# making phpBB more secure

## mordredP

I installed phpBB on my server, but I need to make it more secure than it is. Any advice on what to do to prevent exploits? I mean, not considering the holes that phpBB may have, is there something to improve the general security of the forum?

thanks

----------

## Kurt Steiner

Use SSL. :)

----------

## mordredP

 *Kurt Steiner wrote:*   

> Use SSL. 

 

I doubt that would make any difference, except for the users.

----------

## Monkeh

As long as you keep it up to date it's generally safe. Just check daily for updates, and apply them the moment you have a minute free to do so.

----------

## tomk

Sign up to phpBB's announce list (actually I found that if you monitor their SourceForge page then you get the news of releases quicker). For extra security you can turn off certain features which could leave you more vulnerable. Features to be considered for disabling are: automatic logins, HTML, BBcode, remote avatars, all avatars, the [img] tag (you'll need to hack the code to switch this off).

Obviously some of these features are useful and disabling them doesn't bring very much extra security, so you'll want to weigh up the benefits and drawbacks.

Edit: you should probably also sign up to the full-disclosure mailing list as phpBB exploits/security vulnerabilities are sometimes posted there before they are fixed by phpBB.

----------

## rev138

Out of curiosity, how is the [img] tag a security risk?

----------

## tomk

 *rev138 wrote:*   

> Out of curiosity, how is the [img] tag a security risk?

 

Someone could have a remote file that appears to be an image, but is actually a script which is used to steal cookie information.

----------

## mordredP

 *tomk wrote:*   

> Sign up to phpBB's announce list (actually I found that if you monitor their SourceForge page then you get the news of releases quicker). For extra security you can turn off certain features which could leave you more vulnerable. Features to be considered for disabling are: automatic logins, HTML, BBcode, remote avatars, all avatars, the [img] tag (you'll need to hack the code to switch this off).
> 
> Obviously some of these features are useful and disabling them doesn't bring very much extra security, so you'll want to weigh up the benefits and drawbacks.

 

First of all, thanks for the info. It is what I was searching for. I have some more questions though:

- Automatic logins: do you mean cookies in general?

- BBcode: is it really dangerous to keep it on? (It is on on this forum, right?)

- Avatars: I see that the Gentoo forum allows avatar uploading, so I guess it is good. I understand the issues about remote avatars, so I guess I'll turn it off, but as I won't hack the phpBB code I wonder if the issue is similar to the [img] tag exploit (in this case there's no point in disabling it, right?). If yes, how did you cope with it on this forum?

So, my answer is: how did you try and solve the issues you pointed out? (If it is something you can disclose.) And do you use any mod on this forum?

----------

## tomk

 *mordredP wrote:*   

> - Automatic logins: do you mean cookies in general?

 

No, just automatic logins: as of phpBB 2.0.18 there is an option in the configuration part of the Admin Control Panel. If you use auto-logins and someone steals your cookie there is a possibility that they could log in as you (although they've tightened up the auto-login code a lot in the last release, so the risk is now pretty minimal). If you don't use auto-logins then the only thing that someone could obtain by stealing your cookie is which topics you've looked at.

 *mordredP wrote:*   

> - BBcode: is it really dangerous to keep it on? (It is on on this forum, right?)
> 
> - Avatars: I see that the Gentoo forum allows avatar uploading, so I guess it is good. I understand the issues about remote avatars, so I guess I'll turn it off, but as I won't hack the phpBB code I wonder if the issue is similar to the [img] tag exploit (in this case there's no point in disabling it, right?). If yes, how did you cope with it on this forum?
> ...

 

These two are more preventative than anything else, most of the security vulnerabilities that phpBB has had this year were related to either image or bbcode exploits. So if you keep on top of updates and keep an ear to the ground for potential exploits and act quickly when one is found then you shouldn't have a problem.

Remote avatars have the same problem as [img] tags; with avatars that are uploaded there are several checks to make sure that they are images and not exploitable scripts. You just can't do that remotely, especially as the image could be changed after it's been checked. Disabling the [img] tags is straightforward: just comment out two lines in includes/bbcode.php (just below line 256 in our file).

 *mordredP wrote:*   

> 
> 
> So, my answer is: how did you try and solve the issues you pointed out? (if it is something you can disclose) And.. do you use any mod on this forum?

 

We have disabled certain features here to increase security, with the other ones we feel that the security risk is low enough to not have to disable them, although if an exploit is found then we either patch the code or disable the feature until phpBB release a patch. We would even disable the entire forums if the risk was large enough.

As for mods, we've installed a couple but most of the modifications we do ourselves (as you can see in our cvs tree.)
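An added illustration of the checks tomk describes for uploaded avatars, and of why the same checks cannot be applied to a remote [img] URL. This is example code written for this thread, not phpBB's own avatar or bbcode code and not the forums' modified version; it assumes PHP 7 or later with the GD extension, and the size limits, function names and sample inputs are all made up for the demonstration.

```php
<?php
// Added example, not phpBB's code. Assumes PHP 7+ with the GD extension;
// limits and function names are illustrative choices.

const AVATAR_MAX_BYTES = 64 * 1024;
const AVATAR_MAX_DIM   = 128;
// Only raster formats GD can fully decode, whatever the upload's name says.
const AVATAR_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Validate raw upload bytes and return a freshly encoded PNG; throws for
// anything that is not a small, fully decodable image.
function sanitize_avatar(string $bytes): string
{
    $len = strlen($bytes);
    if ($len === 0 || $len > AVATAR_MAX_BYTES) {
        throw new RuntimeException('avatar: bad size');
    }
    // Step 1: header check. getimagesizefromstring() parses only the header,
    // so "GIF89a" followed by PHP code passes this step. It is a cheap filter,
    // not proof that the data is an image.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset(AVATAR_TYPES[$info[2]])) {
        throw new RuntimeException('avatar: not a supported image type');
    }
    if ($info[0] > AVATAR_MAX_DIM || $info[1] > AVATAR_MAX_DIM) {
        throw new RuntimeException('avatar: dimensions too large');
    }
    // Step 2: decode the pixels. A header-only fake fails here.
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        throw new RuntimeException('avatar: image data does not decode');
    }
    // Step 3: re-encode from the decoded pixels. Bytes that were not pixel
    // data (a payload after the trailer, comment blocks, metadata) are gone.
    ob_start();
    imagepng($im);
    $png = ob_get_clean();
    imagedestroy($im);
    return $png;
}

// Store under a server-chosen name with a fixed extension: the uploader never
// controls the file name, so the web server will not run the file as PHP.
function store_avatar(string $bytes, string $avatarDir, int $userId): string
{
    $png  = sanitize_avatar($bytes);
    $path = sprintf('%s/%d.png', rtrim($avatarDir, '/'), $userId);
    if (file_put_contents($path, $png, LOCK_EX) === false) {
        throw new RuntimeException('avatar: write failed');
    }
    return $path;
}

// For a remote [img] URL the most you can look at is the URL. None of the
// steps above apply: the forum would have to fetch the file, and the remote
// side can serve one thing to the forum's check and another to each
// visitor's browser, or change the file after the post has been reviewed.
function img_url_looks_harmless(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && preg_match('/\.(gif|jpe?g|png)$/i', $p['path'] ?? '') === 1;
}

// --- Demonstration on constructed inputs (not real uploads) -----------------

// (a) A "fake image": a valid GIF header, then a PHP payload. The header
//     check passes; the decode step rejects it.
$fake = "GIF89a\x01\x00\x01\x00" . "<?php system(\$_GET['c']); ?>";
try {
    sanitize_avatar($fake);
    echo "fake: accepted (unexpected)\n";
} catch (RuntimeException $e) {
    echo "fake: rejected, {$e->getMessage()}\n";
}

// (b) A polyglot: a real 1x1 GIF made by GD, with PHP appended after the
//     trailer. It decodes, but the payload is absent from the re-encoded output.
$im = imagecreate(1, 1);
imagecolorallocate($im, 0, 0, 0);
ob_start();
imagegif($im);
$polyglot = ob_get_clean() . "<?php echo 'pwned'; ?>";
imagedestroy($im);
$clean = sanitize_avatar($polyglot);
printf("polyglot: payload in input=%s, in output=%s\n",
    var_export(strpos($polyglot, '<?php') !== false, true),
    var_export(strpos($clean, '<?php') !== false, true));

// (c) [img] URL screening, cosmetic as explained above.
printf("img url: %s %s\n",
    var_export(img_url_looks_harmless('http://example.com/a.gif'), true),
    var_export(img_url_looks_harmless('http://example.com/a.php'), true));
```

The re-encode step is the one that matters: extension and header checks only tell you what the file claims to be. For the cookie-stealing case tomk mentions, where the browser rather than the server is tricked into treating a file as a script, the complementary measure is to serve stored avatars with the correct `Content-Type` and an `X-Content-Type-Options: nosniff` header so the browser does not guess.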

----------

## sschlueter

 *tomk wrote:*   

> 
> 
> As for mods, we've installed a couple but most of the modifications we do ourselves (as you can see in our cvs tree.)

 

Is this the version of phpbb that is used for forums.gentoo.org?

And is there anonymous cvs access for this repository?

----------

## appleboy

I'm also curious about this as I'm looking back into phpBB again with .18, but want to be safe rather than sorry, due to the fact that the last time I ran one my system got slightly compromised, up to the point that they were able to run a program using my system as a DoS host, which really sucked on my outbound connection.

----------

## tomk

 *sschlueter wrote:*   

>  *tomk wrote:*   
> 
> As for mods, we've installed a couple but most of the modifications we do ourselves (as you can see in our cvs tree.) 
> 
> Is this the version of phpbb that is used for forums.gentoo.org?

 

Yes.

 *sschlueter wrote:*   

> And is there anonymous cvs access for this repository?

 

Unfortunately not, although there may be in the future.

----------

## amne

Apart from securing phpBB itself some things can increase your security as well:

Use a decent browser: the last two bigger vulnerabilities (one with BBcode, the other one was with uploading malicious avatars) only affected Internet Explorer. Stolen username/password cookies are annoying for users, but a hijacked admin account can really mess up stuff.

Don't log in as admin from boxes/networks you cannot trust.

As tomk already mentioned, follow full disclosure, bugtraq and/or other security relevant mailing lists.
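Added example, not phpBB's own code, of an auto-login design that limits what a stolen cookie is worth, along the lines of tomk's remark about auto-login cookies and amne's point that a hijacked admin account is the real damage. It assumes PHP 7.3 or later (for the `setcookie()` options array); the key store is an in-memory array standing in for a database table, and the constants, cookie name and sample user id are made up.

```php
<?php
// Added example, not phpBB's code: an auto-login ("remember me") design that
// limits what a stolen cookie is worth. Assumes PHP 7.3+. The key store is an
// array standing in for a database table.

const AUTOLOGIN_TTL       = 30 * 24 * 3600;
const AUTOLOGIN_COOKIE    = 'forum_autologin';
const ADMIN_REAUTH_WINDOW = 15 * 60;

// Issue a key for $userId, record only its hash, and return the cookie value.
// The cookie never carries the password or a hash of it.
function issue_autologin(array &$store, int $userId, int $now): string
{
    $keyId  = bin2hex(random_bytes(8));   // selector, stored in clear
    $secret = bin2hex(random_bytes(32));  // verifier, stored hashed
    $store[$keyId] = [
        'user_id'  => $userId,
        'key_hash' => hash('sha256', $secret),
        'expires'  => $now + AUTOLOGIN_TTL,
    ];
    return $keyId . ':' . $secret;
}

// Returns [user_id, replacement cookie value] or null. The key is single-use:
// whichever of the legitimate user or a cookie thief presents it first gets a
// new one and the other is logged out, which also makes the theft visible.
function verify_autologin(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$keyId, $secret] = $parts;
    if (!isset($store[$keyId])) {
        return null;
    }
    $rec = $store[$keyId];
    unset($store[$keyId]);  // burned whether or not it verifies
    // hash_equals() avoids a timing side channel on the comparison.
    if ($rec['expires'] < $now || !hash_equals($rec['key_hash'], hash('sha256', $secret))) {
        return null;
    }
    return [$rec['user_id'], issue_autologin($store, $rec['user_id'], $now)];
}

// Drop every key for a user: call on password change or "log out everywhere".
function revoke_autologins(array &$store, int $userId): void
{
    foreach ($store as $keyId => $rec) {
        if ($rec['user_id'] === $userId) {
            unset($store[$keyId]);
        }
    }
}

// HttpOnly keeps script running in the page (the [img]/XSS route) from
// reading the cookie, Secure keeps it off plain HTTP, SameSite limits
// cross-site replay.
function send_autologin_cookie(string $value, int $now): void
{
    setcookie(AUTOLOGIN_COOKIE, $value, [
        'expires'  => $now + AUTOLOGIN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// An auto-login should only restore an ordinary session. Admin Control Panel
// access additionally requires the password to have been typed recently, so a
// stolen cookie on its own never reaches the ACP.
function admin_access_allowed(array $session, int $now): bool
{
    return isset($session['password_auth_at'])
        && $now - $session['password_auth_at'] <= ADMIN_REAUTH_WINDOW;
}

// --- Demonstration on constructed data ---------------------------------------
$store      = [];
$now        = 1700000000;
$userCookie = issue_autologin($store, 42, $now);

// A thief copies the cookie and uses it first.
$thief = verify_autologin($store, $userCookie, $now + 60);
printf("thief:  %s\n", $thief ? "logged in as user {$thief[0]}" : 'rejected');

// The legitimate user's copy is now dead; they have to log in with the password.
$user = verify_autologin($store, $userCookie, $now + 120);
printf("user:   %s\n", $user ? 'logged in' : 'rejected, key already used');

// Even the thief's fresh session does not reach the ACP without the password.
printf("admin:  %s\n", admin_access_allowed(['user_id' => 42], $now + 180) ? 'allowed' : 'denied');

// A password change invalidates the thief's rotated key as well.
revoke_autologins($store, 42);
$thief2 = verify_autologin($store, $thief[1], $now + 240);
printf("thief2: %s\n", $thief2 ? 'logged in' : 'rejected after revoke');
```

Storing only a hash of the verifier means a dumped database table does not yield working cookies, and rotating the key on every use turns a silent theft into a forced logout the user notices. The re-authentication check is what keeps amne's worst case, a hijacked admin account, from following from a stolen cookie alone.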

----------

## thoughtform

phpBB is hard masked now...

What are the alternatives to phpBB? I've browsed through that category in packages.gentoo.org but I don't see much that appears to do what phpBB does.

----------

## wjholden

You probably want to keep a close watch on what PHP features are enabled through php.ini.
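Added example, not from the thread and not phpBB's own documentation: a php.ini fragment listing the directives a phpBB host is most likely to get wrong, with the weak value named in the comment and the hardened value set. The paths are placeholders, and which directives exist depends on the PHP version (register_globals was removed in PHP 5.4; allow_url_include was added in PHP 5.2).

```ini
; Added example, not phpBB's own or the thread's. Paths are placeholders.

; Weak: register_globals = On lets any request parameter pre-set a variable a
; script expects to initialise itself (the classic remote-include bug class).
register_globals = Off

; Weak: allow_url_include = On lets include()/require() load code over HTTP if
; an include path is ever user-influenced. allow_url_fopen = On lets fopen()
; and file_get_contents() fetch remote content; keep it off unless a feature
; you actually use needs it.
allow_url_include = Off
allow_url_fopen = Off

; Weak: display_errors = On shows file paths and error details to visitors.
display_errors = Off
log_errors = On
error_log = /var/log/php/forum.log
expose_php = Off

; Confine file operations to the forum tree, its upload directory and the
; temporary upload directory.
open_basedir = "/var/www/forum:/var/www/forum-avatars:/var/tmp/forum-upload"

; Process-spawning functions a forum never needs; these are what a dropped
; "image" that is really a script would call first.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Avatar upload needs file_uploads, so leave it on but keep the limit small
; and put the temporary directory outside anything the web server serves.
file_uploads = On
upload_max_filesize = 64K
upload_tmp_dir = /var/tmp/forum-upload
```

Check the values the web server's PHP actually runs with (a temporary `phpinfo()` page, removed afterwards, or the relevant Apache module's ini path) rather than the CLI's `php -i`, since the two often read different php.ini files; settings also need to be confirmed again after each PHP upgrade.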

----------

## thoughtform

I found punbb.

looks very nice so far.

http://www.punbb.org/

it was easy to setup, too.

----------

## pjp

 *Scorpaen wrote:*   

> what are the alternatives to phpBB?

You can take a look at this thread (old, but it may help): Migrating to a commercial PHP-based forums package.

Or just unmask phpbb.

----------

## appleboy

I checked out punbb, which if all you want is what it provides, its quite nice, but if you want to add stuff, you're going to be doing a lot of hacking.

My suggestion, if you're good at php, is to get .18 off of phpbb.com and strip out the stuff you don't use. I did that on my second install, works like a champ and hasn't been exploited yet. Then again, I've been doing a lot of work on beefing up the security of my machine.

----------

## sschlueter

 *Scorpaen wrote:*   

> 
> 
> what are the alternatives to phpBB?
> 
> 

 

Since this thread is about security, you should take a look at SMF.

At least its security history seems to be far better than phpBB's.

See http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb and http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=smf

On the other hand, a small number of publicly reported security related bugs doesn't necessarily indicate high source code quality. Popularity of the software is of course another important factor. And of course security bugs differ in severity...

----------

## Ijo

 *tomk wrote:*   

>  *sschlueter wrote:*   
> 
>  *tomk wrote:*   
> 
> As for mods, we've installed a couple but most of the modifications we do ourselves (as you can see in our cvs tree.) 
> 
> Is this the version of phpbb that is used for forums.gentoo.org? 
> ...

 

tomk,

Can you give us an update on phpBB and security? Has it improved in .19?

I'm about to create a new forum site and I would like to do phpBB but these type of messages are making me worry about it.

If you would have to do gentoo forums from scratch would you use phpBB or other one?

thanks a lot

----------

## tomk

 *Ijo wrote:*   

> tomk,
> 
> Can you give us an update on phpBB and security? Has it improved in .19?
> 
> I'm about to create a new forum site and I would like to do phpBB but these type of messages are making me worry about it.
> ...

 

Well, yes and no: some XSS vulnerabilities have been fixed, as well as code added to prevent dictionary login attacks, but at the same time another security vulnerability has been introduced. This has been fixed in phpBB's CVS and ours, but they haven't released a new version because of it.

The overall security situation with phpBB has improved greatly compared to earlier versions (2.0.18 was especially good in this aspect) but there are bound to be vulnerabilities which have yet to be discovered.

If I had the time and inclination I would write one from scratch instead of using phpBB.
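An added example, not phpBB's code, of the kind of dictionary-attack countermeasure tomk mentions: counting failed logins per account and per client address and applying a growing delay once either count passes a threshold. It assumes PHP 7 or later; the thresholds, the in-memory attempt store and the sample user, passwords and addresses are made up for the demonstration.

```php
<?php
// Added example, not phpBB's own code: slowing down dictionary attacks on the
// login form. Assumes PHP 7+. The attempt store is an array standing in for a
// database table keyed by account name and by client address.

const LOGIN_WINDOW      = 15 * 60; // seconds over which failures are counted
const LOGIN_MAX_ACCOUNT = 5;       // failures per account before backoff starts
const LOGIN_MAX_ADDRESS = 20;      // failures per address (many accounts, one attacker)
const LOGIN_MAX_DELAY   = 15 * 60; // cap on the backoff

// A real hash to verify unknown usernames against, so a wrong username costs
// the same time as a wrong password and does not reveal which accounts exist.
define('LOGIN_DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function recent_failures(array $times, int $now): int
{
    $n = 0;
    foreach ($times as $t) {
        if ($t > $now - LOGIN_WINDOW) {
            $n++;
        }
    }
    return $n;
}

// Seconds the caller must wait before another attempt under $key, 0 if none.
function login_delay(array $attempts, string $key, int $max, int $now): int
{
    $n = recent_failures($attempts[$key] ?? [], $now);
    if ($n < $max) {
        return 0;
    }
    // Exponential backoff once the threshold is passed: 2, 4, 8, ... seconds.
    return (int) min(LOGIN_MAX_DELAY, 2 ** min($n - $max + 1, 16));
}

// $users maps username => password_hash(). Returns ['ok' => bool,
// 'retry_after' => seconds]; retry_after > 0 means the attempt was refused
// before the password was even checked.
function attempt_login(array &$attempts, array $users, string $username,
                       string $password, string $addr, int $now): array
{
    $ukey = 'u:' . strtolower($username);
    $akey = 'a:' . $addr;
    $wait = max(login_delay($attempts, $ukey, LOGIN_MAX_ACCOUNT, $now),
                login_delay($attempts, $akey, LOGIN_MAX_ADDRESS, $now));
    if ($wait > 0) {
        // Count the refused attempt too, so hammering keeps extending the delay.
        $attempts[$ukey][] = $now;
        $attempts[$akey][] = $now;
        return ['ok' => false, 'retry_after' => $wait];
    }
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : LOGIN_DUMMY_HASH) && $known;
    if (!$ok) {
        $attempts[$ukey][] = $now;
        $attempts[$akey][] = $now;
        return ['ok' => false, 'retry_after' => 0];
    }
    unset($attempts[$ukey]); // a successful login clears the account counter
    return ['ok' => true, 'retry_after' => 0];
}

// --- Demonstration on constructed data ---------------------------------------
$users    = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$attempts = [];
$now      = 1700000000;
$guesses  = ['123456', 'password', 'letmein', 'qwerty', 'admin', 'secret', 'hunter2'];
foreach ($guesses as $i => $guess) {
    $r = attempt_login($attempts, $users, 'admin', $guess, '203.0.113.5', $now + $i);
    printf("attempt %d (%s): ok=%s retry_after=%d\n", $i + 1, $guess,
        var_export($r['ok'], true), $r['retry_after']);
}
// The real user, once the window has passed, gets in and resets the counter.
$r = attempt_login($attempts, $users, 'admin', 'correct horse', '198.51.100.7',
                   $now + LOGIN_WINDOW + 10);
printf("after window: ok=%s\n", var_export($r['ok'], true));
```

The per-account counter is also a lever an attacker can pull against you: anyone who knows the admin username can keep it in backoff. That is why the example delays rather than hard-locks, keeps a separate per-address counter, and verifies a dummy hash for unknown usernames so response time does not confirm which accounts exist.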

----------

