Welcome to WebmasterWorld Guest from 184.108.40.206
Forum Moderators: rogerd
See the announcement here: [phpbb.com...]
...The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible...
You can download it here: [phpbb.com...]
Just wanted to alert you guys,
If you do nothing else, do this (don't post until you've done it!):
if( $sessiondata['autologinid'] == $auto_login_key )
if( $sessiondata['autologinid'] [b]===[/b] $auto_login_key )
It's amazing how much damage a missing equals sign can do.
This is getting beyond a joke, 2.0.13 already?
I'm getting fedup of spending most of my day upgrading the board and reinstalling all my mods.
Luckily these ones are patchable.
I do like the new little warning system in the admin panel though, first thing I did after reading that was come here!
The next version of phpbb (3.0) is designed with many more security features.
Anytime a peice of software gets popular, you can bet people will find exploits.
I am grateful that they are very open and very quick to fix things but I don't expect anything out of them thats not buggy.
Have you actually read the code? Awful stuff.
What about VBulletin, is it safer?
I don't know if it is inherently safer from a design viewpoint, and I don't want to get into the "open source is more/less prone to hacks than commercial software" debate.
vBB has had about three or four security updates in the last six months or so; all were available as upgrades (incorporating other minor stuff, too) but could be patched by uploading a file or two if you just wanted the security protection. This is quite a bit less pain than phpBB admins have had in the same time period, but I don't think one can generalize from this fairly short time span.
I am trying to deploy this commercial site that requires, more precisely, depends on discussion forums.
I have to find a decent CMS and a decent forum software that will work with the CMS.
Top two players in the industry are phpBB and vBulletin. Do I go with phpBB and hope for the best when it comes to security backups?
Or do I pay for vBulletin and still hope that the support is truly there?
I have read some horror stories on vBulletin's site, about their customer support and how they treat them unprofessionally. This is second hand, so you will have to research it.
Of course, you will find just as many horror stories about phpBB code failing. Expectation of support on the other hand is much lower when it's a "free" package.
So do I drop several hundred dollars, then pay annual fee, and get bad service, possibly bad code, or do I pay nothing and get bad service and possibly bad code?
As far as security is concerned, SecurityFocus BUGTRAQ reports about 40% more vulnerabilities and Advisories for phpBB then to vBulletin. Taking that and then looking at the number of public vBulletin and phpBB pages, phpBB has about 78% more pages. (19,500,000 vBulletin and 92,000,000 for phpBB on google "+vBulletin" and "+phpBB" searches)
So as far as I am concerned they both are as bad or as good (half empty or half full) when it comes to security.
It's a perfect "loose loose" scenario for a webmaster.
I run PHPbb on other site and I like it, but have to do all critical upgrades. But same thing with any other software.
You run windows on your computer and all the time need to upgrade it too.
My problem now is that my PHPbb is very moded, so I can't just run the patch to upgrade it, I have to do changes manually. I can't find them.
You can take the patch and read it, do the updates from that, it's kind of a pain, but it's ok.
! means change that line
+ means it's a new addition
Not the best way for sure.
They should do a mod type change document for upgrades when you have a lot of mods, but the patch document has the information you need.
Almost any major application has security holes, and frequent patches to fix it, Windows, Linux, OS X, whatever, it's the nature of the beast. Apparently phpbb 3 is going to be much more secure by design.
Easy to see why Brett wrote his own though.
the 11 to 12 was definately more of a pain than this one.
It still only takes about 5-10 minutes per forum. The upgrade to 2.013 is literally 2 lines of code. So to upgrade to 2.012 and then 2.013 for 20 forums still took less than 2 hours.
I'd like to echo that all popular software requires patches.
The servers running phpBB are being updated all the time too, at least if you use competent hosting, there are security patches released constantly for Linux/Unix type OS's, just like with Windows. Most users just don't see that process. With phpbb you get the joy of actually doing the updates. I just look at it as work, part of the job. It's not that big a deal, even with mods, it's not more than an hour to go from 11 to 13, as work goes, 1 hour in 3 months is not a lot of time.
Run a test forum on your development server, same code, same db, then you can test these fixes safely, once tested, upload and update db / site. That drops the unpredictable level a lot.