phpBB Security

December 26, 2004

Here are some good tips about phpBB security. phpBB is one of the best forum packages around: it is completely free, open source, has tons of built-in features, even more available as mods, and has a thriving community supporting the product. However, such ubiquity creates other challenges, particularly in terms of public scrutiny and hacking attempts. This recent thread gives an idea of what can happen if you don't keep your forum installation secure and up to date.

But security is not just protecting your forum against specific hacks; it is also reducing or eliminating other menaces, not just to the software but also to the personal data and information contained within, as well as the integrity of your community and member list. Problems include email address harvesting, automated signups, dropping links, member list abuses and other such annoyances which take up valuable moderator and admin time.

So, what are the most important steps you should be taking as a forum administrator when securing your installation? Here are a few ideas:

1. Installation security

1.1 Keeping informed

The first important step to take is to make sure your installation is fully patched and up to date at all times. To do this, you need to subscribe to the appropriate phpBB mailing lists, as well as monitor the site and the phpBB Sourceforge page. Currently, although there is a "phpbb-announce" mailing list at Sourceforge, it is unused by the developers, which is very unfortunate. The current recommended way of getting notifications of new releases is to use the "Monitoring" feature at Sourceforge. According to the site, the notification process is going to be improved in the near future, which will be a very good thing, as the current method is clearly insufficient.

1.2 Installing the updates

The phpBB documentation is excellent in this regard, so there is very little to add. There are always three different versions available for each update: Full Version, Changed Files Only and a patch file. The names are self-explanatory, but make sure you fully read and understand the documentation before you go ahead. The patch file is the most powerful of the three, especially if you have a heavily-modified board, but you will need command-line access to your server as well as some knowledge of using Unix commands.

The key to a successful update is documentation. When you modify your board, it is vital to document every change you make, however minor. That way, when it comes to update time, if you have to rebuild your board from scratch by reapplying the mods to the basic board, you will be able to do so much more easily.

2. Mods

2.1 Choosing the right mods

Choosing mods from unreliable sources, or using untested or unverified mods, can be dangerous: unless you are an expert in PHP you can't be sure of their reliability or security, or even whether there are backdoors intentionally inserted by the mod developers. Unless you are sure of the source or you really know what you are doing, you should stick to the mods listed in the mod database, in particular those mods which have been reviewed and approved by the phpBB security team. Bear in mind that even approved mods might still contain security holes, and these are not patched within the main release, so make sure you regularly check the database for new versions of the mods you use and, if possible, sign up to the mod developer's mailing list if they have one.

2.2 Don't over-modify

Every mod you add to your basic installation makes the update process more complex. So, along with choosing your mods carefully, only use mods that you need rather than adding everything including the kitchen sink.

I should also mention style templates: usually, style templates don't pose a security risk in themselves (although there are a lot of pre-built templates which are of poor quality, with broken markup and incorrect image paths). However, the more templates you have, the longer it takes to do an update: it is a pain to manually alter a dozen template files with every update. Stick to the minimum number you feel is required for your board.

3. Modifications you can make

There are some changes you can make to your phpBB installation to better secure it against attack by spambots, automated signups, etc. This is not a comprehensive list.

3.1 CAPTCHA image verification

phpBB version 2.0.11 onwards includes the CAPTCHA image verification system, which requires a new member to enter a set of letters and numbers from a generated image before being able to sign up. Switch it on in the Admin Control Panel under the Configuration menu (thanks to androidtech for the reminder). If, and only if, you have a significant membership comprising the visually disabled, there are mods available to slightly alter the signup process enough to fool most bots. This will kill automated signups stone dead. You will still have the problem of manual spam signups, but we're getting to that... ;)

3.2 memberlist.php

The standard phpBB installation includes a file called "memberlist.php" which (guess what!) provides a full list of the members of the board. By default, this is readable by all (not just members). The presence of this page is one of the big motivators for spam signups: the page is a great way for the unscrupulous to get a load of backlinks to their site(s) via the link in the member profile which is displayed on this page. Often, the signups will use names starting with exclamation marks so as to get on the first page of the list. Rather than modifying or hiding this page, I propose simply getting rid of it altogether.

Once you have more than about 50 members, the page is unusable by real visitors: it is just too inefficient for finding information. On a busy board, it is a total waste of bandwidth, and only serves as spam-bait. What's more, your member list is precious information: why give it away to anyone? Your real users can still get all the information they want about another user by viewing that member's profile via the link next to one of their posts. Of course, if anyone signs up and doesn't post, their profile is unlinked, so even if they have put a link to their site in their profile, it is not visible.

Here's how to get rid of it simply:

1. Install the "User List" mod from the phpBB mod database. This will give the forum administrators a full member list within the admin control panel for easy maintenance.
2. Edit the template file overall_header.tpl and remove the link and image for the member list.
3. Delete memberlist.php from your server, burn all copies, ban it in robots.txt and, if you are feeling so inclined, replace it with a spider trap. If for some unfathomable reason you are getting referrals directly to your memberlist.php page from the SEs, then redirect it to a more appropriate page, or the forum index.

3.3 Basic settings

The following modifications don't directly affect the real, direct security of the forum, but will help the admins as well as the users.

# Disallow all HTML at all times. No exceptions, ever.
# Disallow remote avatars.
# Require user email address verification before being able to sign in.
# Edit overall_footer.tpl and remove the version number (as suggested by webwit). Make sure, however, that you always fully respect the license requirements for the software by leaving at least the minimum required link to the phpBB site: it's a minuscule price to pay for the forum software and it is respectful to the developers. The version number will still display at the foot of the pages in the admin control panel.
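Step 3 of the memberlist.php procedure carried through in Apache configuration, as an added example that is not part of the original post: a .htaccess fragment for a board served from the web root (an assumption; adjust the redirect target if phpBB lives in a subdirectory) which answers requests for the deleted memberlist.php with 410 Gone, while people clicking through from a search-engine result page are sent to the forum index instead.

```apache
# Constructed example for a phpBB 2.0.x board served from the web root.
# Needs mod_rewrite and "AllowOverride FileInfo" (or All) for this directory.
RewriteEngine On

# A visitor arriving from a search-engine result page is sent to the forum
# index rather than shown an error. This matches only when the Referer
# header names one of the listed engines; extend the list to suit your board.
# (Referer is client-supplied, so treat this purely as a usability measure.)
RewriteCond %{HTTP_REFERER} ^https?://([a-z0-9-]+\.)*(google|yahoo|msn)\. [NC]
RewriteRule ^memberlist\.php$ /index.php [R=302,L]

# Everybody else, crawlers included, gets 410 Gone: unlike 404, that tells
# search engines the page is deliberately gone and to drop it from the index.
RewriteRule ^memberlist\.php$ - [G,L]
```

Pair this with `Disallow: /memberlist.php` under `User-agent: *` in robots.txt, as step 3 says, so well-behaved crawlers stop requesting the URL at all.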
3.4 Editing templates

You should edit the style templates to reduce the information displayed by default when a user is not logged in to the system. You should make the following available only to those who are logged in:

1. Members currently online
2. Newest member
3. Search
4. All member avatars and signatures
5. All member profiles

On my board, the only header links are for the FAQ, Register and Login.

Using some of the SEO mods not only greatly improves usability (as well as spiderability); they can help in other ways too. On new boards (i.e. boards which have not been indexed yet), you should look at using mod_rewrite to change the default file names. Why? Want a good list of phpBB forums on which to try out your 7337 haxor skills? Do a Google search for "viewtopic.php".

4. Conclusion

This list is primarily aimed at phpBB users, but much of it applies to users of other boards too. The basic rules are: keep things updated, keep things simple, put up barriers to spamming and hacking attempts, and reduce the level of interest in your board for anyone other than your intended audience. As I said, these are simply a few ideas. What would you add to the list?