Not again! Yep another evening down the tube.
The mirrors are all down still. Does make you wonder if a "smart" hacker is DoS attacking them while they work out where the hack is!
Hohum .... alternatives to phpBB anyone?
|Hohum .... alternatives to phpBB anyone? |
vbulletin, but they've had a few security updates recently.. personally upgrading phpbb is a LOT easier than vbulletin..
|Note: it seems that the download isn't yet available from the mirrors, but it should be there soon. |
Lots of SourceForge mirrors do not have it -- I found one that does: Ishikawa, Japan
The vBB security upgrades could also be handled by patches if you didn't want to go through the whole process.
This spate of security updates for major forum packages shows that it's a good thing to disguise your forum as much as possible. "Powered by", version info, etc., all make a forum an easier target. I'd never rely purely on "security by obscurity", but every little barrier helps.
|"Powered by", version info, etc., all make a forum an easier target. |
But would it really help for attackers who use automated programs to try to obtain unauthorised access to a forum? They will just go for a known filename, like: www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites.
Thanks for the alert - Ishikawa, Japan mirror has the changed files.
Beat me to it.
|They will just go for a known filename, like: www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites. |
- disallow all your .php files in robots.txt
- use mod_rewrite to make viewtopic and viewforum and /index.php appear as .html files.
- delete memberlist.php, viewonline.php, faq.php
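As an added example (not taken from the post above, and not phpBB's own code), here is what those three suggestions look like as an Apache 2.2 .htaccess for a phpBB 2 install assumed to live under /forum/ with mod_rewrite available. The public URL scheme (topic-N.html, post-N.html, forum-N.html) is my own choice; phpBB's templates would still have to be edited to emit those links, otherwise the board keeps advertising the .php names itself.

```apache
# /forum/.htaccess  (added example; assumes phpBB 2.x installed under /forum/)
RewriteEngine On
RewriteBase /forum/

# Public ".html" URLs mapped back to the real scripts (QSA keeps ?highlight=... etc.):
#   /forum/topic-123.html      -> viewtopic.php?t=123
#   /forum/topic-123-15.html   -> viewtopic.php?t=123&start=15
#   /forum/post-456.html       -> viewtopic.php?p=456   (post permalinks)
#   /forum/forum-7.html        -> viewforum.php?f=7
#   /forum/index.html          -> index.php
RewriteRule ^topic-([0-9]+)\.html$            viewtopic.php?t=$1           [L,QSA]
RewriteRule ^topic-([0-9]+)-([0-9]+)\.html$   viewtopic.php?t=$1&start=$2  [L,QSA]
RewriteRule ^post-([0-9]+)\.html$             viewtopic.php?p=$1           [L,QSA]
RewriteRule ^forum-([0-9]+)\.html$            viewforum.php?f=$1           [L,QSA]
RewriteRule ^index\.html$                     index.php                    [L,QSA]

# Rewriting alone hides nothing: the original .php URLs still answer.
# Refuse *direct* external requests to the rewritten scripts, but let the
# internal sub-requests produced by the rules above through. Apache sets
# REDIRECT_STATUS on an internal redirect, so an empty value means "came
# straight from the client".
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(viewtopic|viewforum)\.php$ - [F,L]

# The post suggests deleting memberlist.php, viewonline.php and faq.php.
# If you would rather keep the files on disk (easier future upgrades),
# deny them instead. Apache 2.2 syntax; 2.4 uses "Require all denied".
<FilesMatch "^(memberlist|viewonline|faq)\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

Two caveats a practitioner should weigh before relying on this. The matching robots.txt entries (Disallow: /forum/viewtopic.php and so on) are advisory only: a scanner ignores them, and the file itself lists exactly which scripts exist, so it hides nothing from the blind probing the earlier reply describes. The part that actually changes what a probe sees is the [F] rule, which turns a direct hit on viewtopic.php into a 403; a 403 still tells the scanner the file is there, though, and scripts not covered by it (posting.php, login.php, profile.php) remain reachable under their normal names. This is a barrier on top of patching, not a substitute for it.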
The details of the vulnerability have been published in this iDefense Advisory [idefense.com]. The problem exists with the avatar upload function, which can be abused to access arbitrary files on the server.
|Exploitation of this vulnerability allows remote attackers to view arbitrary system files under the privileges of the underlying web server. An attacker must have, or be able to create an account on the target system. Non-default settings must also be enabled for exploitation to be possible. |
|"Enable remote avatars" and "Enable avatar uploading" must be enabled for the target to be vulnerable. |
It sounds as if most installations would be unaffected by this vulnerability. That doesn't mean that you don't need to update, but there is a lesser need for urgency than for the 2.0.11 release. A simple workaround is to simply disable remote avatars and avatar uploading.
I updated with the patch file last night with no particular problems: a few hunk failures where I'd previously made big changes, but it was easy enough to add the missing patches manually with the help of the .rej files. Things should go smoothly in most cases.
Thanks for the heads up encyclo. Will be fixing mine up tonight.
For those with modded forums, they are providing a changes update in the form of a mod.
Took me very little time to upgrade:
I gave up on phpbb a little while ago and switched to SMF ( [simplemachines.org...] ) and it works great, easy to convert over basic forums, if yours is heavily modified it might be a bit more work but still possible.
One thing that I like is having them send out notices about releases through their support forum. And it also tells you in the admin console with an easy link to update ;)