Post #1 by Kayla (Surpass Staff), July 3rd, 2005, 8:31 PM
Upgrade Required : phpBB 2.0.17

Forum Thread:
Upgrade Required : phpBB 2.0.16

Discussion Thread:
phpBB 2.0.16 Released

Spammers can use outdated phpBB installs to send out their scams. It causes unnecessary mail problems and blacklisting issues. Most of you may be familiar with either of those problems, or both. Besides the spamming issues, there are other types of exploits that can allow outsiders to launch attacks against other servers, among other wrongdoings. This is all certainly negative and unfair for everyone on our servers.

There are many, many outdated versions of phpBB across our network and they are being disabled.

This is the thread regarding the latest version on the phpBB Forum Community
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011

If we can get everyone who uses phpBB at Surpass to upgrade to the latest version at least, it will be better than the point we are at now. At the present time there are scattered versions on all servers, some not even in use. Sometimes phpBB is installed just to test it out (like many other programs), then it sits in waiting on the server as spam bait. We hope this notice gets to everyone and gets the word out about this problem. If everyone who needs to use this program can keep it up to date, then we can continue to allow it on our servers despite the problems that it has a potential to cause. The key to preventing problems is education. That is why it is so important that we bring together our hosting community to our forum so that we can all easily read about current issues and ask any questions.
Post #2 by Kayla (Surpass Staff), July 18th, 2005, 6:14 AM
So far there are not many issues with the clean-up operation. Since we've done this on a few servers so far, the servers seem to be having fewer issues, but more on those effects later.

I was doing research tonight on how 2.0.11 fixed a critical issue with highlighting that resulted in the Santy worm, and how 2.0.16 fixes a similar "critical" issue with highlighting again ... I found this article below to be interesting while explaining that topic as well.


Quote:
Some web hosts are banning the use of phpBB in the wake of persistent security problems for the popular open source web forum program. The move follows renewed attacks on phpBB after a coding error was found in the same file targeted by a December worm attack that defaced thousands of phpBB sites. "It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB," said a message from the phpBB development team. "This is unfortunate for everyone and seems largely to be based on FUD (Ed. fear, uncertainty and doubt). While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly."

Web hosts are less impressed. One host that has banned the software said phpBB had been its biggest security headache. "Since January, phpBB has been through at least 4, and maybe 5 revisions due to serious vulnerabilities, often found/reported within HOURS of a version release," HostPC said in its customer advisory.

The latest security incident involves a security flaw in a file called viewtopic.php, which was attacked by the Santy worm. UPDATE: Our initial report suggested the security hole in phpBB 2.0.15 was the same flaw found in version 2.0.11 and targeted by the Santy worm. The latest flaw is actually in a different section of the viewtopic.php code, according to Ashley Pinner of the phpBB support team. A fix is included in a new update of phpBB, which has had persistent security problems in recent months. phpBB is among the web's most popular bulletin board programs, with more than 194,000 registered members of its user forum.

Posted by Rich Miller at July 8, 2005 11:40 AM
http://news.netcraft.com/archives/20...s_persist.html
Post #3 by Traill, July 29th, 2005, 5:02 PM
I've just updated my board to 2.0.17, hadn't done it before but just downloaded the "changed files" from phpbb and uploaded them, plus ran the update_to_latest.php and it's all fine! Definitely worth doing, the last thing I want is problems with my board just because I couldn't be bothered to upgrade it, so I'm happy
__________________
Server: SH72
Website: Judge Jules Tracklistings Archive
Post #4 by Kayla (Surpass Staff), October 25th, 2005, 1:21 PM
Due to a huge increase in phpBB worm activity during the past few days on our network, we have been forced to do another mass disablement of old versions of phpBB. This was done last night. Our abuse department is being flooded with complaints that our servers are spreading the Santy worm. The last time we ran our script to disable older phpBB installations, we did not go through all of the servers; this time we have done all of them. The problem has been too intense. Servers are being attacked and having many problems, even as I type this now.

You are required at this time to update your phpBB to the latest version.

http://www.phpbb.com/downloads.php

The disablement 1) changes the files to root ownership and 2) disallows the phpBB directory from being accessed. This is so that the hundreds and hundreds of phpBB installations that have not been modified or used (for years even) can be released from their current bait status.

We really had no choice in changing ownership, or many users would lift the permissions on the directory so it could be viewed again, and not cooperate with the upgrades. This is a very serious matter and cannot be ignored. It is especially difficult on our end to deal with and make decisions for. We don't want to force anyone to do a software upgrade, but in this case we really have no other way around these issues.

You will need to email support if you are actively using an outdated phpBB so that your permissions can be reverted back to your own.

We thank you immensely for your cooperation, patience and understanding in this.
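The disablement described in post #4 (root ownership plus denied directory access), sketched as an added example that is not Surpass's script or part of the thread. It assumes a phpBB 2.x directory can be recognised by marker files and selects installs by file age rather than by version; the function names, the 365-day default and the `APPLY` switch are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: inventory abandoned phpBB 2.x directories and disable them.
# Marker files, threshold and APPLY switch are assumptions, not Surpass's script.

# Treat a directory as a phpBB 2.x install when these files are present.
is_phpbb_dir() {
    [ -f "$1/viewtopic.php" ] && [ -f "$1/common.php" ] && [ -d "$1/includes" ]
}

# Print each phpBB directory under $1 with no file modified in the last $2 days.
find_stale_phpbb() {
    local root="$1" days="$2" f dir recent
    find "$root" -type f -name viewtopic.php 2>/dev/null |
    while IFS= read -r f; do
        dir=$(dirname "$f")
        is_phpbb_dir "$dir" || continue
        recent=$(find "$dir" -type f -mtime "-$days" | head -n 1)
        if [ -z "$recent" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Disable one install as the post describes: root ownership, no directory access.
# Dry run by default; APPLY=1 performs the change and must be run as root.
disable_phpbb() {
    local dir="$1"
    if [ "${APPLY:-0}" = 1 ]; then
        chown -R root:root "$dir" && chmod 000 "$dir"
    else
        printf 'would run: chown -R root:root %s && chmod 000 %s\n' "$dir" "$dir"
    fi
}

# Usage: script.sh HOSTING_ROOT [DAYS]   (both values are placeholders)
if [ "$#" -ge 1 ]; then
    find_stale_phpbb "$1" "${2:-365}" | while IFS= read -r d; do
        disable_phpbb "$d"
    done
fi
```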
Post #5 by David, November 2nd, 2005, 5:08 PM
2.0.18 has been released
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756
__________________
Quote:
Originally Posted by removed View Post
Internet Explorer rules.
Post #6 by cnb10, February 8th, 2006, 10:44 PM
question relative to postnuke

Does this security threat also exist within the current postnuke mod of phpbb, i.e., pnphpbb2 v1.2g? I want to know if it would be OK to install this with all related patches.

Craig
Post #7 by wildrice, March 4th, 2006, 3:04 AM
I've got the newest version 2.0.19... must I still worry? I chmodded several files as well. I think I should be safe, don't ya think, Kayla?
__________________
Kayla has true class.


Post #8 by David, March 5th, 2006, 12:59 AM
Quote:
Originally Posted by cnb10
Does this security threat also exist within the current postnuke mod of phpbb, i.e., pnphpbb2 v1.2g? I want to know if it would be OK to install this with all related patches.

Craig
This is a question for the postnuke developers or the developers of the mod itself. However, nuke has enough exploits to deal with it seems.
Post #9 by David, March 5th, 2006, 12:59 AM
Quote:
Originally Posted by wildrice
I've got the newest version 2.0.19... must I still worry? I chmodded several files as well. I think I should be safe, don't ya think, Kayla?
You worry too much as it is.