Phpbb


Joe
05-10-2005, 05:19 PM
This email was just sent to all users, on all servers:

This is the first notice to everyone/anyone who has installed phpBB on their websites. Effective June 15, 2005 phpBB forums will no longer be allowed at HostPC due to multiple vulnerabilities.

We've been patient with the phpBB community, in hopes that they'd release a stable version, yet every one that's been released this year has been "compromised" within hours of release.

We don't take this decision lightly, but for the security of our customers, we're forced to make this decision.

If you have a phpBB install in your webspace, PLEASE begin the migration to a different format. We're suggesting SM Forums, which looks and acts very similar to phpBB. There's an easy converter script that will allow you to keep all content and users intact while migrating to the new format.

If you have any questions, please check our forums at http://hostpc.com/forums
http://www.hostpc.com/forums/index.php?act=announce&f=6&id=15

As of June 15, we'll begin actively scanning, and disabling any copies of phpBB found to be active.

Why are you getting this email: We're contacting ALL customers to let them know of this important change. You may not have phpBB installed; this is just a precautionary alert.


HostPC Support

Osipof
05-11-2005, 12:31 PM
A better alternative to phpBB, Simple Machines Forum (http://www.simplemachines.org/)

thisisms
05-11-2005, 01:54 PM
Does anyone know what can be done if you have PHPNuke? The integration with PHPbb does not seem simple to change.

Please help... I run a non-profit in my "spare" time and I don't have much of that time available to dedicate to researching this. Many people count on my PHPbb boards daily for support and help with their medical condition, so I can't let it go down.

Thanks in advance for advice...

-a

Joe
05-11-2005, 02:42 PM
I was just contacted by the folks at Simple Machines. I thank them for their input, and for volunteering these resources to help our users!


Hello Joe,
One of our users has brought to our attention that you are no longer allowing phpBB on your servers. They also informed us that you are recommending our software, SMF. For the sake of consistency, the name of our software is either SMF or Simple Machines Forum, not SM Forum; this is however a common mistake. We also offer a phpBB to SMF converter which can be found for free at http://www.simplemachines.org/download.php/phpbb2_to_smf.php. This has been tested with SMF 1.0.3 and phpBB 2.0.7, although as their newer versions are mainly security fixes there should be no issue. We also offer free, mainly community-based, support for converters at http://www.simplemachines.org/community/index.php?board=20. Please let me know if you, or your customers, have any questions about converting to our software.

Thanks,
David Recordon
Project Manager
Simple Machines

gscott
05-12-2005, 06:09 PM
Originally posted by Joe@May 11 2005, 11:42 AM
I was just contacted by the folks at Simple Machines. I thank them for their input, and for volunteering these resources to help our users!


Hello Joe,
One of our users has brought to our attention that you are no longer allowing phpBB on your servers. They also informed us that you are recommending our software, SMF. For the sake of consistency, the name of our software is either SMF or Simple Machines Forum, not SM Forum; this is however a common mistake. We also offer a phpBB to SMF converter which can be found for free at http://www.simplemachines.org/download.php/phpbb2_to_smf.php. This has been tested with SMF 1.0.3 and phpBB 2.0.7, although as their newer versions are mainly security fixes there should be no issue. We also offer free, mainly community-based, support for converters at http://www.simplemachines.org/community/index.php?board=20. Please let me know if you, or your customers, have any questions about converting to our software.

Thanks,
David Recordon
Project Manager
Simple Machines



I didn't have much on my board, but I disabled my phpbb yesterday and set up SMF. I found it to be very simple, just like PHPBB; now hopefully with much fewer security holes and headaches...

:)

Thanks,
Glenn

Joe
06-22-2005, 03:03 PM
Powered by PNphpBB2 1.2d © 2003-2004 PNphpBB Group

That version of phpBB was just exploited for PostNuke...

Heads up!

Joe
06-28-2005, 02:10 PM
http://secunia.com/advisories/15845/

phpBB 2.0.15 has been exploited ... pretty severely. Upgrades to 2.0.16 are REQUIRED for all users, please update TODAY.

Description:
A vulnerability has been reported in phpBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "highlight" parameter in "viewtopic.php" is not properly sanitised before being used in a "preg_replace()" call. This may be exploited to inject arbitrary PHP code.

The vulnerability has been reported in version 2.0.15. Prior versions may also be affected.

Solution:
Update to version 2.0.16.
http://www.phpbb.com/downloads.php

dbmasters
06-28-2005, 03:44 PM
Have you considered just putting the phpbb exploits on some sort of CRON ;)

Ch@05
07-23-2005, 11:42 AM
Wow, the day a host bans phpBB from their servers is a sad day... It's unbelievable that you "blame" phpBB for anything that happens on YOUR servers.

As said by phpBB project manager psoTFX:

Originally posted by psoTFX
It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB (sometimes involving fees for conversion to other boards). This is unfortunate for everyone and seems largely to be based on FUD.

While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly. Equally some hosts are doubtless blaming phpBB for exploited systems when in fact the actual culprit is one of the many other apps which have suffered recent major or significant issues (vB, AWStats, etc.).

I would appreciate it if anyone affected by hosts taking such actions would contact me with relevant details and if possible a contact point.

dbmasters
07-23-2005, 01:00 PM
If any script has exploits through it that put the servers at risk, solely because of a weakness in that script, you actually don't hold PHPBB accountable? What the heck? I find it unbelievable that you feel otherwise, but, of course, you are perfectly within your rights to have that opinion. What you suggest is that scripts cannot be held responsible for security breaches, and, well, that is just incorrect.

PHPBB has constant exploits found and updates on a regular basis. I certainly will give them that: when one is reported they often fix it quickly. But when you can't count on users to actually apply the updates, what choice does a host have? Either you have one lazy user put the entire server and all its users at risk, or you ban the script.

I certainly am in no position to speak for HostPC, however, if I owned a hosting company, I'd ban the script as well.

Joe
07-23-2005, 02:14 PM
The number one reason we chose to ban phpBB was not because the script is faulty - every script has issues sometimes during its life.

I've heard the rationale that "but they issued a fix for it within days after it was found". My response is simple when you stop and think about it. Do you really expect users to update their software immediately EVERY time there's a patch? Sorry, it doesn't happen. Most of the copies we snagged were several versions old.

It's not phpBB inherently I have a problem with. What I do have a problem with is making ANY user be required to upgrade 5 times in the course of one year. Bottom line is they're just NOT going to do it as soon as the release comes out - which leaves the server vulnerable.

It's unbelievable that you "blame" phpBB for anything that happens on YOUR servers.

Don't blame "our servers" - if the software itself wasn't buggy, there wouldn't be published exploits, which require user intervention to update 5 times/yr (and there was at least one instance where there were 2 updates inside a month).

JustClem
07-23-2005, 02:31 PM
Originally posted by Joe@Jul 23 2005, 12:14 PM
It's not phpBB inherently I have a problem with. What I do have a problem with is making ANY user be required to upgrade 5 times in the course of one year. Bottom line is they're just NOT going to do it as soon as the release comes out - which leaves the server vulnerable.

Not to be contrary, but SMF 1.0 was released Dec 29, 2004. SMF 1.0.5 was released on Jun 20, 2005. That is 5 updates in less than six months. Going by memory (which could be mistaken), I think that each of these updates fixed security issues.

Since Nov 2004, phpBB has gone from 2.0.10 to 2.0.17. That is 7 updates in 7 months. Really not much difference from SMF over roughly the same timeframe.

dbmasters
07-23-2005, 03:50 PM
Also consider that PHPBB is one of the most widely known open source forum scripts, which makes it much more of a target. Just look at some of the damage done when a PHPBB exploit is found and distributed; there have been some very WIDESPREAD hacks and attacks due to it just because it's widely used and widely known... much the same reason Microsoft is such a target: because it is exploitable and it's well known.

eugene
07-24-2005, 11:06 AM
Unless people want auto-updating code, exploits and similar problems are here to stay. In SMF's favor, the admin interface automatically checks for updates and lets one know.

QuickGold
07-25-2005, 10:21 AM
Originally posted by eugene@Jul 24 2005, 09:06 AM
In SMF's favor, the admin interface automatically checks for updates and lets one know.

phpBB does that now as well.

Joe
08-01-2005, 12:00 AM
Ok, this was just pointed out to me - I feel compelled to share it with you.

A recent post at Netcraft: http://news.netcraft.com/archives/2005/07/08/hosts_ban_phpbb_as_security_issues_persist.html

says:

The latest security incident involves a security flaw in a file called viewtopic.php, which was attacked by the Santy worm. UPDATE: Our initial report suggested the security hole in phpBB 2.0.15 was the same flaw found in version 2.0.11 and targeted by the Santy worm. The latest flaw is actually in a different section of the viewtopic.php code, according to Ashley Pinner of the phpBB support team. A fix is included in a new update of phpBB, which has had persistent security problems in recent months.

Our initial report suggested the security hole in phpBB 2.0.15 was the same flaw found in version 2.0.11 and targeted by the Santy worm. The latest flaw is actually in a different section of the viewtopic.php code, according to Ashley Pinner of the phpBB support team.

Different part, same issue. You'd think they'd have caught that?

Sheesh.

As one of my techs just said:

They should just call it phpbbXP or MSphpbb.

Tierma
09-05-2005, 07:52 PM
After reading this thread I have this to say:

I have checked the New Users / Pre-sales section in the forums, the FAQ sections and even the acceptable use policy. I could not find anything that says that PHPBB is not allowed for customers until I read this thread in the forums. I looked for this post after being told by support that it was not allowed on HostPC after it was installed.

Here are a few questions/statements that need to be asked and pointed out after reading the forums for all the info I could find and taking up a lot of my time:

Why are we directed to use Simple Machines Forums when HostPC uses Invision forums? It does not give me a good feeling when my host provider does not use what they recommend.

Also, to ban it from your servers is not a service to your competent customers. For those that do not patch their software and listen to your warnings you suspend their accounts. This way you are FAIR to your paying customers that understand the problem and also fair with the people that do not correct it. That is not only the proper way to handle this it is the easiest for both support and your customers. Forcing people and banning software on the fact that people are lazy is not good business. Suspending people that do not comply is.

As said on many websites, PHPBB is the most popular forum software out there. With that said it is also easy to understand that it would be the one to have the most "insert problems here" with it. No different with Microsoft stuff or even (pick your favorite version of) Linux now that it is also more popular.

Anyways, if the stance is that PHPBB is not wanted or allowed here then it should have its own link in the main menu (like the Secure FormM@iler does) and it should be listed that it is not allowed in the Acceptable Use policy (which it is not). I am not happy that I have to research something else to fit my already made plans for something that was not easily pointed out.

dbmasters
09-05-2005, 09:15 PM
For starters I'd like to submit that Invision is not a free forum, SMF is, which is why it is recommended in addition to being more secure than PHPBB... at least at this time.

ozee
09-06-2005, 09:49 AM
Originally posted by Tierma@Sep 5 2005, 04:52 PM
Also, to ban it from your servers is not a service to your competent customers. For those that do not patch their software and listen to your warnings you suspend their accounts. This way you are FAIR to your paying customers that understand the problem and also fair with the people that do not correct it. That is not only the proper way to handle this it is the easiest for both support and your customers. Forcing people and banning software on the fact that people are lazy is not good business. Suspending people that do not comply is.

Two major flaws with this argument:

1. There are too many customers who aren't "competent" and don't ever upgrade their software. They install and forget...

2. New exploits have been released for phpbb as fast as patches are being made. It's a popular product that's full of holes - that's why it's an incredible target right now... That's why it's banned at HostPC (and several other reputable hosts!)

Plus, can you imagine the work involved in constantly scanning every single account to see which version of phpbb is installed?!

Originally posted by Tierma@Sep 5 2005, 04:52 PM
Anyways, if the stance is that PHPBB is not wanted or allowed here then it should have its own link in the main menu (like the Secure FormM@iler does) and it should be listed that it is not allowed in the Acceptable Use policy (which it is not). I am not happy that I have to research something else to fit my already made plans for something that was not easily pointed out.

You're right. It should be listed in the AUP. It was probably just an oversight... When Joe (et al.) made this decision, they were incredibly busy fighting the fires caused by the aforementioned phpbb exploits.

c
09-06-2005, 10:46 AM
Originally posted by Tierma@Sep 5 2005, 05:52 PM
After reading this thread I have this to say:

As said on many websites, PHPBB is the most popular forum software out there. With that said it is also easy to understand that it would be the one to have the most "insert problems here" with it. No different with Microsoft stuff or even (pick your favorite version of) Linux now that it is also more popular.

Right, phpBB is very popular, which is why I finally broke down and started writing some code for it. But after having gone through the phpBB code line by line (for 30+ files and more to go) I can say the problem with phpBB is not that it is popular and is constantly under attack. I ran a comparison diff on phpBB of 2 years back and on the latest release. I was surprised to find that the code base has not changed. Even some bugs associated with older PHP versions and bad coding practices are still in place just as they were 2 years ago. This is also the main problem with Form mailer. In an effort to remain the most popular software phpBB developers have purposely overlooked advances in PHP and the web in general. While Form Mailer is no longer being actively developed and has this as an excuse for being a security risk, phpBB does not enjoy the same excuse.

Will phpBB 3 fix this problem? Let's hope so.

dbmasters
09-06-2005, 11:04 AM
Interesting c, thanks for the insight. I never looked through the code; I just know that I have no desire to run a script that needs a new patch every couple of days. I have enough of that with my OS :-)

That's a lot of the reason I encourage people to roll their own. If it's a one-off script, even if it's insecure and crappy, there are far lower odds of somebody trying to hack a script that will only allow them to hack one little site... plus ya learn a little sumthin each time ya write some code... which is good too.

Tierma
09-06-2005, 12:32 PM
Originally posted by ozee@Sep 6 2005, 07:49 AM
Two major flaws with this argument:

1. There are too many customers who aren't "competent" and don't ever upgrade their software. They install and forget...

2. New exploits have been being released for phpbb as fast as patches are being made. It's a popular product that's full of holes - that's why its an incredible target right now... That's why it's banned at HostPC (and several other reputable hosts!)

Plus, can you imagine the work involved in constantly scanning every single account to see which version of phpbb is installed?!

With issue 1 you quoted that is not an argument, it is a statement. Just suspend the ones that do not comply. If you have 10 phpbb forums on your server and only 1 out of those 10 knows what they are doing then you need to suspend the 9 that do not understand or even care. It is wrong to just take it away from everyone.

For issue 2 there were each and every time patches for the problems that surfaced. To suspend the account while giving the customer the time to fix the problem would have been the right choice.

If I were a customer of HostPC for several years and kept my website up to date and had a huge website with tons of searchable data, this solution is absolutely not acceptable. If you told me that I had to change when there was nothing wrong with my website then you would lose me as a customer.

As for the work involved it is not all that hard. If you have 100 accounts on one server all you have to do is use "locate phpbb" to find the users that have it installed. From there you can use whatever commands with grep to find the versions and then send off emails to the people that are the problem users.

Not very hard to do at all.

As was answered and suggested after I posted, it should at least be easier to find what is allowed and not allowed on this host. I understand that there are some providers out there that see this as a problem. I also understand that there are many more that do not.

In other words, when there is a solution to the problem then fix the problem. If you get a broken arm you do not amputate your arm to fix the problem. You see a doctor and get it set in a cast. Saying that I cannot even see the doctor to get that done is the same thing as not allowing your customers to have access to that software.
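Tierma's procedure above (locate the installs, grep for versions, then mail the accounts that are behind) can be scripted. What follows is an added example for this thread, not HostPC's tooling and not phpBB's code, and it rests on three stated assumptions: a phpBB 2 install is a directory that contains both viewtopic.php (the file named in the Secunia advisory quoted earlier) and config.php; the version string is read from a file at VERSION_FILE matching VERSION_RE, both of which are placeholders the operator must point at the right file and pattern in their own phpBB tree; and the account name is the first path component below the scanned root (a /home/<user>/... layout). Versions are compared numerically field by field, so 2.0.9 correctly sorts below 2.0.10.

```shell
#!/bin/sh
# Inventory phpBB 2 installs under a web root and flag those below a minimum version.
# Added example for this thread; not HostPC's scanner and not phpBB's own code.
#
# ASSUMPTIONS (verify against your own phpBB tree before relying on the output):
#   - an install is a directory holding both viewtopic.php and config.php
#   - the version is read from VERSION_FILE (relative to the install) using VERSION_RE
#   - the account name is the first path component below the scanned root
VERSION_FILE="${VERSION_FILE:-version_marker.php}"   # PLACEHOLDER path, not from phpBB
VERSION_RE='[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}'     # dotted triple such as 2.0.16

# find_phpbb_installs ROOT -> prints one install directory per line
find_phpbb_installs() {
    find "$1" -type f -name viewtopic.php 2>/dev/null | while IFS= read -r f; do
        d=$(dirname "$f")
        if [ -f "$d/config.php" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# phpbb_version DIR -> prints the first version string found, or "unknown"
phpbb_version() {
    v=$(grep -o "$VERSION_RE" "$1/$VERSION_FILE" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# version_ge A B -> succeeds when dotted version A >= B, compared numerically per field
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}              # current field of each (empty -> 0)
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac   # drop the field just compared
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0                                  # all fields equal
}

# report ROOT MINIMUM -> one tab-separated line per install:
#   account  directory  version  status   (status: ok | OUTDATED | UNKNOWN)
report() {
    root=$1; min=$2
    find_phpbb_installs "$root" | while IFS= read -r d; do
        v=$(phpbb_version "$d")
        if [ "$v" = unknown ]; then
            status=UNKNOWN                    # no readable version: needs a manual look
        elif version_ge "$v" "$min"; then
            status=ok
        else
            status=OUTDATED                   # candidate for the warning e-mail
        fi
        acct=${d#"$root"/}; acct=${acct%%/*}  # first path component below ROOT
        printf '%s\t%s\t%s\t%s\n' "$acct" "$d" "$v" "$status"
    done
}

# Usage: sh phpbb_inventory.sh /home 2.0.16
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

The OUTDATED and UNKNOWN lines are the ones Tierma would mail; feeding the output to a mail step is left to the host's own account mapping. Running it from cron against every account's web root is the "time consuming" part dbmasters alludes to, not the logic.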

dbmasters
09-06-2005, 01:24 PM
There is a pretty big chasm between what's "not hard" and what is "time consuming"... it's not hard to dig a 10' diameter hole in the ground 2 feet deep, but it takes a while...

thevillageinn
09-06-2005, 10:03 PM
All this back and forth here is pointless... the fact is that HostPC doesn't allow phpbb. Nothing more needs to be said other than that this fact should be mentioned clearly in the AUP/TOS.

OpAckFan
09-08-2005, 04:39 PM
I don't mean to stir the pot here... but in this thread:
http://www.hostpc.com/forums/index.php?showtopic=2352

which points to this list of available software via the installatron:
http://hostpc.com/content/view/163/2/

phpBB 2.0.17 is listed as available there - and that post was made in August when the decision to ban phpBB was made in May.


...just sayin'...

Joe
09-08-2005, 06:14 PM
Originally posted by OpAckFan@Sep 8 2005, 02:39 PM
I don't mean to stir the pot here... but in this thread:
http://www.hostpc.com/forums/index.php?showtopic=2352

which points to this list of available software via the installatron:
http://hostpc.com/content/view/163/2/

phpBB 2.0.17 is listed as available there - and that post was made in August when the decision to ban phpBB was made in May.


...just sayin'...


You'll notice that phpBB (and a couple others) are not available through Installatron any longer.

webguyz
10-17-2005, 02:46 PM
I see phpbb is now listed on Installatron... are we allowed to use it again?

c
10-17-2005, 03:08 PM
Probably not. It is probably an artifact of a new installation of DirectAdmin. I tried to install phpbb about a week ago and could not find the files after uploading them.

I am going to take a time out and get open source political here. I am personally boycotting SMF because of their licensing. Even though they themselves have admittedly "expanded" from YaBB SE, a GPL open source project, the SMF license is not GPL. In other words they have changed the license to make SMF "free" but not free software. They are not even considering a dual license.

After getting burned by PHPedit, IPB forum and several other "free" products I am personally urging the use of full free GPL software or making a purchase of compatible software. For my customers that cannot afford vBulletin I am installing FUD forum.

If you are going commercial with something, don't hide the fact.

Joe
12-22-2005, 01:06 PM
http://news.netcraft.com/archives/2005/12/22/exploit_targets_new_phpbb_security_hole.html

An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forms poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled.

Some web hosts have banned the use of phpBB (http://news.netcraft.com/archives/2005/07/08/hosts_ban_phpbb_as_security_issues_persist.html), citing ongoing security problems (http://news.netcraft.com/archives/2005/02/22/more_security_problems_for_phpbb.html). Hackers often seek out vulnerabilities in forum software, which typically offers many fields that all must check input to detect malicious code.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 224,000 registered members of its user forum. A number of web hosts offer phpBB as an account add-on that can easily be installed by users.
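The Netcraft piece says the exposure is contained when "Allow HTML" and register_globals are both off. The first is a board setting; the second is PHP configuration, which on shared hosting can live in a php.ini or be overridden per account in a .htaccess, with the last directive in a file winning. The check below is an added example for this thread, not phpBB's or Netcraft's code: it reports the directive's state per file and distinguishes "explicitly off" from "absent" (the server-wide default applies) and "unrecognised value", so an auditor is not fooled by a commented-out line or an earlier directive that a later one reverses. The sample files in the usage are constructed.

```shell
#!/bin/sh
# Report the effective register_globals directive in PHP configuration files.
# Added example for this thread; not phpBB's, Netcraft's or HostPC's code.
# Understands the php.ini form ("register_globals = Off") and the .htaccess
# forms ("php_flag register_globals off", "php_value register_globals 0").

# register_globals_state FILE -> prints exactly one of: off, on, unset, unknown
#   off/on  : the last uncommented directive in FILE sets it that way
#   unset   : FILE is missing or has no such directive (server default applies)
#   unknown : a directive exists but its value is not a recognised PHP boolean
register_globals_state() {
    if [ ! -f "$1" ]; then
        echo unset
        return
    fi
    # Strip ';' (php.ini) and '#' (.htaccess) comments, lowercase, keep the last
    # line that still names the directive.
    line=$(sed -e 's/[;#].*$//' "$1" | tr 'A-Z' 'a-z' | grep 'register_globals' | tail -n 1)
    if [ -z "$line" ]; then
        echo unset
        return
    fi
    # Everything after the directive name, with an optional '=', quotes and spaces removed.
    val=$(printf '%s\n' "$line" \
        | sed -e 's/.*register_globals[[:space:]]*=\{0,1\}[[:space:]]*//' -e "s/['\"]//g" \
        | tr -d '[:space:]')
    case $val in
        on|1|true|yes)        echo on ;;
        off|0|false|no|none)  echo off ;;
        *)                    echo unknown ;;
    esac
}

# register_globals_disabled FILE -> succeeds only when FILE explicitly turns it off
register_globals_disabled() {
    [ "$(register_globals_state "$1")" = off ]
}

# audit_php_config ROOT -> one line per php.ini / .htaccess under ROOT: "<state>\t<file>"
audit_php_config() {
    find "$1" -type f \( -name php.ini -o -name .htaccess \) 2>/dev/null | sort \
        | while IFS= read -r f; do
            printf '%s\t%s\n' "$(register_globals_state "$f")" "$f"
        done
}

# Usage: sh register_globals_audit.sh /home
if [ "$#" -eq 1 ]; then
    audit_php_config "$1"
fi
```

Lines reporting "on" are the accounts to fix; "unset" lines need the server-wide php.ini consulted, since a per-account file that says nothing inherits whatever the host configured. The weak and corrected forms differ by a single token (`php_flag register_globals on` versus `off`), which is why the check normalises the value rather than pattern-matching whole lines.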

Sean
12-27-2005, 12:51 PM
Users on 2.0.18 are not affected - this is targeting those forums still on versions around 2.0.10 at present.

This is according to PHPBB.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=348139

djlightspin
12-27-2005, 04:53 PM
I learned not to use phpbb the hard way and I suggest that you all don't.
It's not fun when a server starts sending hundreds of thousands of spam e-mails...

Also, that new version does not help at all...

SMF is the way to go :) (if you do not want to spend money for IPB etc...)

rmcb5
04-29-2006, 04:37 AM
so much hate

grabacontroller
12-25-2006, 09:39 PM
Is PHPBB still going to be banned? Has it gotten better in the past couple of months with the new version being released?

starfighter
12-25-2006, 09:52 PM
Considering its long track record of security problems, it's probably going to take a lot of convincing for Joe to think about allowing it again.

dbmasters
12-25-2006, 10:02 PM
I, for one, hope it never gets reinstated.

admin
12-25-2006, 11:26 PM
Is PHPBB still going to be banned? Has it gotten better in the past couple of months with the new version being released?


phpBB has not earned enough trust in my book to be re-instated yet.

For a while, Joomla/Mambo were having some pretty serious issues, but they've immediately cleaned up the issues and saved themselves from our blacklist because of their proactive support and programming. Until phpBB authors start releasing stable products that aren't exploited within days/hours of their release, I won't even consider it.

grabacontroller
12-29-2006, 07:45 PM
If you don't let people use phpbb, you're going to lose customers. A lot of people still use it, just like vbulletin and smf. Frankly, I like vbulletin and smf better, but I'd rather not lose customers because of it. Everything has security flaws, including vbulletin, but of course with a project like phpbb being so popular, it's out of their control it seems to me. Thank you for your time.

admin
12-29-2006, 08:10 PM
I'm aware of the fact that by prohibiting phpBB we aren't attracting every customer. However, I prefer to keep our servers secure and stable - being proactive rather than reactive. We've had this policy for 18 months; I don't see it changing anytime soon.

Joe

grabacontroller
12-29-2006, 08:29 PM
Are you allowed to buy hosting from a different provider and link to phpbb?

ryan
12-29-2006, 08:48 PM
You mean host your phpbb on another site and your main site here? Yes you can. Just no phpbb can be installed here.