|Client's phpBB 2.0.3 forum hacked by "Serbian Hacker"|
question... is phpBB inherently insecure?
Just got a message from an SEO client that their phpBB 2.0.3 forum was hacked by the "Serbian Hacker." Forgive me if this is old news... I'm generally not involved with forum software.
The client tells me that they had been promptly following all suggested security updates, in part because I'd warned them about a prior series of phpBB hacks.
They're now considering going to another forum package, in part because they've been told that because phpBB is open source, it is inherently insecure. I'm sure this makes for a bigger target for hackers, but are there core security problems with phpBB (or, for that matter, with php itself) that would make such a move advisable?
PS: I realize the v2.0.3 build on this is complete conjecture and possibly a misstatement. I based it on the build of another forum they sent me to that had been hacked. The client has taken its bbs down for the time being.
At the time of writing the current version of phpBB stands at 2.0.14, so if the board they are running is only at 2.0.3, then they are 11 versions behind current. In that time there have been several extremely serious security problems which would enable a cracker to have complete access to the board. (I understand that the version number might be incorrect).
|because phpBB is open source, it is inherently insecure |
That is simply untrue, as the current state of Windows security shows: open source means that there can be no "security by obscurity", i.e. no hiding of known bugs by the vendor. This means that crackers have easier access to the source code to analyze, but overall the security record of open source is enviable compared to closed source.
It is difficult to pinpoint the exact problem here without examining the site and server in question, but you could hypothesize that the phpBB was unpatched or incorrectly patched, or it may also be that the cracker got in using another vector: there have been recent vulnerabilities in PHP itself (prior to 4.3.10) and in the Awstats package, for example. The phpBB site itself was recently hacked in much the same manner, and it was the Awstats vulnerability which was the cause, not any phpBB one.
I posted a thread about phpBB security best practices a few months back which might interest you: [webmasterworld.com...]
phpBB has been through a few rough periods, but the current version is a very solid base for building a forum, with heavily-analysed and tried-and-tested code. You can't be sure that there are no more vulnerabilities, but it remains one of the best choices around for a general-purpose forum package.
encyclo - Thanks. I realized right after I'd posted that I had the version number wrong... and in fact I'd posted an alert here in December that some boards I use had been hacked and that upgrading to v2.0.11 was important. Unfortunately, we can't edit titles on our posts.
The v2.0.3 came from the version number of a site that was hacked by the same hacker. The client has taken its forum down temporarily, so I don't know whether they'd upgraded.
The client is considering another software package based on a recommendation from their developer... and I'm trying to get forearmed for discussions on the matter, because the phpBB installation was spiderable, and the developer is basically a designer, not a programmer. When I find out what that package is, I'll look into it, and I may post further.
Turns out the client is considering UBB Threads. I don't think they need the additional features. They're just thinking it's more secure.
I can find only limited info about UBB on WW... and nothing about the security aspect. Any specifics about UBB security to add here?
If the client is ten versions behind on phpBB, I would guess that ANY software they use will present a security risk. I suppose a "security through obscurity" approach might help a bit, but they really need a forum admin to keep on top of things. Critical updates need to be posted within hours, or at most a day or two, to avoid disaster.
|If the client is ten versions behind on phpBB... |
Please... please... please. I stated above that v2.0.3 was incorrect. I know they had at least v2.0.12, and I'm still trying to determine whether they'd upgraded to 2.0.13, which is considered a "safe" version.
Just shows the power of a title. BestBBS is my favorite board in the world, but I sure wish there were some way I could go back and edit the title and correct the first message.
Anyway, I'm in full agreement about open source... and I'm perhaps gradually bringing the client around... but to do so I had to ask what others with specific knowledge of phpBB thought about its security, assuming all is upgraded and patched.
The client has gone ahead and purchased UBB, and I'm thinking that keeping it secure will require as much attention as keeping phpBB secure. Anyone have any experience in this that they can share?
However, keep in mind that many sites are compromised when they are on old versions, and accounts are obtained or created and not used till a further point. It could have been an old issue taken advantage of later, using information gained during an exploitable time.
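The dormant-account pattern described in the post above can be checked for directly in the board's database. The following is an added example, not something posted in this thread; it assumes a stock phpBB 2.0.x MySQL schema (table prefix `phpbb_`, `user_regdate` and `user_lastvisit` as Unix timestamps, `user_level` 1 = administrator and 2 = moderator), and the two window dates are placeholders for when the unpatched version went live and when it was patched.

```sql
-- Added example (not from the thread). Assumes a stock phpBB 2.0.x schema.
-- Placeholder dates: replace with the dates the board ran an unpatched version.
SET @window_start = UNIX_TIMESTAMP('2004-11-01');  -- placeholder: vulnerable version installed
SET @window_end   = UNIX_TIMESTAMP('2005-02-15');  -- placeholder: board upgraded / patched

-- 1. Every account holding admin or moderator level, regardless of age.
--    Any name here that the forum owner does not recognise needs explaining.
SELECT user_id, username, user_level,
       FROM_UNIXTIME(user_regdate)   AS registered,
       FROM_UNIXTIME(user_lastvisit) AS last_visit
FROM phpbb_users
WHERE user_level IN (1, 2)
ORDER BY user_regdate;

-- 2. Accounts registered during the exposure window that have never come back
--    since registering: the "created now, used later" accounts the post describes.
--    user_lastvisit is 0 for accounts that never completed a visit, so the
--    comparison below catches both never-visited and visited-only-at-signup rows.
SELECT user_id, username, user_email,
       FROM_UNIXTIME(user_regdate) AS registered
FROM phpbb_users
WHERE user_id > 0                                   -- skip the anonymous/guest row (-1)
  AND user_regdate BETWEEN @window_start AND @window_end
  AND user_lastvisit <= user_regdate
ORDER BY user_regdate;
```

Run these after the upgrade, before reopening the board; disabling or deleting the accounts that surface and rotating every remaining admin password closes the window the post is warning about.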
Sorry, I didn't notice the version clarification. I think the rules for securing forums aren't all that different from dealing with most software that users interact with. I highly recommend Encyclo's thread - it's a great primer on security.
Don't forget frequent and secure backups - if the worst happens, you know you can be back in business very quickly.