
Avoid Phpbb! New Security Exploit!


20 replies to this topic

#1 nightfox

nightfox

    NiGHTFoX - Hiding in the dark

  • Members
  • 680 posts

Posted 22 September 2006 - 03:15 AM

I sure have learned my lesson of using phpBB on a site of mine that gets many hits. Apparently, the attacker used a SQL injection (my password is 7 characters and is VERY hard to crack) to gain admin access and deleted everything then left his mark.

I don't even know WHY phpBB is allowed to exist and WHY it's so popular... I'm NEVER going to use it again!

Keep away from it!

[N]F

#2 pyost

pyost

    Way Out Of Control - You need a life :)

  • Members
  • 1,090 posts
  • Gender:Male
  • Location:Vancouver, British Columbia
  • myCENTs:67.69

Posted 22 September 2006 - 12:04 PM

:) Nothing new on the horizon, unfortunately. It is well-known that phpBB is the BBS with most security issues. And with hundreds of cracking tutorials on-line, even a kid could get into phpBB. On the other hand, it would be hard, even for a pro, to crack SMF. In my opinion, it is the best free BBS when it comes to security. It might not be as good-looking and customizable (the number of mods) as phpBB, but it sure is more secure.

#3 Mafamba Team

Mafamba Team

    Advanced Member

  • Members
  • 127 posts

Posted 23 September 2006 - 11:09 AM

I don't fully understand.

Anyway if you're talking about a phpBB forum, there's no point you should use proboards.

#4 FunDa

FunDa

    Newbie [ Level 1 ]

  • Members
  • 6 posts

Posted 23 September 2006 - 02:03 PM

Isn't there any way to prevent these SQL injection attacks ?

BTW, what is an SQL injection attack ?

I'm using phpBB for my site and I loved the customizability. SMF seemed a little harder to use ( for me at least )

Isn't there any way we can make phpBB safer ???

#5 Niru

Niru

    Advanced Member

  • Members
  • 193 posts
  • Gender:Male
  • Location:FunLokam.Com
  • Interests:Painting, Drawing, Web Designing, Animation
  • myCENTs:27.54

Posted 23 September 2006 - 04:07 PM

Hope, the phpBB team will come up with a solution to avoid these SQL injection attacks!
I'm also using phpbb for my forum!
like it very much as it is the simplest forum and easier to maintain than any other bulletin boards!
I like the simple interface also! :)

BTW, what is an SQL injection attack ?


SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.


You can see more about that here, here and also here

How to avoid SQL Injection >> Read it here & here

Edited by pyost, 23 September 2006 - 09:25 PM.
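An added example, not part of the original thread and not phpBB code: the two cases in the definition quoted above (unescaped string literals and input that is not strongly typed), each next to its hardened form. It uses Python's built-in sqlite3 module as a stand-in database; the table, function names and inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny forum user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                   [("alice", 1), ("bob", 0)])
    return db

def by_name_concatenated(db, name):
    # Vulnerable: the input becomes part of the SQL text, so a quote inside
    # `name` closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def by_name_parameterized(db, name):
    # Hardened: the statement text is fixed; the driver binds `name` as a value.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (name,))]

def by_id_untyped(db, user_id):
    # Vulnerable: a "numeric" parameter that is never checked to be a number.
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def by_id_typed(db, user_id):
    # Hardened: enforce the type (int() raises ValueError on anything else),
    # then still bind the value as a parameter.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(user_id),))]

# Constructed inputs, one for each case in the definition.
QUOTE_INPUT = "nobody' OR '1'='1"
UNTYPED_INPUT = "2 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", by_name_concatenated(db, QUOTE_INPUT))
    print("parameterized:", by_name_parameterized(db, QUOTE_INPUT))
    print("untyped id   :", by_id_untyped(db, UNTYPED_INPUT))
    try:
        by_id_typed(db, UNTYPED_INPUT)
    except ValueError as exc:
        print("typed id     : rejected,", exc)
```

In the concatenated versions the WHERE clause is rewritten by the input and every row comes back; in the hardened versions the same input either matches nothing or is rejected before it reaches the database.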


#6 Opethian

Opethian

    Member [ Level 1 ]

  • Members
  • 48 posts
  • Location:Salisbury

Posted 23 September 2006 - 04:26 PM

This is very alarming.

I've been deciding which setup to go to and this must be the third instance I've heard about phpBB getting SQL injected (if that's a term being used now).

So I guess I'm left with SMF then. Is there any other free forum out there that's noteworthy that anyone here can recommend?

#7 Guest_jlhaslip_*

Guest_jlhaslip_*
  • Guests

Posted 24 September 2006 - 06:10 AM

Try phorum.org.

It is used as a forum by Larry Ullman, an author of php and mysql books, so I suspect that it is rather secure. Also, this was posted on the phorum site Main page, which leads me to think it just might be secure:

* There is no shortage of message boards that use MySQL. When the webmasters at mysql.com went looking for one to install, they chose Phorum.



#8 Mark420

Mark420

    The Modernator

  • Members
  • 486 posts
  • Gender:Male
  • Location:The Interweb!

Posted 24 September 2006 - 08:11 AM

Bad luck Nightfox...I feel for you..must have been terrible to login and find your board contents gone ;((

Did you have a backup in anyway?

#9 Quatrux

Quatrux

    the Q

  • [HOSTED]
  • 1,669 posts
  • Gender:Male
  • Location:Lithuania, Vilnius
  • Interests:PHP, MySQL, Oracle, PL/SQL, HTML, CSS, Javascript, jQuery, C# Computers, Alternative OS, Amiga, MorphOS, Beer, Friends, Linux, KDE..
  • myCENTs:30.76

Posted 24 September 2006 - 10:11 AM

Because phpbb has been so popular for a long time now, a lot of people know the source code and know how it works, so if you know how it works, you can always mess it up, can't you? Eventually, I read that SMF is much more secure to exploits and sql injections, because it is coded differently than phpbb, but people who are used to using phpbb have difficulties moving to other forums such as SMF or don't have enough income to buy IPB or vBulletin. They defend phpbb and say that those sites which get successful attacks didn't configure it the way it needs to be configured + the server configuration is bad, etc. It would be best to create your own forum system, but it just takes time and why waste the time if somebody else wrote it? :)

There are more forum software written but not so popular, so they might be more secure, but with less features and modifications + skins. I myself wanted to use phpbb, but as it is so vulnerable to exploits, I never did it, but I think I will use Phorum, which is available for a long time, but new versions are available now and I hope it will suit my needs.. I just need a very customizable forum software written in php which would work with mysql database.

#10 HM-BRazil Owner

HM-BRazil Owner

    Newbie [ Level 1 ]

  • Members
  • 7 posts

Posted 28 January 2007 - 05:03 AM

oh ****! I ever used phpBB ... * gulp* well ... then i'll use phpbb 3 ; it's much more secure! ;)

BTW i don't like smf , don't have money for IPB or VB... :/

#11 richie

richie

    Member - Active Contributor

  • Members
  • 98 posts

Posted 28 January 2007 - 07:13 AM

Phpbb is a very good forum with its lot of mods which I love to use, but these SQL injections are increasing. I have heard of many webmasters facing the same problem. The phpbb team has to do something about it; it's really stupid that the most famous forum software is the one with the most security holes.
But again, it's like IE: the more famous, the more hackers try to find security holes in it.

#12 mnur183

mnur183

    Newbie [ Level 1 ]

  • Members
  • 5 posts

Posted 24 April 2007 - 07:29 AM

owwhh....i was wondering to used phpbb...is it really that this script so easy to stole...... can anyone give me a script that really safe for my new coming forum...:ph34r:)

#13 WeaponX

WeaponX

    Way Out Of Control - You need a life :)

  • Members
  • 1,086 posts
  • Location:New York
  • myCENTs:86.41

Posted 24 April 2007 - 12:46 PM

owwhh....i was wondering to used phpbb...is it really that this script so easy to stole...... can anyone give me a script that really safe for my new coming forum...:ph34r:)

It's not about the script being stolen or anything like that, it's about being exploited due to the security holes it has. The developers at phpBB need to patch up these exploits as quickly as they can. The last time I read up about this, they weren't quick on their part...so I guess many had problems already.

If you want a "good" forum, try out Simple Machines Forum at:

http://www.simplemachines.org

They usually patch up the security holes very quickly...sometimes even before it's known to the public (lots of forum testers :)).

#14 HellFire121

HellFire121

    Premium Member

  • [HOSTED]
  • 438 posts

Posted 25 April 2007 - 11:47 AM

I've always stood away from phpBB, even its lightweight feature list is enough for me.
All the sites you see that have been hacked have most likely used phpBB, there are quite a few alternatives and i'd say any of them would be better than phpBB.

You can go here: http://www.opensourcecms.com and check out the forum demos on the site.

-HellFire

#15 ethergeek

ethergeek

    Premium Member

  • [HOSTED]
  • 393 posts
  • Gender:Male
  • Location:Tucson, AZ

Posted 27 April 2007 - 09:44 PM

I just recently switched my forums from phpbb3 to the latest SMF. I didn't have many posts on it anyway, so I figured I'd try it out. Everyone I've asked ranks SMF 3rd behind vB and IPB, so I figured it was worth a shot.

Anyway, I'm having fun with SMF so far; everything is easier with it, and there are a lot of features that work out of the box with SMF that I have to spend a few hours modding phpbb to get. I may try phpbb3 again when there are some decent mods out for it, but until then, I'm sticking with SMF.

#16 lifetalk

lifetalk

    Newbie [ Level 2 ]

  • Members
  • 20 posts

Posted 09 June 2007 - 02:05 PM

I've been thru a similar situation. Basically, i guess the hacker managed to get into my hosting account. Messed with my SQL database, and then, each time i loaded the forum, it redirected to his page where he left his mark. Sad.

I've learnt my lesson too. And now, i use vBulletin, far more secure. Way secure! B)

#17 diyar

diyar

    Newbie [ Level 2 ]

  • Members
  • 10 posts

Posted 12 June 2007 - 11:48 PM

It Happened to me as well <_< My phpbb forum site was hacked too!! I believe the security problem is sorted out in phpbb 3!!!

I would recommend people to avoid using phpbb 2 as well!!!

Regards

#18 tyƒoon™

tyƒoon™

    Member [ Level 1 ]

  • Members
  • 31 posts

Posted 13 June 2007 - 12:01 AM

So can you still do that same hack on phpBB3 or not?

I'm kinda double sided as to what software I should use for my new forums. I have both experiences with phpBB and SMF. I was considering phpBB3 now so my new forums. Does anyone want to back phpBB3 or still recommend me to go for SMF?

#19 diyar

diyar

    Newbie [ Level 2 ]

  • Members
  • 10 posts

Posted 13 June 2007 - 12:07 AM

I would recommend you to stay with SMF because hardly anyone is using PhpBB 3 and we don't know if it has any security issues but I'm sure it's going to be much safer than PhpBB2!!

I'll say stick with SMF <_<

#20 WeaponX

WeaponX

    Way Out Of Control - You need a life :)

  • Members
  • 1,086 posts
  • Location:New York
  • myCENTs:86.41

Posted 13 June 2007 - 01:24 AM

The problem with phpBB is that they sort of have a bad reputation for keeping up to date with their security issues....at least from what I read from other phpBB users. SMF is usually really quick on the trigger and the patches are deployed and installed usually with just two clicks or so.


