

Important phpBB security upgrade

phpBB 2.0.11 released


encyclo

4:11 pm on Nov 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just a quick heads-up to all of you running a phpBB forum: there is a very serious security vulnerability in all versions of phpBB up to and including version 2.0.10.

The latest version (2.0.11) is now available from phpbb.com which corrects the problem, so you need to update your installation as soon as possible.

If you can't update straight away, at least apply the fix as described here:

[phpbb.com...]

If you don't update and you subsequently have problems, don't say we didn't warn you ;)

dillonstars

1:26 pm on Dec 13, 2004 (gmt 0)

10+ Year Member



I had problems upgrading my copy... what is the simplest way to upgrade from 2.0.10 without losing templates etc?...

webwit

2:51 pm on Dec 13, 2004 (gmt 0)

10+ Year Member



Is it OK to upgrade it the way I did below?

I renamed my forum directory to forumOLD, as a temp backup just in case I ran into a problem.

I downloaded 2.0.11, and uploaded it to the original forum directory, but did not upload the install and contrib files.

Then I uploaded my original config file from forumOLD.

Everything seems to work fine.

Is this OK, or is there a reason to run install again?

Doing it this way only took 5 minutes, and is an easy fix for anyone if it works OK.

Thanks!

fcharrua

5:42 pm on Dec 13, 2004 (gmt 0)

10+ Year Member



lawman, I run into people that tell me things like, "do you want to reinvent the wheel", and "ask people to make their own clock".

I am not asking for anything like that. Telling people to invent their scripting language, then writing a script for it would.

All I am saying is, instead of asking me for the time, buy a watch, and put it on your wrist. You do not believe me, but I've seen it. People have more trouble configuring 3rd party software than they would if they maintained their own scripts. Believe me, it's worth the time. Learn PHP and MySQL, you will feel like you own your site. Also, hackers have better things to do than write cracks for scripts that only a few people use.

rogerd

7:35 pm on Dec 13, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



fcharrua, I agree that running self-created software is one way to avoid exploits which target the high-market share apps, but writing a functional forum package is way beyond what most webmasters can do (or are willing to do). Most will rely on commercial or open-source software. In this thread, let's focus on the phpBB exploit/patch/upgrade issue; if people want to talk about "write your own" forum software, let's start a different thread for that purpose.

One fairly scary aspect about this exploit is that many web hosts will auto-install phpBB for their shared hosting clients; it's free, and well-regarded. Now, these hosts have hundreds or thousands of installations that may be compromised. Usually, the software is maintained by the user after initial installation - they may have applied hacks or changed code on their own, which means the host can't just slap in replacement code. Messy situation...

faltered

7:43 pm on Dec 13, 2004 (gmt 0)

10+ Year Member



I downloaded the update but have not installed it yet.

If I install it, will I lose all of my current threads and settings? I couldn't find online if this would happen or not, so I've waited so far.

TIA

Dave_Palmer

9:49 pm on Dec 13, 2004 (gmt 0)

10+ Year Member



From all the reports I've seen about hacking attempts on 2.0.10 (and earlier) boards, and boards that upgraded to 2.0.11 *after* they had already been hacked (and had backdoors installed), I'd recommend to EVERYONE to upgrade their forums right away.

Dillonstars: the upgrade from 2.0.10 to 2.0.11 won't directly affect any templates, so you should be okay. If you have any mods installed, you might have to reinstall them if they've modified files that are included in the 2.0.11 upgrade.

Faltered: you won't lose any of your current threads or settings by upgrading to 2.0.11 -- but, as with any upgrade, be sure to back up your database and forums directory first. And based on what's going on with the forums that *haven't* been modified, there's definitely a chance you could lose everything if you don't upgrade...

Good luck!

Dave

vkaryl

2:31 am on Dec 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



webwit: went one better, did pretty much the same as you did, but uploaded only the files from the "Changed Files" package. Seems to be working just fine, though I still have to retweak all the files for my mods. Oh well - small price to pay for security!

[Edit: if you use the Changed Files Only method, you need to set up an install folder under your phpBB2 folder, put the update_to_2011.php file in it, then open a browser window and navigate to your phpBB2 folder and run the update file to change the version number....]

[edited by: vkaryl at 2:46 am (utc) on Dec. 14, 2004]
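The upgrade path webwit, Dave_Palmer and vkaryl describe (keep the old tree as a backup, copy the new release over without the install and contrib files, put your own config file back, then run the update script) as a shell helper. This is an added example, not code from the thread or from the phpBB project; it assumes the release is already unpacked locally, that the site's own settings live in config.php at the top of the forum directory, and that mysqldump can read credentials from your own configuration.

```shell
#!/bin/sh
# Added example (not from the thread or from phpBB): a backup-then-upgrade
# helper for a phpBB 2.0.x tree, following the steps the posters describe.
# Assumptions: $new is the unpacked release, $forum is the live forum
# directory, and config.php sits at the top of $forum.
set -e

# Back up the live forum directory as a tarball next to it, and the
# database with mysqldump when a database name is given (assumed:
# credentials come from ~/.my.cnf or similar).
# Usage: backup_forum FORUM_DIR [DB_NAME]   -> prints the backup prefix
backup_forum() {
    forum=$1
    db=${2:-}
    stamp=$(date +%Y%m%d%H%M%S)
    tar -czf "${forum}.${stamp}.tar.gz" \
        -C "$(dirname "$forum")" "$(basename "$forum")"
    if [ -n "$db" ]; then
        mysqldump "$db" > "${forum}.${stamp}.sql"
    fi
    echo "${forum}.${stamp}"
}

# Copy the unpacked release into the forum directory, skipping the
# install/ and contrib/ trees, then restore the site's own config.php
# (the release ships a placeholder one that would overwrite it).
# Usage: deploy_release NEW_RELEASE_DIR FORUM_DIR
deploy_release() {
    new=$1
    forum=$2
    cp "$forum/config.php" "$forum/config.php.keep"
    # Every regular file in the release except those under install/ or
    # contrib/; directories are recreated as needed.
    (cd "$new" && find . -type f \
        ! -path './install/*' ! -path './contrib/*' -print) |
    while IFS= read -r rel; do
        mkdir -p "$forum/$(dirname "$rel")"
        cp "$new/$rel" "$forum/$rel"
    done
    mv "$forum/config.php.keep" "$forum/config.php"
}

# Final state check once the update script has been run and the install
# folder removed again: config.php still carries the site's own marker
# (e.g. its database name) and neither install/ nor contrib/ exists.
# Usage: verify_upgrade FORUM_DIR CONFIG_MARKER   -> prints OK on success
verify_upgrade() {
    forum=$1
    marker=$2
    grep -q "$marker" "$forum/config.php" || return 1
    [ ! -e "$forum/install" ] || return 1
    [ ! -e "$forum/contrib" ] || return 1
    echo OK
}
```

Between deploy_release and verify_upgrade, do what vkaryl's edit says: create the install folder under the forum directory with only update_to_2011.php in it, run it through the browser so the stored version number is updated, and then delete that folder so no installer is left reachable on the live site; verify_upgrade fails on purpose while it is still there.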

dvduval

2:35 am on Dec 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, I had one of mine hacked just yesterday. It wasn't a busy forum, and the problem was very easy to fix, but definitely patch your boards up right away.

Teknorat

2:35 am on Dec 15, 2004 (gmt 0)

10+ Year Member



My host notified everyone so I had it done the next day :D

webwit

3:19 pm on Dec 15, 2004 (gmt 0)

10+ Year Member



What about taking the version number off the footer?

I upgraded and know what the version number is.

Why let hackers know what version you are using?

androidtech

3:21 pm on Dec 15, 2004 (gmt 0)

10+ Year Member



Note to everyone.

A nice feature about 2.0.11 is built-in visual confirmation (CAPTCHA) checking during registration. You have to turn it on from the Administration Panel->Configuration menu, but since we've done so, it's stopped the frequent spam registrations we used to get.

thx

vkaryl

5:47 pm on Dec 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmmm. webwit, that's an interesting observation. Maybe a good idea....

encyclo

7:33 pm on Dec 16, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



webwit, your update method should work well, but you should also run the appropriate update script from the 2.0.11 install directory. You're correct in saying that it's a good idea to remove the version number from the footer, even though in itself it adds no real additional security other than obscuring the fact that you might be running an outdated version.

I have added a thread with some ideas for improving general security here [webmasterworld.com].
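The footer change webwit suggests and encyclo qualifies, as an added example that is not from the thread or from phpBB. It assumes the footer template is templates/subSilver/overall_footer.tpl and that the version is rendered through a {PHPBB_VERSION} placeholder (check your own copy; both are assumptions). It keeps a .bak copy so the change can be undone, and includes a check you can rerun after future upgrades, since a replaced template puts the token back.

```shell
#!/bin/sh
# Added example (not from the thread or from phpBB): hide the version
# number in a phpBB 2 footer template. Assumed template and token:
# templates/subSilver/overall_footer.tpl and {PHPBB_VERSION}.
set -e

# Usage: footer_leaks_version TEMPLATE_PATH   -> prints yes or no
footer_leaks_version() {
    if grep -q '{PHPBB_VERSION}' "$1"; then echo yes; else echo no; fi
}

# Usage: hide_footer_version TEMPLATE_PATH
# Makes a .bak copy, strips every {PHPBB_VERSION} token, and prints how
# many were removed; returns 1 if the template does not exist.
hide_footer_version() {
    tpl=$1
    [ -f "$tpl" ] || return 1
    count=$(grep -o '{PHPBB_VERSION}' "$tpl" | wc -l | tr -d ' ')
    cp "$tpl" "$tpl.bak"
    sed 's/{PHPBB_VERSION}//g' "$tpl.bak" > "$tpl"
    echo "$count"
}
```

As encyclo says, this only removes an easy hint; it is a small extra on top of the upgrade, not a substitute for it.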

jimmyboy

1:08 pm on Dec 17, 2004 (gmt 0)

10+ Year Member



Does anyone know if the 'hackers' can access other files on your website besides the phpBB forum files through this phpBB exploit? One of my sites that was running a phpBB forum and also other pages was first defaced and then deleted recently. Just wondering whether the hackers used this exploit. I had a backup so was able to restore the site without much problem. But since then I have deleted the phpBB forum from that site.

eaden

1:51 pm on Dec 17, 2004 (gmt 0)

10+ Year Member



Does anyone know if the 'hackers' can access other files on your website besides the phpBB forum files through this phpBB exploit? One of my sites that was running a phpBB forum and also other pages was first defaced and then deleted recently. Just wondering whether the hackers used this exploit. I had a backup so was able to restore the site without much problem. But since then I have deleted the phpBB forum from that site.

Under most common hosting setups, if an attacker breaks in using the 2.0.11 exploit they can access ANY file on the Whole Server!

This is due to the exploit providing shell access as the web server user, and unless you are running PHP under CGI mode (rare) then all websites run as the same user.

So even if you have patched phpBB, if someone else on your server is running an unpatched version you could still be at risk.

And once your site or someone else's site is hacked, they can install a back door and even phpBB will not help. This is common btw, happened on 2 of my servers using 3 different back doors. phpBB did not disclose this properly and I had a go at them, resulting in the 2.0.11 upgrade reminder announcement thread.

submitx

10:43 pm on Dec 17, 2004 (gmt 0)

10+ Year Member



Couple of weeks ago our server crashed. We have a dedicated server. We had phpBB 2.0.9 installed. I am not sure if this caused the problem of the crash, but maybe someone can tell from the symptoms that I will explain. Hosting company had a hard time bringing the server back up for 2 days. They finally said that some config files had been corrupted and they had to reinstall the whole server. They even gave us a brand new server and installed the old drive as a backup. After they brought back the server from the backup by copying all files over from the old hard drive, we found that our phpBB forum folder was missing completely. STRANGE!
Fortunately there was a MySQL data backup on the server so I was able to re-install it. Do you guys think that this was a phpBB hack that caused our server crash?

My suspicion was that this caused the crash and I upgraded immediately. Worst part is that I knew of the security upgrade but didn't think it was so serious and ignored it :(
