phpbb.com— We are pleased to announce the availability of the phpBB3 Beta1 package. With this first beta release we are officially starting the beta testing phase.
Jun 18, 2006
dw2005 Jun 18, 2006 (Submitter)
See also:
<a class="user" href="http://www.phpbb.com/development/">http://www.phpbb.com/development/</a>
Direct link to download:
<a class="user" href="http://www.phpbb.com/development/files/phpBB-3.0.B1.zip">http://www.phpbb.com/development/files/phpBB-3.0.B1.zip</a>
jessicahope Jun 18, 2006
"Of course you can post to an SMF forum from ANY ip address, just as you can go to google with ANY ip address."
No, you don't quite get it. I can spoof my IP to be any IP by setting the X-Forwarded-For to an IP address. This allows me to masquerade as being another user (as most people assume that if they post by the same IP, they are the same person), bypass IP bans, and also allows me to not have any IP logged at all (as if you set something invalid for X-Forwarded-For, SMF doesn't log the IP address).
"You cannot use XSS, that was patched in 1.0.7"
I didn't say XSS in the X-Forwarded-For. I mean XSS in image uploads and avatars.
"path disclosure does not seem to exist"
<a class="user" href="http://www.example.com/smf/index.php?board[]=1">http://www.example.com/smf/index.php?board[]=1</a>
That will produce something similar to a PHP notice about a variable being an array rather than a string, and give the line and path to the file at which the error occurred (QueryString.php). (Of course, any competent admin should not be running PHP with error reporting set to display on the screen, but this exploit worked on SMF's own site...)
"system access?"
As in I can put files on your server which runs SMF?
"Please do show me some proof of concepts"
<a class="user" href="http://www.google.com/search?q=SMF">http://www.google.com/search?q=SMF</a> X-Forwarded-For spoofing (you'll find links to copies of my advisory)
As for the rest, due to their nature, I've only reported them to the SMF team, of which my last e-mail sent on June 5th has had *no* reply.
Jessica
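The two server-side mistakes the comment above relies on (treating X-Forwarded-For as the client's address, and assuming a query parameter is a string when PHP may have parsed it as an array) are easy to close. The following is an added example, not SMF's code and not the commenter's; it is written in Python rather than PHP so the logic can be run and tested stand-alone, and it assumes a constructed list of trusted proxy networks (TRUSTED_PROXIES) that a real deployment would fill in with its own reverse proxies.

```python
import ipaddress
from typing import Dict, List, Mapping, Optional, Union
from urllib.parse import parse_qsl

# Constructed sample (assumption): the only proxies we operate and therefore
# trust to append honest X-Forwarded-For entries.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[IPAddress]:
    """Return an address object, or None when the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str] = None) -> str:
    """
    Resolve the address to use for logging, IP bans and "same poster" checks.

    * If the TCP peer (REMOTE_ADDR) is not one of our own proxies, the header
      is attacker-controlled text and is ignored entirely.
    * Otherwise walk the comma-separated list from the right (the hop nearest
      to us), skipping our own proxies; the first untrusted, syntactically
      valid entry is the client.
    * A malformed entry stops the walk and we fall back to the last hop we
      could verify, so a garbage header never results in "no IP logged".
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR must be a valid IP address")
    if not x_forwarded_for or not _is_trusted(peer):
        return str(peer)

    current = peer
    for hop in reversed(x_forwarded_for.split(",")):
        addr = _parse_ip(hop)
        if addr is None:
            break  # malformed: stop trusting anything further left
        if _is_trusted(addr):
            current = addr
            continue
        return str(addr)
    return str(current)


ParamValue = Union[str, List[str]]


def parse_query(qs: str) -> Dict[str, ParamValue]:
    """Mimic the shape of PHP's $_GET: 'k[]=v' collects into a list, 'k=v' is a string."""
    params: Dict[str, ParamValue] = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith("[]"):
            params.setdefault(key[:-2], [])
            bucket = params[key[:-2]]
            if isinstance(bucket, list):
                bucket.append(value)
        else:
            params[key] = value
    return params


def scalar_param(params: Mapping[str, ParamValue], name: str) -> Optional[str]:
    """
    Fetch a parameter that must be a single string.

    Code that assumes a string and receives an array emits a PHP notice; with
    display_errors on, that notice carries the script path. Rejecting the
    array up front turns the condition into an ordinary client error instead.
    """
    value = params.get(name)
    if value is None:
        return None
    if not isinstance(value, str):
        raise ValueError(f"parameter {name!r} must be a single value")
    return value
```

Keeping display_errors off in production is still necessary, since any other unexpected notice would leak the same path; the scalar check just removes this particular trigger.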
mqudsi Jun 18, 2006
Latest security vulnerability in phpBB:
<a class="user" href="http://neosmart.net/forums/index.php?gettopic=26">http://neosmart.net/forums/index.php?gettopic=26</a>
silverspeed Jun 18, 2006
Any guesses how long it will take people to find an exploit?
mck9235 Jun 18, 2006
No, they've caught up with SMF and Pun.
calpines Jun 20, 2006
I still like smf better
jleagle Jun 23, 2006
This is bad news for people who like to mod their forums, as the back end is much harder to understand than phpBB2's. The current mod community is huge; I'm guessing for phpBB3 it's going to be tiny.
ivorytickler Jun 28, 2006
Glad to see phpBB3 finally making its debut, even if it has been a little delayed. I've used phpBB for four years and I anxiously await version 3. I have a very heavily modified board and while it took a lot of work to get to where I am now, after reading the feature list for the new phpBB I see a lot of features I have managed to add over the years. It will be nice to have them in the vanilla the next time around! I have authored a few hacks/mods for phpBB myself and while I have not had a chance to look at the backend for phpBB3 I am eager to see how much more difficult modification will be.

As for other board software, I have nothing but respect for users of vB and IPB. I understand the reasoning behind non-GPL paid board software, I just don't agree with it. Why should I pay for IPB when it's ugly and I can capture most of its features in phpBB by putting a little time into my site? Sure, you say, I have to constantly upgrade to new versions and apply patches and all of that. To tell you the truth, I installed an outstanding security mod on my board and I can usually run a few versions behind and not have any fears. It carries a lot of protection against SQL injection and the like. As for vB, the software is nice, but the kind of board I run wouldn't work very well with it. The kind of modifications I need for it aren't available and the setup is just strange. This bias may be present because I came to phpBB with NO PHP experience. I've learned PHP through authoring mods, supporting those mods, reading PHP / MySQL books and, well, I think that because I was using open-source software with a wide support community I came out better than some of these admins using paid software. There's my 2¢