Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: rogerd
The client tells me that they had been promptly following all suggested security updates, in part because I'd warned them about a prior series of phpBB hacks.
They're now considering going to another forum package, in part because they've been told that because phpBB is open source, it is inherently insecure. I'm sure this makes for a bigger target for hackers, but are there core security problems with phpBB (or, for that matter, with php itself) that would make such a move advisable?
PS: I realize the v2.0.3 build on this is complete conjecture and possibly a misstatement. I based it on the build of another forum they sent me to that had been hacked. The client has taken its bbs down for the time being.
because phpBB is open source, it is inherently insecure
That is simply untrue, as the current state of Windows security shows: open source means that there can be no "security by obscurity", ie. no hiding of known bugs by the vendor. This means that crackers have easier access to the source code to analyze, but overall the security record of open-source is enviable compared to closed-source.
It is difficult to pinpoint the exact problem here without examining the site and server in question, but you could hypothesize that the phpBB was unpatched or incorrectly patched, or it may also be that the cracker got in using another vector: there have been recent vulnerabilities in PHP itself (prior to 4.3.10) and in the Awstats package, for example. The phpBB site itself was recently hacked in much the same manner, and it was the Awstats vulnerability which was the cause, not any phpBB one.
I posted a thread about phpBB security best practices a few months back which might interest you: [webmasterworld.com...]
phpBB has been through a few rough periods, but the current version is a very solid base for building a forum, with heavily-analysed and tried-and-tested code. You can't be sure that there are no more vulnerabilities, but it remains one of the best choices around for a general-purpose forum package.
The v2.0.3 came from the version number of a site that was hacked by the same hacker. The client has taken its forum down temporarily, so I don't know whether they'd upgraded.
The client is considering another software package based on a recommendation from their developer... and I'm trying to get forearmed for discussions on the matter, because the phpBB installation was spiderable, and the developer is basically a designer, not a programmer. When I find out what that package is, I'll look into it, and I may post further.
If the client is ten versions behind on phpBB...
Please... please... please. I stated above that v2.0.3 was incorrect. I know they had at least v2.0.12, and I'm still trying to determine whether they'd upgraded to 2.0.13, which is considered a "safe" version.
Just shows the power of a title. BestBBS is my favorite board in the world, but I sure wish there were some way I could go back and edit the title and correct the first message.
Anyway, I'm in full agreement about open source... and I'm perhaps gradually I'm bringing the client around... but to do so I had to ask about what others with specific knowledge of phpBB thought about its security, assuming all is upgraded and patched.
The client has gone ahead and purchased UBB, and I'm thinking that keeping it secure will require as much attention as keeping phpBB secure. Anyone have any experience in this that they can share?
Don't forget frequent and secure backups - if the worst happens, you know you can be back in business very quickly.