phpBB security update

**allendick** · 02-21-2005 10:15 PM

I got both the patch and the changed files with no problem earlier today.

allen

**allendick** · 02-21-2005 10:37 PM

Actually for 2.0.11 to 2.0.12, it appears that there are only 14 files -- 66,900 bytes -- in various directories to over-write. I'm upgrading now, as soon as I finish a backup.

The instructions say "As for the other upgrade procedures you should run install/update_to_latest.php after you have finished updating the files. This will update your database schema and data (if appropriate) and increment the version number."

I see no install directory in the kit, and, of course I blew away the old one after the last upgrade. I wonder if they left it out and the upgrade is incomplete?

I should know shortly.

allen

**allendick** · 02-21-2005 10:41 PM

Well, my board still runs, but does not display the version at the bottom.

Now for the next one...

allen

**cmyksteve** · 02-22-2005 12:04 AM

Originally Posted by allendick

Well, my board still runs, but does not display the version at the bottom.

Reading on the phpBB forum, that's one of the changes. Seems the Santy worm keyed on that to find vulnerable boards.

At midnight, the SourceForge downloads interface is still broken. There's some kind of redirect that's screwing up the downloads. So as of Monday midnight anyway- clicking these links won't work. But pasting them into your browser will deliver the files.

Originally Posted by aam in phpbb.com's forum

**allendick** · 02-22-2005 12:16 AM

Yup, that worked, so I downloaded again, since the admin panel complained in red type that I was running an old version, even after the upgrade.

Same files, though, as far as I can tell. Still no 'install' directory or file to run to complete the upgrade.

allen

**cmyksteve** · 02-22-2005 01:24 AM

Originally Posted by allendick

Same files, though, as far as I can tell. Still no 'install' directory or file to run to complete the upgrade.

allen

Allen-

I did get to run install/update_to_latest.php with the Changed Files package I downloaded. There were four folders already "unstuffed" (see the screen shot) before I opened the 2.0.11_to_2.0.12.tar archive.

So in addition to "the contents" of the folders in the 2.0.11_to_2.0.12.tar archive, I also uploaded the one file from inside the cache folder and the whole folders install and contrib. Then ran install/update_to_latest.php I was then locked out of my board until I deleted those directories again.

My Fantastico doesn't show any phpBB2 installed in that account. I'm assuming that's because I didn't use Fantastico to create that board.

Steve

**allendick** · 02-22-2005 02:10 AM

Okay, thanks. That solved my problem. I was not unzipping the outer archive before unzipping the inner archive, and this did not see the other folders.

Seems all is well, now.

allen

**cmyksteve** · 02-22-2005 02:15 AM

The next board I updated from 2.0.11 to 2.0.12 went well also. Here's a screen shot after I ran
Code:

http://mydomain.com/install/update_to_latest.php

In this account, Fantastico shows the version number when I first installed the board. The board's been updated several times since (without using Fantastico) and those version changes didn't register with Fantastico.

**allendick** · 02-22-2005 02:25 AM

Yup. Just finished all mine.

FWIW, I notice that mine says 'mysql14', not just 'mysql', as in yours. Otherwise, it is the same.

allen

**cmyksteve** · 02-22-2005 02:28 AM

I just checked at phpbb.com and can now get the updates through their regular SourceForge channels.
Downloads page for 2.0.12 updates is working again.

**cmyksteve** · 02-27-2005 09:48 PM

phpBB has another update- labeled Critical. Here's the info behind the update phpBB Announcement

Here's their link for the files you'll need to keep your forum safe from attack. phpBB 2.0.13

**allendick** · 02-27-2005 10:39 PM

Thanks for that. I've done one. Three more to go.

Hey! I'm getting pretty good at this!

allen

**stratplan** · 02-28-2005 05:50 AM

Originally Posted by allendick

Hey! I'm getting pretty good at this!
allen

Wish I was! I wiped out an installation of Mambo with an update. And yup, hadn't backed up. Duuuh.

**allendick** · 02-28-2005 08:24 AM

Anybody use the Invision board, available from cPanel? I have one of them and, so far have not heard of any problems. (Not that I have been looking hard).

allen

**TechWeasel** · 02-28-2005 10:58 AM

I've never set up an invision board so I don't know what it's like from an admin end... Nice user interface, but I believe it requires a $70 per year user license, does it not?

**allendick** · 02-28-2005 11:13 AM

Really?

It is in the Scripts Library in cPanel, and I don't see any mention of that. I have two installations and neither has given any trouble. (Actually, sinc I am looking, I notice that there is an update in the cPanel. OK. I just ran it. No problem.)

Frankly, I haven't done any admin on it for a year, so don't recall.

I'll have to take a look.

allen

**allendick** · 03-02-2005 10:43 AM

"I've never set up an invision board so I don't know what it's like from an admin end... "

I've had two set up for a while, but they are not my main boards. In fact, they are almost totally unused. I set one up with the idea of using it in an interractive blog fashion, but never did.

I just took a good look a few minutes ago, and IMO, Invision blows phpBB away on many, many fronts. Also, I have never had any problem with bad posts or emergency update announcements, as I have with phpBB.

I guess what got me started looking is that I wanted to move topics and discussions around on one of my phpBBs and could not find a way. I went to the admin on one of my Invisions and was REALLY impressed at all the options.

For anyone curious, I suggest installing a board to play with. It is easy to blow it away after if it is not what you want.

Anyone have a clue on how to convert my phpBBs into Invison?

allen

**TechWeasel** · 03-02-2005 11:00 AM

Thanks for the heads up, I'll have to check it out.

I'm not convinced that phpbb is any less secure than any other forum software - it's just been hammered this year because it's by far the most adopted system out there (Especially for amateur forum admins who perhaps don't lock down their systems as tight as they should)... thus it's the fattest target for script kiddies. Then again, staying away from "the fattest targets" is not a bad security strategy in and of itself! :-)

As for converting a quick google turned up a wide selection of database converters over at Invision:

http://www.invisionboard.com/?convertors

Their most recent phpbb convertor is from v2.0.6 - however as they mention in this thread the mysql database is the same throughout all the v2 series of phpbb so it should work just fine up to the current v2.0.13... I'd still backup first.

Let us know how it works for you!

(NB: You can move posts in phpbb by clicking the "Mod Thread" button at the bottom of the page (usually looks like a page being ripped in half) which will then let you move and/or split threads...etc.)

**allendick** · 03-02-2005 11:24 AM

As for converting a quick google turned up a wide selection of database converters over at Invision

Thanks

Let us know how it works for you!

Now I just need a 'roundtuit'.

(NB: You can move posts in phpbb by clicking the "Mod Thread" button at the bottom of the page (usually looks like a page being ripped in half) which will then let you move and/or split threads...etc.)

Thanks! I thought that I had seen something like that a long time back, but could not find it.

phpBB could use a more intuitive interface. IMO, anyhow.

Maybe that will solve the problems enough that I won't convert. We'll see. It appears that there are a lot of useful bells and whistles on Invision

allen

**cmyksteve** · 05-07-2005 02:35 PM

Version 2.0.15 of phpBB was just released for bug fixes, but they also mention one serious security fix. Here's a link to their announcement on the phpBB forum.

And a link to the udated files in their download area.

**cmyksteve** · 06-27-2005 02:57 PM

The phpBB Group announces the release of phpBB 2.0.16. This release addresses some bugfixes and one critical security issue.

Here's a link to their 2.0.16 updater files

Steve

**allendick** · 12-05-2006 06:32 AM

I got tired of SPAMmers finding my one of my phpBBs by using Google and then signing up and posting junk--or just listing a dangerous URL in the members list (that can even happen if they are not approved to post), so I tried renaming the directory where it is located, then adding that directory to my robots.txt.

I used FrontPage to rename the directory, so I don't know if it worked any special magic while renaming, but I suspect it did not, so any otta work. I also changed the scripts directory pointer in the phpBB configuration panel to the new name. That's all I did as far as the forum is concerned. Of course, I also changed the links on my site to the new location as well.

Seems to work--so far--and the forum runs fine. No SPAM!

I realise that not everyone wants their forum hidden from Google, but, for those who don't care if it is indexed, here is a solution.

YMMV.

allen