KHC Solutions


 
ForumPortaliPytėsoriRegjistrohuidentifikimi

Share | 
 

 Security of PHPBB?

Shiko temėn e mėparshme Shiko temėn pasuese Shko poshtė 
AutoriMesazh




Registration date : 01/01/1970

MesazhTitulli: Security of PHPBB?   Sat Nov 01, 2008 9:09 pm

In December 2004, a large number of Web sites were defaced by the [[Santy]] worm, which used vulnerabilities in outdated versions of phpBB2 to overwrite PHP and HTML pages.http://www.phpbb.com/community/viewtopic.php?f=14&t=248046 phpBB team response to Santy worm Although these were the result of outdated versions of PHP and phpBB, incidents like these have caused the security of phpBB to be disputed. There have also been a few times where new releases of phpBB have come out a few days apart, although the last occurrence of this was in early 2005.http://www.phpbb.com/community/viewtopic.php?f=14&t=267563 phpBB 2.0.13 release announcement However, the phpBB Team usually responds to security reports as soon as possible, and releases a new version quickly. The phpBB Group has also learned from a series of security issues, and phpBB 2.0.18 was released following a codebase security audit.http://www.phpbb.com/community/viewtopic.php?f=14&t=336756 phpBB 2.0.18 release announcement The phpBB 3.0.x codebase has also received a security audit, which resulted in the release of phpBB 3.0 RC6.http://www.phpbb.com/community/viewtopic.php?f=14&t=584826 phpBB 3.0 RC6 release announcement

Additionally, many things have been changed in phpBB2 to avoid problems in the future, including many features backported from the phpBB3 codebase. Among those are a re-authentication system for the administration panel (introduced after a cookie verification issue allowed attackers to gain administrator accesshttp://www.phpbb.com/community/viewtopic.php?f=14&t=292017 Explanation of changes in phpBB 2.0.15), a visual confirmation system ([[CAPTCHA]]) to prevent bots from registering, as well as the substitution of the highlighting code, which was the cause for critical vulnerabilities in phpBB 2.0.10 and 2.0.15. In order to keep boards as secure as possible, administrators are urged by the teams to keep their board updated to the latest version.

In November 2005, the phpBB Group announced a new Incident Investigation Team (IIT), a sub-team of their Support Team, which is responsible for assisting users in the cleanup and repair of an attacked phpBB installation and investigating reports of new exploits.[http://www.phpbb.com/community/viewtopic.php?t=343745 Announcing the Incident Investigation Team] from the phpBB.com community forums The team announced a tracker the following January where administrators of attacked bulletin boards could report an attack and receive support from the IIT.http://www.phpbb.com/incidents/

The CAPTCHA system in phpBB2 has proven vulnerable to automated registrations, with numerous phpBB-based forums being swamped by spam registrations. Due to the feature freeze, the antispam solutions have to be installed separately. The phpBB team has published recommendationshttp://www.phpbb.com/community/viewtopic.php?f=1&t=427852 Preventing SPAM - Bots and Humans on protecting the boards from spam. At the moment, the best method is to use a question-answer challenge, implemented by Textual Confirmation or Registration Auth Code MODs.{{Fact|date=March 2008}} phpBB3 has a much stronger CAPTCHA system, however during the phpBB3 development/beta phase it was frequently criticised for being difficult to read.[http://area51.phpbb.com/phpBB/viewtopic.php?f=4&t=24350 Captchas and Human Readability] The development team, however, has been working on improving its readability prior to phpBB3's final release.

phpBB3 has enjoyed additional attention from the teams in the area of security, and was completely rewritten to have a more secure code base than phpBB2. The phpBB3 codebase received an external [[security audit]] in September 2007, which was done by [http://www.sektioneins.de/ SektionEins]. The sixth release candidate of phpBB3 was published following the results of the security audit. Additionally, the teams have announced that each minor release of phpBB3 (3.0.1, 3.0.2, etc.) will be preceded by individual release candidates in an effort to prevent instances where subsequent releases would be only days apart (as happened a couple of times during the 2.0.x line).[http://www.phpbb.com/community/viewtopic.php?f=14&t=853775 phpBB • View topic - Release Candidates for minor 3.0.x versions]
Mbrapsht nė krye Shko poshtė
Shiko profilin e anėtarit
 
Security of PHPBB?
Shiko temėn e mėparshme Shiko temėn pasuese Mbrapsht nė krye 
Faqja 1 e 1

Drejtat e ktij Forumit:Ju nuk mund ti pėrgjigjeni temave tė kėtij forumi
KHC Solutions :: Tutoriale Anglisht-
Kėrce tek: