Ouch. I think 2.0.12 was the shortest-living version of any software package, and whilst 2.0.12 fixed minor bugs, this one fixes a bug which gives anyone Administrator access to a board.

If you do nothing else, do this (don't post until you've done it!):

Open

includes/sessions.php

Find:

if( $sessiondata['autologinid'] == $auto_login_key )

Replace with:

if( $sessiondata['autologinid'] [b]===[/b] $auto_login_key )

It's amazing how much damage a missing equals sign can do.

Cheers for the heads up.

This is getting beyond a joke, 2.0.13 already?
I'm getting fedup of spending most of my day upgrading the board and reinstalling all my mods.

Luckily these ones are patchable.

I do like the new little warning system in the admin panel though, first thing I did after reading that was come here!

I've got around 20 forums.
Fortunately, I was able to update all them in about 30 minutes. I guess I'm a seasoned pro now. :)
The 2.012 update is a little more lengthy.

The next version of phpbb (3.0) is designed with many more security features.

Anytime a peice of software gets popular, you can bet people will find exploits.

I've noticed a few of these 404s in my logs lately:

[example.com...]
[example.com...]

and the like. I don't have Phpbb, but I presume this is aimed at people who forget to delete certain files that they really should.

if you believe anyting those guys say about security at this point you need help.

I am grateful that they are very open and very quick to fix things but I don't expect anything out of them thats not buggy.

Have you actually read the code? Awful stuff.

Rosalind, they are looking for "half" installed copies of phpBB.

phpBB will not "work" until you delete the /install and /contrib directories. As such, some hosts, install it up to this point for new users, and the new users forget about it because they don't use it.

dvduval,

How do you update 20 forums in 30 minutes?

I'm running 7 forums and it takes almost days to update them all...then readd the mods.

2.013 is 2 lines of code

Gotcha, I thought you referring to 2.0.12 as well.

Just curious, do you use the patches or do you just overwrite with the new files and readd your mods?

wow that was a waste of time lol :P too many forums!

This is getting silly with all the holes in phpBB. I like phpbb's functionality but I don't like the possibility of my server being owned by scriptkiddies through some forum software.
phpBB is just insecure software, so it seems. I looked at the code a bit and I'm sure I could find lots more security holes. But then again when I search on google for exploits on any given phpBB alternative coded in PHP I find lots for them as well :-(
I'd code a secure forum from the ground up myself but it would be a massive amount of work to match phpBB's functionality. Really a bit lost here what I should use for a forum.

I like phpBB and want to use it, but the rise in popularity and consequent malicious attacks mean that security needs to be as good as the software itself. Continuous fixes are not really a viable solution for such widespread software, and I can't have phpBB on my site if it means waiting for a security breach to happen.

What about VBulletin, is it safer?

Thanks,

Jeremy

Are there any other decent free alternatives to phpbb? (that would also be able to import my phpbb messages?)

>>What about VBulletin, is it safer?

I don't know if it is inherently safer from a design viewpoint, and I don't want to get into the "open source is more/less prone to hacks than commercial software" debate.

vBB has had about three or four security updates in the last six months or so; all were available as upgrades (incorporating other minor stuff, too) but could be patched by uploading a file or two if you just wanted the security protection. This is quite a bit less pain than phpBB admins have had in the same time period, but I don't think one can generalize from this fairly short time span.

I am in a similar boat.

I am trying to deploy this commercial site that requires, more precisely, depends on discussion forums.

I have to find a decent CMS and a decent forum software that will work with the CMS.

Top two players in the industry are phpBB and vBulletin. Do I go with phpBB and hope for the best when it comes to security backups?
Or do I pay for vBulletin and still hope that the support is truly there?

I have read some horror stories on vBulletin's site, about their customer support and how they treat them unprofessionally. This is second hand, so you will have to research it.

Of course, you will find just as many horror stories about phpBB code failing. Expectation of support on the other hand is much lower when it's a "free" package.

So do I drop several hundred dollars, then pay annual fee, and get bad service, possibly bad code, or do I pay nothing and get bad service and possibly bad code?

As far as security is concerned, SecurityFocus BUGTRAQ reports about 40% more vulnerabilities and Advisories for phpBB then to vBulletin. Taking that and then looking at the number of public vBulletin and phpBB pages, phpBB has about 78% more pages. (19,500,000 vBulletin and 92,000,000 for phpBB on google "+vBulletin" and "+phpBB" searches)

So as far as I am concerned they both are as bad or as good (half empty or half full) when it comes to security.

It's a perfect "loose loose" scenario for a webmaster.

do more research there are tons more forums out there to choose from

I just made a site with Mambo CMS and VBulletin.
There is a guy that offer the plugin for integrating both for $10.

I run PHPbb on other site and I like it, but have to do all critical upgrades. But same thing with any other software.

You run windows on your computer and all the time need to upgrade it too.

My problem now is that my PHPbb is very moded, so I can't just run the patch to upgrade it, I have to do changes manually. I can't find them.

"so I can't just run the patch to upgrade"

You can take the patch and read it, do the updates from that, it's kind of a pain, but it's ok.

! means change that line
+ means it's a new addition

Not the best way for sure.

They should do a mod type change document for upgrades when you have a lot of mods, but the patch document has the information you need.

Almost any major application has security holes, and frequent patches to fix it, Windows, Linux, OS X, whatever, it's the nature of the beast. Apparently phpbb 3 is going to be much more secure by design.

Easy to see why Brett wrote his own though.

Yep. I'll stick with phpBB for now. Maybe go to Brett's when he releases it :P

Im afraid of losing all my forum data, by uploading the new version.

Upgrading will not change any of your forum data. All your forum data is stored in a database, separate from the phpBB files. Unless you have installed mods to your forum, you can just overwrite the old files with the new versions, except for config.php. You don't want to overite config.php because it contains your forum configuration.

Elijah's right, cooldoug, but it's a very good idea to backup your forum prior to an upgrade. That will protect you in the event the data would become corrupted following the upgrade.

I'm running phpNuke and they are WAAY behind on phpBB version. I've had to manually go through all the patches line-by-line from 2.0.6 up to make sure I was getting everything right. Still, I'd rather have to do that than ignore the security and get "0wn3rz3d".

the 11 to 12 was definately more of a pain than this one.

On the upgrade from 2.011 ro 2.012 I was able to overwrite all the files except the template files. So to do one forum I:
1) Uploaded and overwrote all the files except in the templates
2) Changed the template files by hand
3) ran update_to_latest.php

It still only takes about 5-10 minutes per forum. The upgrade to 2.013 is literally 2 lines of code. So to upgrade to 2.012 and then 2.013 for 20 forums still took less than 2 hours.

I'd like to echo that all popular software requires patches.

Ok, I wasnt sure if I would lose all my data. Also, I am running it from a free mysql with only 4mb. If I change it to another database, will I lose all the data then?

>>If I change it to another database, will I lose all the data then?

Cooldoug, can you explain what you mean?

cooldoug, backup your database using the built in phpbb database backup utility, then you can save that file to your local machine, then when you move your site you just import it, if it's less than 4 mB, with the phpbb import db utility, or if it's larger, which yours couldn't be, you just do it from the command line.

Exploits have already been found for PHPBB 2.0.13 where you can use HTML even if its switched off by the boards.
Its an LOW threat exploit, but its there.

Ive been with PHPBB since 2.0.0 and I own one of the largest forums of its genre on the internet. So updating all the time really sucks. :S

"So updating all the time really sucks."

The servers running phpBB are being updated all the time too, at least if you use competent hosting, there are security patches released constantly for Linux/Unix type OS's, just like with Windows. Most users just don't see that process. With phpbb you get the joy of actually doing the updates. I just look at it as work, part of the job. It's not that big a deal, even with mods, it's not more than an hour to go from 11 to 13, as work goes, 1 hour in 3 months is not a lot of time.

Run a test forum on your development server, same code, same db, then you can test these fixes safely, once tested, upload and update db / site. That drops the unpredictable level a lot.