  1. #1
    Regular Coder Crake's Avatar
    Join Date
    Dec 2004
    Location
    Loose, Maidstone, KENT
    Posts
    577
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Anyone know about phpBB?

    Everyone, phpbb.com has been hacked by a group of hackers. phpBB are trying to find out who; if anyone has news then contact them!
    SteveO

  • #2
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,084
    Thanks
    11
    Thanked 100 Times in 98 Posts
    http://news.netcraft.com/archives/20...ocked_out.html


    I read this this morning, but jeez, I only just stopped laughing and got back on my chair.

    Why is it funny? (At least to me.) Well, the phpBB team put out a lot of misleading information about the true cause of their recent vulnerability, which potentially compromised thousands of domains; they blamed someone else, e.g. PHP.

    Irony bites, and it's gonna sting for a while.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    So are you saying it wasn't an awstats vulnerability?
    Omnis mico antequam dominus Spookster!

  • #4
    cfc
    Regular Coder
    Join Date
    Dec 2004
    Location
    Keswick, Ontario
    Posts
    251
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I think he might have been referring to this: (I got the reference from that article)

    http://news.netcraft.com/archives/20...passwords.html

    While the problem on that occasion was technically a PHP exploit (assuming the article isn't based entirely on misinformation spread by phpBB), it was IMO really phpBB's responsibility to code for security in the first place.

  • #5
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    Ahh I see. That is funny how they just blame php.

  • #6
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Doesn't really inspire one to want to use phpBB really ... that's the second major vulnerability in as many months ...

    I think I'm gonna write my own - if I do it without databases or GET information, I'll avoid most of the major weak points, right?
    Last edited by brothercake; 02-10-2005 at 01:31 AM.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

  • #7
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    Well then how will you store the information? Flat files ala Ubb? Knowing you it'd be some sort of xml file cluster or something.
    I was just thinking that perhaps I'd write one soon. I've done it before, I remember I wrote a pretty good one back when I used ASP. It had a good following from these forums but I never released it, it worked on flat files and database. I think someone needs to topple vb off their throne.

    [edit:] But I really see no point to avoiding database and Get. At least using Get you can secure that from sql injection and stuff.

  • #8
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,084
    Thanks
    11
    Thanked 100 Times in 98 Posts
    Quote Originally Posted by brothercake
    if I do it without databases or GET information, I'll avoid most of the major weak points, right?
    No, you can write insecure code with or without a database; it's not the database or protocol that's insecure, or in general PHP (or any other server-side language), though vulnerabilities will appear from time to time.

    It's down to simple secure coding practices; we all write daft code from time to time. Collaborative efforts usually produce more secure code, since your peers are working with it and hopefully spot major issues.

    As seen with phpBB, that's not always bulletproof.

  • #9
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,084
    Thanks
    11
    Thanked 100 Times in 98 Posts
    + I know I have pointed you this way before ... but perhaps look again at FUDforum; it's written by one of the major PHP developers, and whilst unusual (it uses a mixture of DB and flat files) I really like it.

  • #10
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    XML was my plan yeah ... 1 file per thread, plus a bunch of index and admin files. I've already written the scripting for a single comments board, so if I build it up and release it over time, it will be continually phase tested, so most problems will turn up that way.

    I know security is never guaranteed with anything, but not being a popular board gives a statistical advantage: less likely to be attacked if fewer people are using the software. At first, anyway.

    Customising phpBB to be compliant and semantic XHTML took soooo much time, I'm just not prepared to go through all that again, unless it's a really interesting project, which making a new one would be. And I could make sure from the start that the output is robust and proper.

    Sorry this is a bit OT .. maybe it needs splitting into a different thread if there's more to say ..?
    Last edited by brothercake; 02-11-2005 at 12:41 PM.

  • #11
    Senior Coder
    Join Date
    Jun 2002
    Location
    The Netherlands, Baarn, Ut.
    Posts
    4,252
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Interesting subject matter

    ... if there's more to say...
    Er... yeah!
    For instance, how does processing flat files hold up against using a database, performance-wise?
    I'm accustomed, due to my mainframe background, to flat file processing beating any other form of storage speed-wise with its hands tied behind its back, but I have no experience with PHP flat file processing in a server environment.
    Regards,
    Ronald.
    ronaldvanderwijden.com

  • #12
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It's probably slower, but not hugely - I should think it mostly depends on the size of the files. If each thread is a single XML file, then most threads are not gonna be more than 30 or 40K - except for really long ones. I generally go by 100K being the limit for XML or textfile parsing in PHP, beyond which it gets too slow.

    But I'm only speaking from subjective observation here - I couldn't say with any authority .. I wouldn't mind knowing myself
    Last edited by brothercake; 02-12-2005 at 03:44 AM.

  • #13
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    Well the only sure fire way is to test it and find out.

  • #14
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,084
    Thanks
    11
    Thanked 100 Times in 98 Posts
    You are spot on about the filesize issue; parsing larger files (100 KB+) in PHP is not really that efficient (as opposed to Perl or standard Unix tools etc.).

    The major issue with flatfile `anythings` is searching them or querying them; that's where the database comes into its own. E.g. you want to display the last $num posts by $user in this $forum, or change the display order quickly; that's where a relational DB comes in handy (yes, you can keep XML files with that data and query them, but it is too slow; even loading the file for searching is probably slower than the DB query).

    So the ideal system would store posts (either individually or per thread) as flat files (XHTML is good, since then you save the parsing on redisplay) but administer them in a DB for faster reference.

    FUD sort of does this, BUT it stores the messages in 1 big flatfile, which is not as inefficient as it sounds, since for reading it uses fseek etc. to read only the data it requires.
    This solves the issue with fopen()-ing or include()-ing, say, 20 XML files for display .. since fopen is the slow bit of the process, the FUD system works with 1 file pointer only.
    Of course 1 big file could be a nightmare to administer for topic edits and pruning etc.

    I (as you have probably worked out) really like the general FUD architecture.
    However it does have many issues and is an absolute pain in the butt to try and hack; the permissions system is great but far too complex, and the whole permissions/authentication is mind-bogglingly complex both in design and implementation.

    Brothercake, if you ever feel like a collaborative project .. best of both worlds etc. .. drop me a line.
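The store firepages sketches above (one big flat file read back with fseek, administered in a relational DB), combined with the "simple secure coding practices" point from post #8, as an added example that is neither FUD nor phpBB code. It assumes a hypothetical `PostStore` class using SQLite for the index; the parameterised queries show why a GET parameter is no more dangerous than any other input once it never reaches the SQL text.

```python
import os
import sqlite3
import tempfile

# Added example, not code from FUDforum or phpBB. Post bodies are appended to one
# flat file and read back with seek() on a single handle; a relational index holds
# (forum, user, offset, length) so "the last $num posts by $user in $forum" is a
# DB query rather than a scan of the flat file. Class and table names are hypothetical.
class PostStore:
    def __init__(self, flatfile_path, db_path=":memory:"):
        self.flatfile_path = flatfile_path
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS posts ("
                        "id INTEGER PRIMARY KEY, forum TEXT, user TEXT, "
                        "offset INTEGER, length INTEGER)")
        open(flatfile_path, "ab").close()  # make sure the flat file exists

    def add_post(self, forum, user, body):
        data = body.encode("utf-8")
        with open(self.flatfile_path, "ab") as fh:
            fh.seek(0, os.SEEK_END)
            offset = fh.tell()
            fh.write(data)
        # Parameterised statement: user-supplied values are bound, never spliced
        # into the SQL text, whether they arrived via GET, POST or anywhere else.
        cur = self.db.execute(
            "INSERT INTO posts (forum, user, offset, length) VALUES (?, ?, ?, ?)",
            (forum, user, offset, len(data)))
        self.db.commit()
        return cur.lastrowid

    def last_posts_by(self, forum, user, num):
        rows = self.db.execute(
            "SELECT offset, length FROM posts WHERE forum = ? AND user = ? "
            "ORDER BY id DESC LIMIT ?", (forum, user, num)).fetchall()
        bodies = []
        with open(self.flatfile_path, "rb") as fh:  # one file pointer for every read
            for offset, length in rows:
                fh.seek(offset)
                bodies.append(fh.read(length).decode("utf-8"))
        return bodies

def demo():
    # Constructed sample data; bodies are quotes from this thread.
    store = PostStore(os.path.join(tempfile.mkdtemp(), "messages.dat"))
    store.add_post("php", "brothercake", "XML was my plan yeah")
    store.add_post("php", "firepages", "FUD sort of does this")
    store.add_post("php", "brothercake", "it's time to rock and/or roll")
    return {"brothercake": store.last_posts_by("php", "brothercake", 2),
            "hostile": store.last_posts_by("php", "nobody' OR '1'='1", 5)}

if __name__ == "__main__":
    print(demo())
```

The "hostile" lookup returns nothing because the bound value is compared as a literal user name, not interpreted as SQL.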

  • #15
    Senior Coder
    Join Date
    Jun 2002
    Location
    near Oswestry
    Posts
    4,508
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by firepages
    Brothercake, if you ever feel like a collaborative project .. best of both worlds etc. .. drop me a line.
    Oh yes indeedy, I've mentally committed myself to doing this now ... it's time to rock and/or roll.

    Lemme research and play with some ideas for a bit, and I'll be in touch
