Archive for February, 2009

Talkin bout Area51

Posted by battye in Development with the tags , , , , on February 25th, 2009

No! I’m not talking about military bases or U.S. conspiracy theories, but rather phpBB’s very own Area51 –

Area51 is phpBB’s official testing ground, and as stated on the site it is the home of “bleeding edge developmental code”. The site was established in 2001 – the brainchild of psoTFX, the former leader of the development team, in order to have a local installation of phpBB that they could test in a real life situation. With the main forum obviously out of the question, can be used so that the developers can see how the latest code is holding up with many concurrent users online, without fear of users becoming annoyed if certain features aren’t working (which I will touch on in a minute).

Area51 boasts the unique feat of hardly changing at all and always changing at the same time.

Read the rest of this entry »

Tutorial: Injection Vulnerability Prevention

Posted by TerraFrost in Development, Modifications with the tags , , on February 12th, 2009

Some websites have claimed this article discloses an “injection vulnerability” in phpBB. It does not. What this post actually does is provide an overview of vulnerabilities commonly introduced by third-party modifications to phpBB and discusses what the authors of said modifications need to do to protect their code against attack.

Despite being among the easiest of vulnerabilities to understand, injection vulnerabilities are also among the most common. For most users, they will simply manifest themselves as an error when select characters are used, but a sufficiently adept user may be able to take that error and exploit it to their advantage.

To prevent this from happening, one needs to properly sanitize all user definable variables. Unfortunately, the way one properly sanitizes a variable depends on where it’s being used. In this post, we’ll discuss how to sanitize variables for use in SQL queries and in HTML, in general and in phpBB3, and we’ll discuss what can happen if proper sanitization isn’t used.

Read the rest of this entry »