Original link: http://www.in-my-opinion.org/in-my-opinion-3734.html
This is a description of how to make it harder for an attacker to harm your phpBB discussion board or to gain control over it, should a new security issue be found.
Please also see my other phpBB mods at 1-4a.com and the backup suite at IMO → PhpBB mod (freeware): Backup database and files.
My tips will help you to protect your phpBB no matter what future bugs or security issues will be found, and no matter what current security issues exist.
Let's look at the history of critical (= very serious) security issues:
phpBB critical update to 2.0.11: My tips would have protected your forum
phpBB critical update to 2.0.13: My tips would have protected your forum
phpBB critical update to 2.0.15: My tips would have protected your forum
phpBB critical update to 2.0.16: My tips would have protected your forum
phpBB critical update to 2.0.17: My tips would have protected your forum
phpBB critical update to 2.0.18: My tips would have protected your forum
Unfortunately, the creators of phpBB do not take the fixing of security issues seriously enough.
• They have no list of all security issues.
• If you have modded your forum a lot (= installed/changed/reprogrammed your forum), you have no chance to update it to the newest (= most secure) state. The automatic updates won't work.
• They have no step-by-step guide on how to fix each one of them. For example, if your version is 2.0.5, what do you do to manually update it to fix all security issues fast?
• They have no "security checking programs" which you could run and which would report all open security holes found.
• They obviously have no picture of an ideal scene. Their programming is designed to fix issues as they arise instead of starting a "once-for-all-secure" plan. Cobblers.
• They are impolite: when I mentioned that they either a) do not treat security issues seriously OR b) do not treat modding seriously, my topic was locked and I was warned.
• They even refused to fix a security bug (they claimed it was no security issue) that later caused the deletion of whole websites (see below: %2527 bug).
But whatever: this is NOT a description of how to fix known bugs in phpBB anyway. Moreover, it's NOT ENOUGH to fix the currently known bugs:
• Especially if you use mods (= third-party software for your forum), you are at risk, since these mods may contain security bugs themselves.
• Some exploits are so serious that every minute counts. But take the fixing of 2.0.16 for example: it took phpBB approx. 14 days to fix a serious exploit.
Right now, while I write this, phpbb.com itself is under attack. Their site is unavailable except for the text:
At present phpbb.com is offline due to a group of politically motivated hackers.
...
A third party application looks to have been the problem.
...
Please do not ask us...we simply cannot comment at this time without having further information ourselves. Just as soon as we have a clearer picture, which depending on the condition of our server may be impossible to obtain, we will update the community.
...
We are working to recover the server.
...
The persons who attacked the site deleted all web access logs, all system logs and the root user log. Other critical system folders/files were also deleted.
The following tips will prevent 99% of cracks, since most cracks are done by script kiddies who will not waste a lot of time on a single forum.
Some of the tips also apply to software other than phpBB, so you should read them even if you don't use phpBB.
posted by knn