anyone know about phpbb?



Crake
02-08-2005, 07:58 PM
Everyone, phpbb.com has been hacked by a group of hackers. phpbb are trying to find out who; if anyone has news then contact them! :thumbsup:

firepages
02-09-2005, 06:03 AM
http://news.netcraft.com/archives/2005/02/08/phpbb_site_cracked_developers_locked_out.html


I read this this morning but jeez I only just stopped laughing and got back on my chair ;)

why is it funny? (at least to me) , well the phpBB team put out a lot of misleading information about the true cause of their recent vulnerability which potentially compromised thousands of domains , they blamed someone else , e.g. PHP.

irony bites , and it's gonna sting for a while.

Mhtml
02-09-2005, 06:16 AM
So are you saying it wasn't an awstats vulnerability?

cfc
02-09-2005, 06:36 AM
I think he might have been referring to this: (I got the reference from that article)

http://news.netcraft.com/archives/2004/12/18/php_exploit_enables_theft_of_phpbb_passwords.html

While the problem on that occasion was technically a PHP exploit (assuming the article isn't based entirely on misinformation spread by phpBB), it was IMO really phpBB's responsibility to code for security in the first place.

Mhtml
02-09-2005, 06:41 AM
Ahh I see. That is funny how they just blame php.

brothercake
02-10-2005, 02:28 AM
Doesn't really inspire one to want to use phpBB really ... that's the second major vulnerability in as many months ...

I think I'm gonna write my own - if I do it without databases or GET information, I'll avoid most of the major weak points, right?

Mhtml
02-10-2005, 04:36 AM
Well then how will you store the information? Flat files à la UBB? Knowing you it'd be some sort of XML file cluster or something.
I was just thinking that perhaps I'd write one soon. I've done it before, I remember I wrote a pretty good one back when I used ASP. It had a good following from these forums but I never released it; it worked on flat files and database. I think someone needs to topple vB off their throne.

[edit:] But I really see no point in avoiding database and GET. At least using GET you can secure that from SQL injection and stuff.

firepages
02-10-2005, 05:17 AM
if I do it without databases or GET information, I'll avoid most of the major weak points, right?

No , you can write insecure code with or without a database , it's not the database or protocol that's insecure, or in general PHP (or any other serverside language), though vulnerabilities will appear from time to time.

It's down to simple secure coding practices , we all write daft code from time to time , collaborative efforts usually produce more secure code since your peers are working with it and hopefully spot major issues.

As seen with phpBB that's not always bulletproof.

firepages
02-10-2005, 05:21 AM
+ I know I have pointed you this way before ... but perhaps look again at FUDforum (http://fud.prohost.org) , it's written by one of the major PHP developers , & whilst unusual & uses a mixture of DB & flatfiles I really like it.

brothercake
02-11-2005, 01:36 PM
XML was my plan yeah ... 1 file per thread, plus a bunch of index and admin files. I've already written the scripting for a single comments board, so if I build it up and release it over time, it will be continually phase tested, so most problems will turn up that way.

I know security is never guaranteed with anything, but not being a popular board gives a statistical advantage - less likely to be attacked if fewer people are using the software - at first, anyway ;)

Customising phpBB to be compliant and semantic XHTML took soooo much time, I'm just not prepared to go through all that again, unless it's a really interesting project, which making a new one would be. And I could make sure from the start that the output is robust and proper.

Sorry this is a bit OT .. maybe it needs splitting into a different thread if there's more to say ..?

ronaldb66
02-11-2005, 01:47 PM
... if there's more to say...
Er... yeah!
For instance, how does processing flat files hold up against using a database, performance-wise?
I'm accustomed, due to my mainframe background, to flat file processing beating any other form of storage speed-wise with its hands tied behind its back, but I have no experience with PHP flat file processing on a server environment.

brothercake
02-11-2005, 04:11 PM
It's probably slower, but not hugely - I should think it mostly depends on the size of the files. If each thread is a single XML file, then most threads are not gonna be more than 30 or 40K - except for really long ones. I generally go by 100K being the limit for XML or textfile parsing in PHP, beyond which it gets too slow.

But I'm only speaking from subjective observation here - I couldn't say with any authority .. I wouldn't mind knowing myself :)

Mhtml
02-12-2005, 05:24 AM
Well the only sure fire way is to test it and find out.

firepages
02-12-2005, 07:06 AM
you are spot on about the filesize issue , parsing larger files (100 KB+) in PHP is not really that efficient (as opposed to Perl or standard unix tools etc).

The major issue with flatfile `anythings` is searching them or querying them , that's where the database comes into its own , e.g. you want to display the last $num posts by $user in this $forum , or change the display order quickly , that's where a relational DB comes in handy (yes you can keep XML files with that data and query them but it is too slow (even loading the file for searching is probably slower than the DB query)).

So the ideal system would store posts (either individually or per thread) as flatfiles (XHTML is good since then you save the parsing on redisplay) but administer them in a DB for faster reference.

FUD sort of does this , BUT it stores the messages in 1 big flatfile , which is not as inefficient as it sounds since for reading it uses fseek etc to read only the data it requires.
This solves the issue with fopen() or include() of say 20 XML files for display .. since fopen is the slow bit of the process the FUD system works with 1 file pointer only.
Of course 1 big file could be a nightmare to administer for topic edits and pruning etc.

I (as you have probably worked out ;) ) really like the general FUD architecture.
However it does have many issues and is an absolute pain in the butt to try and hack , the permissions system is great but far too complex & the whole permissions/authentication is mind bogglingly complex both in design and implementation.

Brothercake , if you ever feel like a collaborative project .. best of both worlds etc drop me a line.
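The one-big-flatfile-plus-index layout firepages describes above, as an added illustration that is not FUDforum's code nor anything posted in this thread (written in Python rather than the PHP the thread is about, since the idea is the same): messages are appended to a single data file, an index of (offset, length) entries plays the role of the DB table, and a batch of messages is read with one open() and one seek per message. Request data is only ever matched against the index, never turned into a path or an offset directly, and a short read is reported instead of being served as a truncated post.

```python
import os
import tempfile


class MessageStore:
    """Append-only data file plus an {id: (offset, length)} index.

    The dict stands in for the DB table the thread talks about; messages are
    never found by walking the file, only through index entries.
    """

    def __init__(self, path):
        self.path = path
        self.index = {}
        open(path, "ab").close()  # create the data file if it is missing

    def append(self, msg_id, body):
        """Write one message at the end of the file and record where it landed."""
        data = body.encode("utf-8")
        with open(self.path, "r+b") as f:
            f.seek(0, os.SEEK_END)
            offset = f.tell()
            f.write(data)
        self.index[msg_id] = (offset, len(data))

    def read_many(self, msg_ids):
        """Fetch several messages with a single open() and one seek per message.

        Only ids present in the index are honoured, so a request never becomes
        a file offset by itself; a short read (corrupt or pruned data file) is
        raised rather than returned as a truncated message.
        """
        bodies = []
        with open(self.path, "rb") as f:
            for msg_id in msg_ids:
                if msg_id not in self.index:
                    raise KeyError("unknown message id: %r" % (msg_id,))
                offset, length = self.index[msg_id]
                f.seek(offset)
                chunk = f.read(length)
                if len(chunk) != length:
                    raise IOError("data file shorter than the index claims")
                bodies.append(chunk.decode("utf-8"))
        return bodies


def demo():
    """Constructed sample: three posts appended, then two read back out of order."""
    path = os.path.join(tempfile.mkdtemp(), "messages.dat")
    store = MessageStore(path)
    for msg_id, body in [(1, "first post"), (2, "<p>second</p>"), (3, "third, with ünïcode")]:
        store.append(msg_id, body)
    return store, store.read_many([3, 1])
```

In a real board the index would live in the DB and be rebuilt from the data file after pruning, which is exactly the administrative headache the post above points out.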

brothercake
02-12-2005, 07:55 AM
Brothercake , if you ever feel like a collaborative project .. best of both worlds etc drop me a line.
Oh yes indeedy :) I've mentally committed myself to doing this now ... it's time to rock and/or roll :D

Lemme research and play with some ideas for a bit, and I'll be in touch :thumbsup:

Mhtml
02-12-2005, 08:05 AM
lol. In the garden of eden, by i-ron butterfly. I definitely would like to see what progress you make on this. You should set it up on your server so I can see it evolve, or perhaps fall on its face.

brothercake
02-12-2005, 12:34 PM
or perhaps fall on its face.
oh ye of little faith ... this is me you're talking to http://www.listulike.com/images/icon_favicon.gif

Crake
02-12-2005, 07:26 PM
it looks as if phpbb are back up.

Mhtml
02-13-2005, 02:50 AM
oh ye of little faith ... this is me you're talking to http://www.listulike.com/images/icon_favicon.gif
Hehe, yeah well there are two sides to every coin (well not strictly true, that saying is flawed! But you get the idea!). We will see.

You'll just have to prove that I am wrong to make such a proposal in this case...I dare you. ;) (Yeah I dunno what I'm talking about either, big night)
