Why you need to upgrade phpBB to version 3.2

A lot of forum owners are procrastinators. The current version of phpBB (as of this writing) is phpBB 3.2.3. If you are not on phpBB 3.2, you should upgrade. Why?

Because in two months the group that manages the PHP programming language (which phpBB is written in) will stop supporting versions of PHP 5 with security fixes. This means after January 2019 you may be vulnerable to new exploits found in PHP 5, used by phpBB 3.1 and earlier versions.

It’s understandable why you might not want to upgrade your forum from your current version, generally phpBB 3.0 or 3.1. As most of my work is upgrading forums I see all the time why forum owners drag their feet. Reasons include:

  • Their forum has lots of mods and custom changes made over the years. With modifications not supported in phpBB 3.1 and higher, they have to figure out how to move forward. Many modifications do not have the equivalent available as extensions. So they either have to give up the functionality of the mod (which often makes forum users unhappy) or just procrastinate as long as possible. Procrastination is the easier approach.
  • Their forum has a style with lots of changes. Perhaps a logo has been integrated that is nonstandard, or they’ve made major changes to the templates and the stylesheets. Lots of styles haven’t been migrated to phpBB 3.2 either, so this is another issue they will have to deal with if they upgrade.
  • They know just enough PHP to be dangerous, so they’ve tweaked the code here and there to do special things. That would go away with an upgrade, or at least the cost of making changes to the base code gets more expensive. It’s heavily discouraged and makes upgrading or updating phpBB a pain, because you often have to reapply these changes. Custom changes can be done by writing a custom extension, but it’s a complicated thing to do. You need to be a very experienced PHP programmer to write an extension, and heavily study phpBB’s architecture and coding requirements.
  • Having someone like me upgrade your forum costs money.

Now that push has come to shove though, unless you are willing to bear the security risks, it’s time to finally make the upgrade. phpBB 3.1 users are not off the hook either, because this version of phpBB does not support PHP 7, the latest major version of PHP. I helped a client migrate their forum just yesterday to PHP 7. PHP 7 was installed on their new server. Certain things stopped working or created PHP notices.

Note that versions of PHP before 5.6 already receive no security patches. So if you are using an earlier version of PHP like PHP 5.2 (popular for phpBB 3.0 and 2.0) or PHP 5.3, 5.4 or 5.5, you are already at risk. You really can’t upgrade to PHP 7.0 as you will experience errors. Some phpBB 2.0 and 3.0 users have issues running PHP 5.6.

So now may be the time to take the plunge. Of course I can help you in this process. You may want to read my upgrade page. In addition to running the latest version of phpBB, I think you will find that once you are there it is worth the hassle. The extensions architecture of phpBB 3.1 and higher is very nice, almost as nice as using WordPress plugins. The themes are responsive, so they look great on mobile devices. In addition, PHP 7 is about 50% faster than PHP 5, which is another great incentive to upgrade, particularly if you have performance issues with your forum.

You can send me a query if you want to discuss upgrading your forum.

ModSecurity can cause problems with phpBB

If you are noticing weird errors on your phpBB forum which otherwise has been running well for years, ModSecurity may be causing them. I’ve been noticing a lot of issues with phpBB forums lately that have ModSecurity as the root cause.

What is ModSecurity?

It’s a wholly open source web application firewall. As its name implies, its job is to tighten up the security of a web server. Web servers are prominent targets for hackers, of course. ModSecurity was originally written as a module for the Apache web server. It has lots of functions, but its main job is to prevent hackers from damaging web servers and the websites that reside on them. Started in 2002 for Apache, it now serves all principal web servers on the web, including NGINX and IIS.

How does ModSecurity cause problems with phpBB?

It appears that ModSecurity and phpBB don’t get along very well. These problems may be occurring because the web host added it or turned it on for you and didn’t tell you. ModSecurity can generate various application errors causing the behavior of phpBB to change. In one recent example, when a client tried to click on the Administration Control Panel link, he was redirected to his website homepage instead. Disabling ModSecurity solved his problem.

Here are some other symptoms caused by ModSecurity intercepting and redirecting web traffic that my clients experienced recently:

  • In phpBB 3.2, the Viglink and share forum statistics screen comes up in the Administration Control Panel by default after you update to that version. There are checkboxes on it that you can uncheck. In this case, unchecking these and submitting the form generated an unfriendly error message: “Unused” and reported an internal error. This made it impossible to get to the General tab and do things like purge the cache.
  • A forum would not come up at all. Only a white screen appeared. Disabling ModSecurity solved the problem. Note: other issues can cause this, including malware or syntax errors introduced into your forum’s phpBB code.
  • In phpBB’s /cache/production folder, files are created by phpBB with an “autoload_” prefix. These were getting deleted outside of phpBB, triggering PHP warnings. Turning off ModSecurity caused the problem to go away (after purging the cache).

How do I know if I am using ModSecurity?

Go to Administration Control Panel > PHP Information. If your web server is Apache, search for “apache2handler” and look at the loaded modules. Scan for “mod_security” or “mod_security2”. If it’s there, it’s enabled. If you can view your web server error log, scan it for “mod_security”. If you find it, it’s enabled. You can also ask your web host if they have it enabled for your site.
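One way to do the error log scan described above, as an added example that is not part of the original post: a Python script that picks out ModSecurity entries for forum URLs and tallies which rule fired where, and whether the request was blocked or only logged. The log lines are constructed samples modelled on ModSecurity 2.x entries in an Apache error log; the /forum/ path, rule IDs, hostnames and messages are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on ModSecurity 2.x Apache error-log entries.
# IPs, rule IDs, messages and the /forum/ path are made up for illustration.
SAMPLE_LOG = """\
[Wed Nov 14 10:12:01 2018] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:message. [id "900101"] [msg "Constructed SQLi rule"] [uri "/forum/posting.php"]
[Wed Nov 14 10:13:40 2018] [:error] [client 203.0.113.5] ModSecurity: Access denied with redirection to http://example.org/ using status 302 (phase 2). [id "900202"] [msg "Constructed admin-path rule"] [uri "/forum/adm/index.php"]
[Wed Nov 14 10:14:02 2018] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 1). [id "900303"] [msg "Constructed login rule"] [uri "/blog/wp-login.php"]
[Wed Nov 14 10:15:10 2018] [php7:notice] [client 203.0.113.5] PHP Notice: Undefined index in /var/www/forum/viewtopic.php
[Wed Nov 14 10:16:55 2018] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:message. [id "900101"] [msg "Constructed SQLi rule"] [uri "/forum/posting.php"]
[Wed Nov 14 10:18:30 2018] [:error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "union" at ARGS:keywords. [id "900404"] [msg "Constructed search rule"] [uri "/forum/ucp.php"]
"""

# Match both the 2.x "ModSecurity:" prefix and the older "mod_security" spelling.
MODSEC = re.compile(r"ModSecurity:|mod_security", re.I)
FIELD = re.compile(r'\[(id|uri|msg) "([^"]*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity log entry, or None for any other line."""
    if not MODSEC.search(line):
        return None
    entry = dict(FIELD.findall(line))
    # "Access denied" means the request was stopped; "Warning." is log-only.
    entry["blocked"] = "Access denied" in line
    return entry

def forum_hits(log_text, prefix="/forum/"):
    """Tally (rule id, uri, blocked) for ModSecurity entries under the forum path."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.get("uri", "").startswith(prefix):
            hits[(entry.get("id", "?"), entry["uri"], entry["blocked"])] += 1
    return hits

if __name__ == "__main__":
    for (rule_id, uri, blocked), count in forum_hits(SAMPLE_LOG).most_common():
        action = "blocked" if blocked else "logged only"
        print(f"rule {rule_id}  {uri}  {action}  x{count}")
```

A short list of rule IDs that fire only on forum URLs is also something concrete to hand to your web host when asking about ModSecurity.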

Is it safe to disable ModSecurity?

Perhaps not, but you may not be able to have anyone access your forum unless you disable it. Most likely ModSecurity’s rules are not optimally written to accommodate phpBB forums.

Can I disable ModSecurity just inside my forum and leave it enabled on the rest of my website?

Perhaps. Try adding this to the top or bottom of your forum’s .htaccess file. If the problem goes away, you are done! (The IIS web server does not use the .htaccess file.)

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

How do I turn off ModSecurity for my domain?

Look in your web host control panel. If there is a security section, there may be a feature there to enable or disable ModSecurity. Disable it if you can find it. You may have to ask your web host.