114 Comments
- AJRiddle, on 10/12/2007, -1/+31
You can see it live at http://area51.phpbb.com/phpBB
- JessicaHope, on 10/12/2007, -6/+28
Oh please. I reported four different security problems to SMF over *three months* ago, and I've seen no new release, and very little reply from the SMF lot. Hell, as it stands, I can post from any IP in the world on an SMF forum, I can also do path disclosure, XSS and finally, system access (in certain setups). You call that secure?
As for features, phpBB 3 has more permission options, better layout, better code and a better list of supported database types (poke me when you can install SMF on PostgreSQL, Firebird, MSSQL, SQLite and Oracle without modifying the code..).
Finally, SMF's licence isn't GPL, and that does leave the possibility that they might pull an IPB and start making non-free versions, and then drop support for their old versions. Don't say it won't happen, as if they are not going to do it, they would make it GPL...
Jessica
- dw2005, on 10/12/2007, -1/+22
See also:
http://www.phpbb.com/development/
Direct link to download:
http://www.phpbb.com/development/files/phpBB-3.0.B1.zip
- SniperX, on 10/12/2007, -6/+26
Did anyone else get this chilling feeling thinking of a new major phpBB release and the security threats this new one may offer ;x
- Jeffrey903, on 10/12/2007, -0/+15
Here are the highlights - http://area51.phpbb.com/docs/features.html
- psyon, on 10/12/2007, -3/+16
(Assuming the user name and signature is representative of the sex of the poster)
Dude, you just got schooled by a chick!
- X111, on 10/12/2007, -1/+12
Pigs fly, the sky is falling, phpBB3 beta 1 is released. The end of the world must be nigh.
Awesome news though, I hope the betas go smooth so we can see a first RC soon.
- rickyboone, on 10/12/2007, -3/+13
Give the phpBB developers some credit. Yes, it's had several security-related patches, but they've typically released said patches relatively quickly. If you feel you can do better, the least you could do is give them a hand.
- nitr021, on 10/12/2007, -1/+10
########
here is some screens of the new admincp
http://www.theadminzone.com/forums/showthread.php?t=23872
- Jeffrey903, on 10/12/2007, -2/+10
Wow, I never thought this was coming. It was pushed back so many times, developers left the team, and promises were broken.
Hmmm....sounds a lot like another software team I've heard of.
- kyriakos, on 10/12/2007, -0/+8
I solved it by banning *@mail.ru ..
- psyon, on 10/12/2007, -2/+10
@dude3609
I think you are the perfect example of the problems plaguing Digg lately.
- Jeffrey903, on 10/12/2007, -4/+9
I was actually thinking Microsoft, but Sony also fits that description.
- iDealL, on 10/12/2007, -0/+5
Thank GOD we finally get subforums and attachments! This is great news; if we didn't get those any sooner I was about to switch over to SMF. Looks like I won't have to now...thanks phpBB team!
- JessicaHope, on 10/12/2007, -1/+6
"Of course you can post to an SMF forum from ANY ip address, just as you can go to google with ANY ip address. "
No, you don't quite get it. I can spoof my IP to be any IP by setting the X-Forwarded-For to an IP address. This allows me to masquerade as being another user (as most people assume that if they post by the same IP, they are the same person), bypass IP bans, and also allows me to not have any IP logged at all (as if you set something invalid for X-Forwarded-For, SMF doesn't log the IP address).
"You cannot use XSS, that was patched in 1.0.7"
I didn't say XSS in the X-Forwarded-For. I mean XSS in image uploads and avatars.
"path disclosure does not seem to exist"
http://www.example.com/smf/index.php?board[]=1
That will produce something similar to a PHP notice about a variable being an array rather than a string, and give the line and path to the file at which the error occurred (QueryString.php) (Of course, any competent admin should not be running PHP with error reporting set to display on the screen, but this exploit worked on SMF's own site...)
"system access?"
As in I can put files on your server which runs SMF?
"Please do show me some proof of concepts"
http://www.google.com/search?q=SMF X-Forwarded-For spoofing (you'll find links to copies of my advisory)
As for the rest, due to their nature, I've only reported them to the SMF team, of which my last e-mail sent on June 5th has had *no* reply.
Jessica
- tizz66, on 10/12/2007, -3/+7
Wow, they've finally caught up to IPB/vB.
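The two issues JessicaHope walks through above (a client-chosen X-Forwarded-For being logged as the poster's IP, and a `board[]=1` array parameter reaching string-only code) as an added Python example; this is neither SMF's nor phpBB's code, and the proxy range and request values are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import parse_qsl

# Assumed reverse-proxy range (constructed, not from the thread): X-Forwarded-For
# is only believed when the TCP peer sits in one of these networks.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr, headers):
    """The pattern described in the thread: whatever the client puts in
    X-Forwarded-For is logged as its IP, so the address can be chosen freely
    or replaced with a non-IP string."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the peer is a trusted proxy, walk the
    chain from the right past trusted hops, and require every hop examined to
    parse as an IP; in every other case log the real peer address."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return str(peer)              # direct client: the header is untrusted
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in chain if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # garbage in the header: never log "nothing"
        if not any(addr in net for net in trusted):
            return str(addr)          # first hop not appended by our own proxies
    return str(peer)


def scalar_query_param(query, name):
    """Fetch a parameter the code expects as a single string. PHP turns
    'board[]=1' into an array, and string-only code then dies with a notice
    that can include the file path; here any bracketed or repeated form is
    reported as invalid (None) so the caller can reject it cleanly."""
    values = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            values.append(value)
        elif key.startswith(name + "["):
            return None
    return values[0] if len(values) == 1 else None
```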
- mrWoot, on 10/12/2007, -1/+5
They have in no way "caught up" with vBulletin.
- Greg-J, on 10/12/2007, -0/+4
--
Awesome!
Excuse me, PhpBB, 1999 called. They want their session ID's back.
--
- agoodm, on 10/12/2007, -0/+4
Check out this: http://digg.com/links/phpBB3_beta_install_to_try_out enjoy!
- FearNLoathing, on 10/12/2007, -2/+6
I wonder if they are running it now... what better way to stress test your latest release than to link to it on digg ;)
- kyriakos, on 10/12/2007, -0/+4
@stardustwd
making everything OO doesn't necessarily make it better, error free or more efficient (actually efficiency is a hot debate on this matter). I have worked professionally as a developer for the past 4 years and from my experience and studies I can tell you as a fact that OO is not suited for every application.
- SWGreg, on 10/12/2007, -0/+3
I really like the AdminCP design, it's a real change from the old frame design phpBB 2.x had. Compared to vBulletin, phpBB's admin cp is superior to the vB one (although with fewer features).
- kudos, on 10/12/2007, -1/+4
Are you just linking to a blog of your own? That's the only reason I can think of for you to post a link that contains nothing over the original article.
- dchesterton, on 10/12/2007, -1/+4
"phpbb has the same problem as windows basically. it's used everywhere - making it easier to find the hidden exploits."
That may be true but the main reason PHPBB has so many exploits is because it's the most memory intensive, non-extensible, spaghetti-code ridden piece of crap out there. Honestly, haven't these so-called 'experts' learnt about classes and objects? It is honestly an awful piece of software, which any decent developer should have worked out by now.
Yes, it's good for those without any technological knowledge but for anyone else it's a great steaming pile of crap.
- yum9me, on 10/12/2007, -2/+5
Anyone got it installed so we can see it live in action?
- clokwise, on 10/12/2007, -1/+4
STILL no native support for UTF-8??????!!!!!
I give up. This has been promised for so long now.
This is a MUST HAVE feature for anyone using non-roman based character sets. Yes, there are kludges and workarounds, but they are a major pain in the ass, and then every time you want to upgrade phpBB you have to re-fix all your kludges. Totally sucks.
- kyriakos, on 10/12/2007, -0/+3
that's not exactly true. most of the time you don't have to install the new version 'cause the patches come out separately and you can apply them in minutes. you only have to upgrade to major releases and those don't come out very often. I run a forum with 32000 members on mysql with phpbb2 and I'm quite happy with it. had to do some modifications to make things faster in large topics but all these are well documented. it's definitely not the kind of software that does everything out of the box but there's a very strong community behind it and I've yet to post in their forum without getting a good reply within a few hours.
there's a page listing the largest boards in the world (www.big-boards.com) if you have a look you'll see phpBB is used in the largest one with 3988867 members..
- kyriakos, on 10/12/2007, -0/+3
phpbb has the same problem as windows basically. it's used everywhere - making it easier to find the hidden exploits. 'cause it's the first choice for everyone it means it's run by admins who have no clue how to secure it properly or apply updates when they become available, leaving it wide open to known exploits.. it's an unfortunate side effect of something being popular in the software world.
- cyssero, on 04/18/2009, -0/+3
*Blinks*
I cannot believe it. Very, very good news. Anyone who has been following phpBB 3's journey will know how long we've waited for this one. Excellent :)
- echimu, on 10/12/2007, -0/+3
I hope the problem related to spam bots is fixed in this version.
- lcarsdeveloper, on 10/12/2007, -1/+4
As much as I hate to drone on about AJAX, the vBulletin AJAX features are fantastic. Like double-clicking on a thread title to edit it, and the AJAX Quick-Reply. Makes me wonder how I got by without it!
Little things like this are missing from phpBB, and for someone who needs to read and moderate every new post, it can mean the difference between spending 20 minutes and 60 minutes a night on your forum.
I really hope phpBB3 can improve on the current release. I know they're working really hard on it, and delaying release to add new features. But I've already made the vBulletin switch, how many others will grow impatient and do the same?
- Trekkie101, on 10/12/2007, -1/+4
"Oh please. I reported four different security problems to SMF over *three months* ago, and I've seen no new release, and very little reply from the SMF lot. Hell, as it stands, I can post from any IP in the world on an SMF forum, I can also do path disclosure, XSS and finally, system access (in certain setups). You call that secure?"
Of course you can post to an SMF forum from ANY ip address, just as you can go to google with ANY ip address.
You cannot use XSS, that was patched in 1.0.7. Path disclosure does not seem to exist; hit me up with a report that suggests otherwise. What system access? You mean the bug filed to the trackers that was put up without actually making sure it worked, as it didn't. Please do show me some proof of concepts or feel free to email me, or contact the simple machines security address.
- syneo, on 10/12/2007, -1/+4
> Finally, SMF's licence isn't GPL, and that does leave the possibility that they might pull an IPB and start making non-free versions
GPL does not prevent that. If you develop the software, you hold the copyright. Therefore, you can do whatever you want with the software (except for retroactive actions).
- Alegis, on 10/12/2007, -1/+3
About time! Been waiting for years. It looks lovely, but I'll wait before updating the board I'm running until a stable release.
- Luuvitonen, on 10/12/2007, -0/+2
You totally forgot Duke Nukem Forever which is about to go gold.
- spyres, on 10/12/2007, -0/+2
What you see is not the final theme that will ship with the gold version.
phpBB's subsilver was heavily ripped off even before 2.0 was available, so the new look will only debut with the final release of "Olympus" (phpBB 3.0)
- JayBachatero, on 10/12/2007, -0/+2
I get what you're saying but this is not the place to talk about SMF. I will not reply to this anymore in regards to SMF.
On a side note it's nice to hear that phpBB 3 is soon to be out. I believe the devs deserve a big thumbs up for the work they're doing.
- JessicaHope, on 10/12/2007, -0/+2
"Ok first thing first. That issue with the array in the url has been fixed on the CVS."
Good.
"full reply from Grudge in regards to the X-Forwarded-For"
I generally disagreed with most of his comments about the issue. IP spoofing does allow people to bypass bans and possibly get other people banned. With the ability to also not have any IP logged, this could make it impossible for the novice admin to properly ban a user by IP.
As for the rest, why have there been no replies to my e-mails for months? I've not had any reply back from the XSS exploit I sent them. This is bad communication, and when you're dealing with security related matters, you don't want it. A month is the standard time to give a company before releasing the exploits to the public. With the lack of IP to session control (meaning sessions are not tied to the user's IP), XSS could allow an attacker to gain admin access, at which point the board is well and truly compromised, and could ultimately lead to the whole server being exploited. Do you really wish for such info to be public? In my eyes this just shows that SMF doesn't really care about security issues; their heads are too far up in the clouds to see the truth.
I'm sure that as an SMF team member, Jay, you can see where I'm coming from, no?
Jessica
- antigoogle, on 10/12/2007, -4/+6
phpBB is one of the most active and highly used pieces of open source software available. You guys don't have the right to disrespect these efforts.. Every big piece of software comes with vulnerabilities and bugs, even Firefox too... Because many people use it, see your code and search for vulnerabilities; if the other forum software has fewer vulnerabilities, the reasons are security by obscurity and the fact that it's less exposed to inspection ...
- inactive, on 10/12/2007, -1/+3
"let the exploit finding begin"
Absolutely.
Is this actually the most secure forum software any longer?
I doubt it.
Another thought occurred to me....
I can't find any RSS capabilities in the new version.
This is practically a no-brainer in today's internet world.
You would think somebody would have the foresight to know this and throw it in there. I have it on all my boards, and don't know how I'd live without it ; )
- JessicaHope, on 10/12/2007, -0/+2
Haha, I felt the same way. The current style has been noted by the developers not to be the final style though, so who knows?
Jessica
- codplay, on 10/12/2007, -0/+2
The RSS/RSS2/ATOM feeds were part of the community coding projects.
(See: http://www.phpbb.com/phpBB/viewtopic.php?t=316489)
Not sure where development on that stands right now. My guess is that it will be in 3.2, but I don't actually know.
- syneo, on 10/12/2007, -1/+3
I wonder why the comment was moderated down. Where's free speech? Does that mean you can't post that product A is better than product B and in what ways on digg? I use phpbb 2 and am happy with it. But I would like to read what the others think about it. Gee.
- kyriakos, on 10/12/2007, -1/+3
ajax mods are available for phpbb2. just not out of the box.. but very easy to install
- JessicaHope, on 10/12/2007, -0/+2
Are you sure? UTF-8 appears to work fine here. If you really have problems getting UTF-8 working in phpBB 3, go and add a report: http://www.phpbb.com/bugs/
Jessica
- kyriakos, on 10/12/2007, -0/+2
one of my boards is in Greek and works fine. only problem I got was with notification e-mails getting in the wrong encoding but got it fixed with some simple manual changes to the code.
- kyriakos, on 10/12/2007, -1/+3
is there a list of new features anywhere?
- sldSquirrel, on 10/12/2007, -1/+3
Wow, looks like it's turning into Invision or vBulletin.
I find it kinda hard to be interested in anything other than Vanilla ( http://www.getvanilla.com ) these days.
- MalDON, on 10/12/2007, -1/+3
Might I add that when a bug is found in a large closed source program, the result can be horribly bad for everyone. Just look at IE and all the damage that has been caused over the years.
- krokodil, on 10/12/2007, -1/+3
I am surprised they have not implemented RSS/ATOM support feeds yet. This is basically a standard feature for this kind of software. Given the popularity of phpBB it is a major shortcoming.
I participate in a couple of discussions on different sites using phpBB and email notifications of topic updates are driving me nuts.