As the title already says, this blog post will describe how the MOD Team validates modifications and what happens to them before they come out at the other end of the queue.
Blog
Posts Tagged ‘MODs’
How (not) to use request_var
Note: This post is targeted at MOD authors and contains many technical details.
Introduction
Amongst the great security features that phpBB 3.0 provides is the function used for processing user input, request_var. This function was designed to make it easy to securely retrieve user inputted data. It is one of the most important security functions in a system that retrieves external data as it can (with caveats that will be elaborated upon) single-handedly stop XSS and SQL injection attacks dead in their tracks
The reason we have created this blog post is to give more information to modification developers on how to properly explain how this works and why you should use it.
3.0.6 CAPTCHA plugins and you
You probably have already heard about it: the next release will include a host of new features. This post will present one of them in detail, showing the idea and the impact on users, style and MOD authors.
Most admins are experiencing problems with spam, which is taking away lots of energy that would be better spent on the enjoyable parts of administrating a community. We tried our best in the arms race against spambot programmers, but have to admit failure with our previous approach. Since 3.0.x became as popular as it is, any default visual confirmation gets broken almost instantly. After long discussion in and outside the teams, we came to the conclusion that diversity is the answer: every board admin should be able to use a non-default anti-bot measure without it being a pain. Read the rest of this entry »
Guest Post: Starting your own MOD by A_O_C
MOD requests are common with each version of phpBB. Every user wants something different to make their board unique. The problem, however, is that there are more users than MOD Authors. However, with an understanding of PHP and phpBB, you can create your own!
Fighting CSRF
Cross-Site-Request-Forgery, short CSRF, is a type of vulnerabilities that gets more and more attention. The concept can be translated as “tricking the browser into automatically performing some action using the user’s privileges”. Let’s see what phpBB does about it.
CAPTCHAs in phpBB
This post no longer reflects the state of the art. See here .
CAPTCHAs – “Completely Automated Public Turing test to tell Computers and Humans Apart”s – are known as the foremost means to stop registrations by SPAM programs, so-called “Bots”. In phpBB, a visual confirmation CAPTCHA is used.
The key here is the “Completely Automated” part, meaning that the software – phpBB – creates the question and the correct answer without interaction by a user. This has the drawback that computers are usually able to find the answer as well, given time to adjust. This is an active field in research. In the end it is an arms race. A new CAPTCHA will usually buy a few months of peace, before the major Bot vendors adjust their products.
This article is about presenting some reasons behind our CAPTCHAs; it is not intended to be a case for or against CAPTCHAs in general or particular. It is not about other means to combat SPAM, but only about CAPTCHAs.
MOD author feedback, and how we handle it
The MOD team always gets a lot of questions, feedback and more from MOD authors. This is mostly after a persons MOD was denied for a certain reason, we change something, or just about one of the policies we have.
We get a lot of questions from them if we do anything with the feedback, or if we actually listen to it, I want to explain here how we handle this kind of feedback.