Posted by Marc in Development, Security, Support on May 5th, 2016
As some of you might have noticed, a security issue has recently been uncovered in ImageMagick, a widely used software suite for displaying and modifying images. You can read the full details of the exploit on news outlets such as Ars Technica and on the ImageMagick community forum.
It has come to our attention that admins are unsure whether this affects their phpBB installation and/or what they might have to do to secure their installation.
First and foremost let me make it clear that, based on the currently available information, phpBB is not vulnerable to the exploits.
phpBB already verifies the supplied image types and therefore already contains one of the described mitigations for the ImageMagick vulnerabilities.
phpBB supports using ImageMagick for creating thumbnails only. Other parts of phpBB, such as image or general attachment uploads, do not use ImageMagick at all. The described exploits rely on directly passing uploads to ImageMagick and/or passing “clear text” image formats such as SVG or MVG to it. phpBB itself does not support these image types for creating thumbnails and therefore will not pass them on to ImageMagick. Additionally, supported image types are checked for integrity before they are passed on to ImageMagick for thumbnail creation. Passing malicious files as described, disguised as other image types, is therefore not possible.
We hope this will help with clearing up any confusion or uncertainty on this subject.
Posted by Noxwizard in Support on August 23rd, 2011
FTP is the most common means of moving files to and from a server. When the FTP specification was written, certain convenience features were recommended to client implementers. This was done through four data type definitions. With these definitions, the clients can perform transformations of the data to ease the burden of performing these transformations yourself every time you upload a file.
The data types are: ASCII, EBCDIC, Image, and Local. The first two are different character sets that the local file can be converted to during transmission to the other server. Image is now commonly known as “binary mode” and it transfers the data without changing it in any way. Local allows hosts to specify custom byte sizes for storage and transmission. For this article, I will be focusing on ASCII and Image and what can go wrong if you choose the incorrect transfer mode.
Posted by battye in Support with the tags checklist, Community, setting up a forum on August 25th, 2009
This blog post outlines the key points you must consider if you are going to set up a forum. It is mainly directed to people who have not set up a forum before, but it might also be helpful to existing forum owners who are thinking about creating more in the future.
Feel free to print this page out and work through the list.
Posted by Kellanved in Development, Moderating, Modifications, Styles, Support with the tags 3.0.6, CAPTCHAs, MODs, Styles on June 27th, 2009
You probably have already heard about it: the next release will include a host of new features. This post will present one of them in detail, showing the idea and the impact on users, style and MOD authors.
Most admins are experiencing problems with spam, which is taking away lots of energy that would be better spent on the enjoyable parts of administrating a community. We tried our best in the arms race against spambot programmers, but have to admit failure with our previous approach. Since 3.0.x became as popular as it is, any default visual confirmation gets broken almost instantly. After long discussion in and outside the teams, we came to the conclusion that diversity is the answer: every board admin should be able to use a non-default anti-bot measure without it being a pain.
Posted by wGEric in Support with the tags Support, support request template on June 25th, 2009
In the Support forums, hundreds of support posts are made daily by people who have a problem, or just a question they’d like to ask. It’s hard to answer all of those questions. Sometimes we need more information in order to get a better view of the problem and solve it.
Posted by Noxwizard in Support on May 22nd, 2009
In the past few weeks, a Trojan (Troj/JSRedir-R) has become the most prevalent malicious infection to ever hit websites. According to Sophos, this Trojan accounts for 42% of all infected web pages in the past two weeks. This Trojan typically targets PHP sites, and is not caused by a vulnerability in the scripts you run. Once the Trojan is on your local computer, it searches for FTP credentials and then uses them to modify the files on your website. FTP clients that store their passwords in plaintext, like FileZilla, are particularly vulnerable to this.
Posted by battye in Development, Moderating, Modifications, Styles, Support with the tags phpbb blog on April 14th, 2009
I touched on this in an article at my own site last month, but it is worth mentioning here as well.
This blog currently covers a wide range of topics relating to how to run your forum (How many forums should I create?, How Many Moderators Do You Really Need?, etc), to technical aspects about phpBB and MODs (Injection Vulnerabilities, Templating just got easier, etc) and even general posts about the phpBB project itself (Talkin bout Area51, Londonvasion Re-Cap – phpBB Ascraeus, etc). We would like some feedback from the community to get an idea about the sort of things you would like to read in the blog posts.
Our questions to you are: are there any topics in particular you would like to see posted in the blog? Are there other categories of articles (besides the ones mentioned above) which we need to focus on more?
Please give us your feedback by replying in the comments box below.
Thanks!
Posted by wGEric in Support with the tags Community, Contributing, Support on April 6th, 2009
Because phpBB is a very large product, it needs to be supported. People who have a problem or question come here to find an answer or solution. Have you ever looked at the support forums? If so, you might have seen that there are many, many topics a day and just a few people answering them, which is great of course.
Posted by battye in Moderating, Support with the tags administration, forums on March 18th, 2009
I touched briefly on this in the very first blog post here at phpBB.com. If you’ve just set up phpBB, how many forums should you create?
As I said in that blog post, the key is to start small and increase the number of forums you have over time. There is nothing worse than going to a forum which takes a minute to load, takes twice that long to scroll to the bottom of the page and has dozens upon dozens of inactive forums with either a handful of posts or none at all. Even though there might be a couple of very active forums amongst it all, many people will still think your forum is inactive.
Posted by iWisdom in Support on January 26th, 2009
Not giving private support has been a policy on phpBB.com since I joined over three years ago. There is, in fact, a rule against contacting team members for private support:
Support is offered only via these forums and #phpbb on irc.freenode.net. Do not contact team members privately (via any method) to ask for support. Users found to be contacting team members asking for support will be warned.
While this may sound a little stern (it is by far the most warned offense here at phpBB.com), the reasoning for this is actually quite true.