PhpBB - Security

Security

In December 2004, a large number of Web sites were defaced by the Santy worm, which used vulnerabilities in outdated versions of phpBB2 to overwrite PHP and HTML pages. Although these incidents were the result of outdated versions of PHP and phpBB, they caused the security of phpBB to be questioned. There have also been a few occasions on which new releases of phpBB came out only days apart, although the last occurrence of this was in early 2005. The phpBB Team usually responds to security reports as soon as possible and releases a new version quickly. The phpBB Group, attempting to learn from previous failures, performed a codebase security audit before the release of 2.0.18. The phpBB3 codebase received an external security audit in September 2007, carried out by SektionEins, and the sixth release candidate of phpBB3 was published following the results of that audit.

Changes were made to phpBB2 to avoid problems in the future, such as a re-authentication system for the administration panel, backported from phpBB3. This was introduced after a cookie verification issue allowed attackers to gain administrator access.
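The re-authentication idea described above separates "logged in" from "allowed into the admin panel": a valid login cookie alone is not sufficient, the password must be entered again, and the resulting grant is short-lived. The following is an added example illustrating that pattern; it is not phpBB's own code, and the session layout, the `admin_grant` key, the 900-second lifetime and the decision to bind the grant to the current session id are assumptions made here for illustration.

```php
<?php
// Added illustrative code, not phpBB's implementation.
// A minimal admin-panel re-authentication gate: the ordinary login/session cookie
// establishes who the user is, but reaching admin functions additionally requires a
// fresh password check whose result is bound to this session and expires quickly.

const ADMIN_REAUTH_TTL = 900; // seconds; assumed value for this example

/** True if the session carries an admin grant that is bound to this session id and not expired. */
function admin_grant_valid(array $session, string $session_id, int $now): bool
{
    if (!isset($session['admin_grant'])) {
        return false;
    }
    $grant = $session['admin_grant'];
    // Session binding: a grant copied into another session is useless.
    // Expiry: an abandoned admin tab does not stay privileged indefinitely.
    return hash_equals($grant['sid'], $session_id) && $grant['expires'] > $now;
}

/** Verify the password again; on success attach a short-lived, session-bound admin grant. */
function admin_reauthenticate(array &$session, string $session_id, string $submitted, string $stored_hash, int $now): bool
{
    if (!password_verify($submitted, $stored_hash)) {
        return false;
    }
    $session['admin_grant'] = ['sid' => $session_id, 'expires' => $now + ADMIN_REAUTH_TTL];
    return true;
}

/** Gate to run on every admin-panel request: admin role is necessary but not sufficient. */
function admin_access_allowed(array $session, string $session_id, int $now): bool
{
    return !empty($session['is_admin']) && admin_grant_valid($session, $session_id, $now);
}

/** Constructed walkthrough of the gate; returns each step's outcome keyed by description. */
function demo(): array
{
    $hash    = password_hash('correct horse battery staple', PASSWORD_DEFAULT); // constructed credential
    $sid     = bin2hex(random_bytes(16));                                        // constructed session id
    $session = ['is_admin' => true];                                             // logged in, admin role
    $now     = time();

    $steps = [];
    $steps['cookie alone, before re-auth']   = admin_access_allowed($session, $sid, $now);
    $steps['re-auth with wrong password']    = admin_reauthenticate($session, $sid, 'wrong', $hash, $now);
    $steps['re-auth with correct password']  = admin_reauthenticate($session, $sid, 'correct horse battery staple', $hash, $now);
    $steps['after successful re-auth']       = admin_access_allowed($session, $sid, $now);
    $steps['same grant, different session']  = admin_access_allowed($session, 'other-session-id', $now);
    $steps['after the grant has expired']    = admin_access_allowed($session, $sid, $now + ADMIN_REAUTH_TTL + 1);
    return $steps;
}

foreach (demo() as $label => $allowed) {
    printf("%-35s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

The check that matters for the cookie-verification class of problem is the first one: holding a session that the board considers an administrator's does not open the admin panel until the password is re-entered. Binding the grant to the session id and expiring it are additional hardening choices assumed in this example, not something the text above attributes to phpBB.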

In November 2005, the phpBB Group announced a new Incident Investigation Team (IIT), a sub-team of their Support Team, which is responsible for assisting users in the cleanup and repair of an attacked phpBB installation and investigating reports of new exploits. The team announced a tracker the following January where administrators of attacked bulletin boards could report an attack and receive support from the IIT.

The CAPTCHA system in phpBB2 has proven vulnerable to automated registrations, with numerous phpBB-based forums being swamped by forum spam. phpBB3 has improved the anti-spam options available to forum administrators, including a new CAPTCHA system, suspensions, user logging and various other features. The phpBB team has published recommendations on protecting boards from spam. Currently the best method is to use a Q&A (question-answer) challenge, which was introduced in phpBB 3.0.6. phpBB3 has a much stronger CAPTCHA system; however, during the phpBB3 development/beta phase it was frequently criticised for being difficult to read, and the development team worked on improving its readability prior to phpBB3's final release.

Additionally, the teams have announced that each minor release of phpBB3 (3.0.1, 3.0.2, etc.) will be preceded by individual release candidates in an effort to prevent instances where subsequent releases would be only days apart (as happened a couple of times during the 2.0.x line).
