View Full Version : asnyone know abnout phpbb?

02-08-2005, 07:58 PM
everyone phpbb.com has been hacked bye a group of hackers. phpbb are trying to find out who bye anyone news then contact them! :thumbsup:

02-09-2005, 06:03 AM

I read this this morning but jeez I only just stopped laughing and got back on my chair ;)

why is it funny ? (at least to me) , well phpBB team put out a lot of misleading information about the true cause of thier recent vunerability which potentially compromised thousands of domains , they blamed someone else , e.g. PHP.

irony bites , and its gonna sting for a while.

02-09-2005, 06:16 AM
So are you saying it wasn't an awstats vulnerability?

02-09-2005, 06:36 AM
I think he might have been referring to this: (I got the reference from that article)


While the problem on that occasion was technically a PHP exploit (assuming the article isn't based entirely on misinformation spread by phpBB), it was IMO really phpBB's responsibility to code for security in the first place.

02-09-2005, 06:41 AM
Ahh I see. That is funny how they just blame php.

02-10-2005, 02:28 AM
Doesn't really inspire one to want to use phpBB really ... that's the second major vulnerability in as many months ...

I think I'm gonna write my own - if I do it without databases or GET information, I'll avoid most of the major weak points, right?

02-10-2005, 04:36 AM
Well then how will you store the information? Flat files ala Ubb? Knowing you it'd be some sort of xml file cluster or something.
I was just thinking that perhaps I'd write one soon. I've done it before, I remember I wrote a pretty good one back when I used ASP. It had a good following from these forums but I never released it, it worked on flat files and database. I think someone needs to topple vb off their throne.

[edit:] But I really see no point to avoiding database and Get. At least using Get you can secure that from sql injection and stuff.

02-10-2005, 05:17 AM
if I do it without databases or GET information, I'll avoid most of the major weak points, right?

No , you can write insecure code with or without a database , its not the database or protocol thats insecure, or in general PHP (or any other serverside language), though vunerabilites will appear from time to time.

Its down to simple secure coding practices , we all write daft code from time to time , collaberative efforts usually produce more secure code since your peers are working with it and hopefully spot major issues.

As seen with phpBB thats not always bulletproof.

02-10-2005, 05:21 AM
+ I know I have pointed you this way before ... but perhaps look again at FUDforum (http://fud.prohost.org) , its written by one of the major PHP developers , & whilst unusual & uses a mixture of DB & flatfiles I really like it.

02-11-2005, 01:36 PM
XML was my plan yeah ... 1 file per thread, plus a bunch of index and admin files. I've already written the scripting for a single comments board, so if I build it up and release it over time, it will be continually phase tested, so most problems will turn up that way.

I know security is never guaranteed with anything, but not being a popular board gives a statistical advantage - less likely to be attacked if fewer people are using the software - at first, anyway ;)

Customising phpBB to be compliant and semantic XHTML took soooo much time, I'm just not prepared to go through all that again, unless it's a really interesting project, which making a new one would be. And I could make sure from the start that the output is robust and proper.

Sorry this is a bit OT .. maybe it needs splitting into a different thread if there's more to say ..?

02-11-2005, 01:47 PM
... if there's more to say...
Er... yeah!
For instance, how is processing flat files hold up against using a database, performance-wise?
I'm accustomed, due to my mainframe background, to flat file processing beating any other form of storage speed-wise with its hands tied behind its back, but I have no experience with PHP flat file processing on a server environment.

02-11-2005, 04:11 PM
It's probably slower, but not hugely - I should think it mostly depends on the size of the files. If each thread is a single XML file, then most threads are not gonna be more than 30 or 40K - except for really long ones. I generally go by 100K being the limit for XML or textfile parsing in PHP, beyond which it gets too slow.

But I'm only speaking from subjective observation here - I couldn't say with any authority .. I wouldn't mind knowing myself :)

02-12-2005, 05:24 AM
Well the only sure fire way is to test it and find out.

02-12-2005, 07:06 AM
you are spot on about the filesize issue , parsing larger files (100 KB+) in php is not really that efficient (as opposed to PERL or standard unix tools etc).

The major issue with flatfile `anythings` is searching them or querying them , thats where the database comes into its own , e.g you want to display the last $num posts by $user in this $forum , or change the display order quickly , thats where a relational DB comes in handy (yes you can keep XML files with that data and query them but it is too slow (even loading the file for searching is probably slower than the DB query)).

So the ideal system would store posts (either individually or per thread) as flatfiles (XHTML is good since then you save the parsing on redisplay) but administer them in a DB for faster reference.

FUD sort of does this , BUT it stores the messages in 1 big flatfile , which is not as inefficient as it sounds since for reading the it uses fseek etc to read only the data it requires.
This solves the issue with fopen()or including() say 20 XML files for display .. since fopen is the slow bit of the process the FUD system works with 1 file pointer only.
Of course 1 big file could be a nightmare to administer for topic edits and pruning etc.

I (as you have probably worked out;) ) realy like the general FUD architecture.
However it does have many issues and is an absolute pain in the butt to try and hack , the permissions system is great but far too complex & the whole permissions/authentication is mind bogglingly complex both in design and implementation.

Brothercake , if you ever feel like a collaberative project .. best of both worlds etc drop me a line.

02-12-2005, 07:55 AM
Brothercake , if you ever feel like a collaberative project .. best of both worlds etc drop me a line.
Oh yes indeedy :) I've mentally commited myself to doing this now ... it's time to rock and/or roll :D

Lemme research and play with some ideas for a bit, and I'll be in touch :thumbsup:

02-12-2005, 08:05 AM
lol. In the garden of eden, by i-ron butterfly. I definitely would like to see what progress you make on this. You should set it up on your server so I can see it evolve, or perhaps fall on it's face.

02-12-2005, 12:34 PM
or perhaps fall on it's face.
oh ye of little faith ... this is me you're talking to http://www.listulike.com/images/icon_favicon.gif

02-12-2005, 07:26 PM
it looks as if phppbb are back up.

02-13-2005, 02:50 AM
oh ye of little faith ... this is me you're talking to http://www.listulike.com/images/icon_favicon.gif
Hehe, yeah well there are two sides to every coin (well not strictly true, that saying is flawed! But you get the idea!). We will see.

You'll just have to prove that I am wrong to make such a proposal in this case...I dare you. ;) (Yeah I dunno what I'm talking about either, big night)