
Phpbb Security Questions


Striver


I recently installed the latest version of phpBB (2.0.22). I know I can't make it bulletproof but I want to come as close as possible. One thing I noticed is that the cache and avatar directories and their content are chmod 777. That gives me the heebie-jeebies because that is a rather dangerous permission combination. Is this just the way this particular program needs things set up? Can it, or should it be changed?

 

And most of all...what is your best tip for phpbb security that I may not know? :clapping:

 

In case you are curious, the forum is here... http://www.verchi.com/forum002/

Link to comment
Share on other sites

For users to upload their own avatars you can't get around the 777 permission settings. I would gather the cache directory requires it as well.

 

phpBB is prone to attacks, being one of the most popular freeware forum software packages available. All I can say is monitor when they release patches and apply them as soon as possible.

 

An alternative free forum software would be Simple Machines Forum (SMF) which hasn't had as much attention as phpBB but it's easier to upgrade when patches are released.

Link to comment
Share on other sites

I set up an SMF first to give it a try...there are good reasons that phpbb is more popular :clapping:

 

I am actually running the cache at 755 and haven't had any problems. The file ownership of the files in the cache is set up a bit differently so they aren't as easy to chmod, but I have read you can set them to 755 as well. I was just hoping there might be a phpBB guru lurking around here somewhere :clapping:

 

And speaking of users uploading their own avatars...I tried to replace mine here but it wouldn't take the new one...it just deleted the old one. I had to link to the pic on my site.

 

Lee

Link to comment
Share on other sites

Something you can do is leave the directory permissions at 755 and ask the help desk to change ownership of it to "nobody" so that the default server user can write to it.

 

I have read some about that option but some experts seem to think it opens more security holes than it closes...and of course I don't know enough about it yet to know who is right :clapping:

 

When I was doing a lot of Perl programming I noticed that password protecting a directory like this didn't seem to lock out local programs. Not sure exactly whether that would fix this and I would need to set up another server to test it too...hmmm...maybe time to fire up this old Linux box I have sitting here...ack!

Link to comment
Share on other sites
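
Whether 777 is needed or 755 is enough, the question running through this thread, depends on which user the web server runs PHP as relative to the directory's owner and group. The Python script below is an added example, not code from any poster or from phpBB: it lists world-writable directories under a forum install and reports the tightest mode that would still let a given web server user write to each one. The function names, the sample directory names and the uid values are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def minimal_mode(st, web_uid, web_gids):
    """Tightest directory mode that still lets the web server user write."""
    if st.st_uid == web_uid:
        return 0o755  # owner write bit is enough
    if st.st_gid in web_gids:
        return 0o775  # group write bit is enough
    return 0o777      # only the "other" write bit reaches this user

def audit(root, web_uid, web_gids=()):
    """List (path, current mode, minimal mode) for world-writable directories."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((dirpath, mode, minimal_mode(st, web_uid, web_gids)))
    return findings

if __name__ == "__main__":
    # Constructed sample tree; "cache" and "avatars" stand in for the forum's directories.
    root = tempfile.mkdtemp()
    for name, mode in (("cache", 0o777), ("avatars", 0o777), ("templates", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    me = os.getuid()
    for label, uid in (("PHP runs as the directory owner", me),
                       ("PHP runs as an unrelated user", me + 1)):
        print(label)
        for path, cur, need in audit(root, uid):
            verdict = "can be tightened" if need < cur else "needs chown/chgrp first"
            print(f"  {os.path.basename(path)}: {cur:o} -> {need:o} ({verdict})")
```

A reported minimal mode of 777 means that removing world write would lock the web server user out until the directory's owner or group is changed.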
