phpBB security update - Page 2

allendick · 02-21-2005, 10:15 PM

I got both the patch and the changed files with no problem earlier today.

allen

allendick · 02-21-2005, 10:37 PM

Actually for 2.0.11 to 2.0.12, it appears that there are only 14 files -- 66,900 bytes -- in various directories to over-write. I'm upgrading now, as soon as I finish a backup.

The instructions say "As for the other upgrade procedures you should run install/update_to_latest.php after you have finished updating the files. This will update your database schema and data (if appropriate) and increment the version number."

I see no install directory in the kit, and, of course I blew away the old one after the last upgrade. I wonder if they left it out and the upgrade is incomplete?

I should know shortly.

allen

allendick · 02-21-2005, 10:41 PM

Well, my board still runs, but does not display the version at the bottom.

Now for the next one...

allen

cmyksteve · 01:31 AM

Quote:

Originally Posted by allendick

Well, my board still runs, but does not display the version at the bottom.

Reading on the phpBB forum, that's one of the changes. Seems the Santy worm keyed on that to find vulnerable boards.

At midnight, the SourceForge downloads interface is still broken. There's some kind of redirect that's screwing up the downloads. So as of Monday midnight anyway- clicking these links won't work. But pasting them into your browser will deliver the files.

Quote:

Originally Posted by aam in phpbb.com's forum

allendick · 02-22-2005, 12:16 AM

Yup, that worked, so I downloaded again, since the admin panel complained in red type that I was running an old version, even after the upgrade.

Same files, though, as far as I can tell. Still no 'install' directory or file to run to complete the upgrade.

allen

cmyksteve · 02-22-2005, 01:24 AM

Quote:

Originally Posted by allendick

Same files, though, as far as I can tell. Still no 'install' directory or file to run to complete the upgrade.

allen

Allen-

I did get to run install/update_to_latest.php with the Changed Files package I downloaded. There were four folders already "unstuffed" (see the screen shot) before I opened the 2.0.11_to_2.0.12.tar archive.

So in addition to "the contents" of the folders in the 2.0.11_to_2.0.12.tar archive, I also uploaded the one file from inside the cache folder and the whole folders install and contrib. Then ran install/update_to_latest.php I was then locked out of my board until I deleted those directories again.

My Fantastico doesn't show any phpBB2 installed in that account. I'm assuming that's because I didn't use Fantastico to create that board.

Steve

allendick · 02-22-2005, 02:10 AM

Okay, thanks. That solved my problem. I was not unzipping the outer archive before unzipping the inner archive, and this did not see the other folders.

Seems all is well, now.

allen

cmyksteve · 02-22-2005, 02:15 AM

The next board I updated from 2.0.11 to 2.0.12 went well also. Here's a screen shot after I ran
Code:

http://mydomain.com/install/update_to_latest.php

In this account, Fantastico shows the version number when I first installed the board. The board's been updated several times since (without using Fantastico) and those version changes didn't register with Fantastico.

allendick · 02-22-2005, 02:25 AM

Yup. Just finished all mine.

FWIW, I notice that mine says 'mysql14', not just 'mysql', as in yours. Otherwise, it is the same.

allen

cmyksteve · 02-22-2005, 02:28 AM

I just checked at phpbb.com and can now get the updates through their regular SourceForge channels.
Downloads page for 2.0.12 updates is working again.

cmyksteve · 10:58 PM

phpBB has another update- labeled Critical. Here's the info behind the update phpBB Announcement

Here's their link for the files you'll need to keep your forum safe from attack. phpBB 2.0.13

allendick · 02-27-2005, 10:39 PM

Thanks for that. I've done one. Three more to go.

Hey! I'm getting pretty good at this!

allen

stratplan · 02-28-2005, 05:50 AM

Quote:

Originally Posted by allendick

Hey! I'm getting pretty good at this!
allen

Wish I was! I wiped out an installation of Mambo with an update. And yup, hadn't backed up. Duuuh.

allendick · 02-28-2005, 08:24 AM

Anybody use the Invision board, available from cPanel? I have one of them and, so far have not heard of any problems. (Not that I have been looking hard).

allen

TechWeasel · 02-28-2005, 10:58 AM

I've never set up an invision board so I don't know what it's like from an admin end... Nice user interface, but I believe it requires a $70 per year user license, does it not?

allendick · 02-28-2005, 11:13 AM

Really?

It is in the Scripts Library in cPanel, and I don't see any mention of that. I have two installations and neither has given any trouble. (Actually, sinc I am looking, I notice that there is an update in the cPanel. OK. I just ran it. No problem.)

Frankly, I haven't done any admin on it for a year, so don't recall.

I'll have to take a look.

allen

allendick · 03-02-2005, 10:43 AM

"I've never set up an invision board so I don't know what it's like from an admin end... "

I've had two set up for a while, but they are not my main boards. In fact, they are almost totally unused. I set one up with the idea of using it in an interractive blog fashion, but never did.

I just took a good look a few minutes ago, and IMO, Invision blows phpBB away on many, many fronts. Also, I have never had any problem with bad posts or emergency update announcements, as I have with phpBB.

I guess what got me started looking is that I wanted to move topics and discussions around on one of my phpBBs and could not find a way. I went to the admin on one of my Invisions and was REALLY impressed at all the options.

For anyone curious, I suggest installing a board to play with. It is easy to blow it away after if it is not what you want.

Anyone have a clue on how to convert my phpBBs into Invison?

allen

TechWeasel · 03-02-2005, 11:00 AM

Thanks for the heads up, I'll have to check it out.

I'm not convinced that phpbb is any less secure than any other forum software - it's just been hammered this year because it's by far the most adopted system out there (Especially for amateur forum admins who perhaps don't lock down their systems as tight as they should)... thus it's the fattest target for script kiddies. Then again, staying away from "the fattest targets" is not a bad security strategy in and of itself! :-)

As for converting a quick google turned up a wide selection of database converters over at Invision:

http://www.invisionboard.com/?convertors

Their most recent phpbb convertor is from v2.0.6 - however as they mention in this thread the mysql database is the same throughout all the v2 series of phpbb so it should work just fine up to the current v2.0.13... I'd still backup first.

Let us know how it works for you!

(NB: You can move posts in phpbb by clicking the "Mod Thread" button at the bottom of the page (usually looks like a page being ripped in half) which will then let you move and/or split threads...etc.)

allendick · 03-02-2005, 11:24 AM

Quote:

As for converting a quick google turned up a wide selection of database converters over at Invision

Thanks

Quote:

Let us know how it works for you!

Now I just need a 'roundtuit'.

Quote:

(NB: You can move posts in phpbb by clicking the "Mod Thread" button at the bottom of the page (usually looks like a page being ripped in half) which will then let you move and/or split threads...etc.)

Thanks! I thought that I had seen something like that a long time back, but could not find it.

phpBB could use a more intuitive interface. IMO, anyhow.

Maybe that will solve the problems enough that I won't convert. We'll see. It appears that there are a lot of useful bells and whistles on Invision

allen

cmyksteve · **phpBB Security update to 2.0.15 -** 05-07-2005, 02:35 PM

Version 2.0.15 of phpBB was just released for bug fixes, but they also mention one serious security fix. Here's a link to their announcement on the phpBB forum.

And a link to the udated files in their download area.

cmyksteve · **phpBB security update -** 06-27-2005, 02:57 PM

The phpBB Group announces the release of phpBB 2.0.16. This release addresses some bugfixes and one critical security issue.

Here's a link to their 2.0.16 updater files

Steve

allendick · **phpBB Tip -** 12-05-2006, 06:32 AM

I got tired of SPAMmers finding my one of my phpBBs by using Google and then signing up and posting junk--or just listing a dangerous URL in the members list (that can even happen if they are not approved to post), so I tried renaming the directory where it is located, then adding that directory to my robots.txt.

I used FrontPage to rename the directory, so I don't know if it worked any special magic while renaming, but I suspect it did not, so any otta work. I also changed the scripts directory pointer in the phpBB configuration panel to the new name. That's all I did as far as the forum is concerned. Of course, I also changed the links on my site to the new location as well.

Seems to work--so far--and the forum runs fine. No SPAM!

I realise that not everyone wants their forum hidden from Google, but, for those who don't care if it is indexed, here is a solution.

YMMV.

allen

SailFan · 12-05-2006, 07:56 AM

Also, there are some pretty effective spam post prevention MODs available...

http://www.phpbb.com/phpBB/catdb.php?cat=57