I've heard rumors saying that phpBB is not safe and that it's easy to hack?

There is a level of "hackability" with any open-source software, as anyone has access to the full source code, and therefore the ability to find flaws and loopholes in it. I wouldn't go so far as to say that phpBB is not safe though - the development team keeps pretty current and addresses security holes fairly quickly. As you could imagine though, phpBB isn't as secure as forum software such as vBulletin, which has a $160 price tag associated with it, therefore making it harder for hackers to obtain the code. In addition, due to the price tag, the developers seem to have more of an obligation to address bugs quicker than phpBB developers, who are not monetarily compensated.

Thanks for your explanation. That was quick!!! Amazing!!!

Well, you're correct, Dani, but a new thing to the phpBB is that phpBB 2.0.11 has just been released, which fixes a major security exploit and cures a SQL Injection for changing usernames. Another thing is that phpBB 2.2 is going to be more stable and will be dynamically a more secure forum software. It will also be compatible to changing file permissions so they are not viewable and such. Whatever it is, it's going to be good. Also, 2.0.11 now officially has an implemented Robot Registration Flood mod, which needs a confirmation code to register, a bit more secure. Overall, I love phpBB, but vBulletin is my choice for security, eh, at least for now. :D

I happen to like integramod quite well. It seems much more professional and secure than phpbb and it has many more features. Takes a bit of getting used to but is nice. I've got it running on my site (for about 7 days now) if you'd like to see it in action:

http://linuxportal.sytes.net

Basically, what IntegraMod is, is a phpBB installation that has a bunch of popular mods/hacks installed to it, so that you don't have to go hack extra features (such as those available at phpbbhacks.com) into it manually. Nevertheless, it's phpBB :)

Yes, it is phpBB basically, just with some added features. IntegraMod is basically like FullyModded phpBB, I forget, I think that's the name. So, basically it is phpBB, just with some added hacks and other security features. In my opinion when it comes down to it, IntegraMod is still at an even level, because with all the mods on there, it may not be secure much. You may also prove me wrong. Like Dani said, it's phpBB nevertheless.

Technically speaking, no forum software is a hundred percent secure; new exploits are always discovered by hackers and are exploited quite a lot before the developers fix them. I don't agree with csgal on one thing when she says VB code is difficult for hackers to obtain, because pirated copies of VB are found all over the web. A simple search on Google and you can get it. At the end of the day it's the development that counts; VB and IPB are rapidly developing software, thus security holes are sealed over and over, as compared to open source like phpbb, which hasn't really been developed much.

phpBB 2.0.11 was just released some time ago and fixes a secure exploit, but like the saying goes, once one thing is corrected, another problem is opened. You have to realize, these forum softwares say that they are secure, but when an exploit or something is fixed, another exploit or problem is started but not yet known. All forum softwares would agree.

Looks like we had to upgrade phpbb again. :)

Yes, it works nicely though. ;-)

Hi. I'm new to this board (this is my first post). Here's my question:

I'm running a phpbb2.0.11 board on XP SP2 using apache 2.0.52, php 5.0.3 and mysql 4.0.19. Each of the forums on the board is 'private', and I have three groups of users: group A is granted access to everything, group B is granted access only to some of the forums and group C is granted no special access to anything (it is used so that I can send emails to a subset of the users).

I recently moved a particular user from group A to group B and that user has now told me that she is in fact able to view all of the forums even though she is in the restricted group (she remains in group C as well but that group has no special access rights to anything).

She says that the way she figured out to gain access to the forums she is not supposed to have rights to read was 'simple'.

I'm assuming she did not get a username and password from any user in the other group. Any ideas about what a 'simple' way would be for a user to gain access to a private phpbb forum when she is not in a group that has been granted access and has not separately been granted access as a user? (I checked the DB tables and in fact she is only in the restricted group and no permissions have been changed.)

I know it is possible to crack this stuff through brute strength (particularly since we do not require difficult passwords), but since she said what she did was 'simple' I am guessing that is not what she did.

Any ideas?

Aha!

The user in question has told me exactly what she did to gain entrance: she simply clicked on the link that appears in one of the old topic reply notifications she received a while ago (which she received when she had access to the forum in question) and that takes her right to the topic where she can scroll up or down. But that strikes me as odd, since when I try to sign in as a user without access to a certain forum and then click to a link to a post in that forum, I am properly told there is no such post or topic.

Here's an idea: is it possible that she is only seeing a cached picture of the page she had looked at before (when she originally had received the topic reply notification and clicked the link)? I can't seem to reproduce that with my browser (firefox), but is that a possibility?

Here's the step by step:

1. She has access to Forum X and gets a reply notification email.

2. She clicks the link in the email and looks at the page. Would the browser typically save that in cache??

3. I move her out of the group that has access to Forum X.

4. She goes to that old reply notification email and clicks the link on it.

5. The browser shows her the cached page rather than trying to actually get a new page (since presumably if it tried to get a new page she would get a 'no topic exists' message).

Like I said, I can't reproduce this on my own browser, but does it make sense and is it the most likely explanation? How does a browser know when to get a new page with a particular address versus when to show a cached page?
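
On the caching question in the post above, an added example (not part of the original thread, and not phpBB code): a simplified Python model of how a browser cache decides between reusing a stored page and asking the server again. The header values are constructed samples, and the 10% heuristic lifetime is a common default that is assumed here.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def freshness_lifetime(headers):
    """Seconds a browser cache may reuse the response without asking the server."""
    cc = parse_cache_control(headers.get("Cache-Control"))
    date = parsedate_to_datetime(headers["Date"])
    if cc.get("max-age"):
        return int(cc["max-age"])
    if "Expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
        except (TypeError, ValueError):
            return 0  # an unparseable Expires value counts as already expired
        return max(0, (expires - date).total_seconds())
    if "Last-Modified" in headers:
        # No explicit lifetime: caches may guess, typically 10% of the page's age.
        modified = parsedate_to_datetime(headers["Last-Modified"])
        return 0.1 * max(0, (date - modified).total_seconds())
    return 0

def browser_decision(headers, now):
    """Return 'not-stored', 'revalidate' or 'serve-from-cache'."""
    cc = parse_cache_control(headers.get("Cache-Control"))
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc:
        return "revalidate"
    age = (now - parsedate_to_datetime(headers["Date"])).total_seconds()
    return "serve-from-cache" if age < freshness_lifetime(headers) else "revalidate"

# Constructed sample responses for a private topic page (not captured from phpBB).
SENT = "Mon, 03 Jan 2005 10:00:00 GMT"
NO_POLICY = {"Date": SENT, "Last-Modified": "Fri, 24 Dec 2004 10:00:00 GMT"}
HARDENED = {"Date": SENT, "Cache-Control": "private, no-cache, no-store, max-age=0"}
CLICK = parsedate_to_datetime(SENT) + timedelta(hours=2)  # old e-mail link clicked again

if __name__ == "__main__":
    print(browser_decision(NO_POLICY, CLICK))  # stored copy reused, server not contacted
    print(browser_decision(HARDENED, CLICK))   # nothing stored, server re-checks permissions
```

When a response carries no cache policy, the stored page can be shown again without the server's permission check ever running; `no-store` on permission-gated pages removes that path.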

Hmm, I would have to say that both partners are right. I love phpBB with a passion as well as vB. To me, both are easy to hack up and customize, as I have before. You can check out my forums at www.mdevonline.com and see for yourself. My forum isn't just a phpBB. It's integrated into phpnuke, but that's standard, right? So get this, I made it more than just a phpBB; my News Mod for nuke itself is running from the phpBB forums and displaying just like regular news on the front page. Neat, huh? Yeah, you can do the same, and it is rather easier than vb I think, but again it's easy for me to do both. But if you're getting into it and just kinda curious about it? Dani is correct.

It's all in what you want.

phpbb is free. That's a big plus.

vb costs money. ($80 a year to lease...)

Yea, one's going to be a little more secure because it's updated a little faster.

The only way to have a secure forum is once you have it up and running on a webserver, remove the ethernet cable from the back of the machine and leave it alone ;)

I am a web host, and we had a lot of end user phpbb boards get hacked last month. Not only did the board get hacked but every .php and .html file in the user's webspace was defaced. If you keep the script up to date and have backups it should be ok.

I have phpbb 2.0.11 is it? I get confused.
I got the q8 hacker thingy.. I suppose it has to do with the attachment files, I don't know.
But didn't do any damage.
I guess it is part of being on the web.. some people don't have anything better to do... sad ain't it?

I like PHPBB but the help is lacking since of course it is free.
VB is ok too, but trying to get an answer to a specific question is kind of hard... everyone is so wishy washy as far as giving a direct answer..... nothing more frustrating than searching for hours.. finally posting a message and being told.
You can find a hack here GIVE ADDRESS and it is another forum you have to search all over again! ARRRG.... granted I spend a lot of time looking before I ask, but enough is enough! LOL!

2.0.11 is the current version, but by now you may already be somewhat protected at the server level, but at any rate that is the latest patched version.

Yea, 2.0.11 is the latest and greatest....

2.0.11 is the stable and best, but 3.0.0 is supposed to be better.

Actually, I like the flash-php integration for bulletin boards. Have you seen it? It's awesome!

In my opinion phpBB is the easiest of the boards to hack. Then again I am used to editing scripts using a CLI opposed to via a web-based interface.

I've heard rumors saying that phpBB is not safe and that it's easy to hack?

Me too. My friend killed mine cuz he was mad at me...

phpBB is pretty much just as safe as any other board.

The only thing I'll complain about is the slow development of 2.1.x. But then, they have recently made some changes in the development team leadership, as Paul (psotfx) has stepped down...

I heard a lot of bad things about phpbb, but I'm sure they're working on it [ they're just a bit slow on updating ]. One thing that I don't like about them is the lack of support for php 5 :eek:

I've heard rumors saying that phpBB is not safe and that it's easy to hack?

Yes, very easy to hack. I know a guy who actually made a tutorial on how to hack it, very easy. I hold the document on how to hack any phpBB forum. Ha ha! I've only hacked one, for fun, but didn't really mess around. I just wanted to prove to my friend I could do it! Even though there's nothing to prove because of its simplicity.

Yes, very easy to hack. I know a guy who actually made a tutorial on how to hack it, very easy. I hold the document on how to hack any phpBB forum. Ha ha! I've only hacked one, for fun, but didn't really mess around. I just wanted to prove to my friend I could do it! Even though there's nothing to prove because of its simplicity.

I know I'm late, but does anyone know where I can get a tutorial? I'm trying to fiddle with my board.

We have had 2 phpbb forums hacked in the past 2 years, so I would say it is easy.

Please give me the tutorial

I heard a lot of bad things about phpbb, but I'm sure they're working on it [ they're just a bit slow on updating ]. One thing that I don't like about them is the lack of support for php 5 :eek:

But then again, when was the last time you saw a web host with PHP5?
