on my PC, can I run phpBB on my computer?
You also need a webserver, but yes. That is possible. I suggest you do a Google search for tutorials on how to do it.
Re: Are there any exploits for PHPBB3?
What should I search for? Running phpBB locally?
- dhn
- Registered User
- Posts: 1518
- Joined: Wed Jul 04, 2001 8:10 am
- Location: Around the corner
- Contact:
Re: Are there any exploits for PHPBB3?
gian wrote: What should I search for? Running phpBB locally?
Would be a start. But I suggest you take a look at XAMPP first.
Many people know from their own experience that it's not easy to install an Apache web server and it gets harder if you want to add MySQL, PHP and Perl.
XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use - just download, extract and start.