Old 10.09.2004, 22:56   #1 (permalink)
Baby Mamber
 
Join Date: Aug 2004
Posts: 7
diekmann is on a distinguished road
Angry Security problem of phpBB in simpleboard 1.0.3 stable?

Hello,

My hoster told me I must delete my "simpleboard forum 1.0.3 stable", because phpBB has a big security problem and simpleboard has (is) the same one. The hoster gives no details because he does not want to help hackers...

Is that right, or does simpleboard have nothing to do with phpBB?
Which board can I use which has no security problems and can import the existing postings?

Thank you very much
Christian Diekmann
Old 11.09.2004, 08:28   #2 (permalink)
Expert Mamber
 
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
rober is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Quote:
Originally Posted by diekmann
Hello,

My hoster told me I must delete my "simpleboard forum 1.0.3 stable", because phpBB has a big security problem and simpleboard has (is) the same one. The hoster gives no details because he does not want to help hackers...

Is that right, or does simpleboard have nothing to do with phpBB?
Which board can I use which has no security problems and can import the existing postings?

Thank you very much
Christian Diekmann
I have asked our local security expert and the author(s) of the simpleboard component to view this post. I too am curious to find out more about this issue. Please be patient until they have had time to review the post and answer.

Thanks...
__________________
Peace, wherever you are.
Designs by Rober
Network Engineer and graphics designer. Jack of all internet trades...
Old 11.09.2004, 10:39   #3 (permalink)
Baby Mamber
 
Join Date: Aug 2004
Posts: 7
diekmann is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Now there are many phpBB and simpleboards closed by the hoster confident-hosting.de. The hoster says that other hosters (only in Germany?) do the same!

Christian Diekmann
Old 11.09.2004, 11:37   #4 (permalink)
jdg
Baby Mamber
 
Join Date: Apr 2004
Posts: 6
jdg is on a distinguished road
Flame Re: Security problem of phpBB in simpleboard 1.0.3 stable?

All:
Simpleboard has got absolutely nothing to do with phpBB and the Simpleboard code base isn't the same as the phpBB code base.

The code base of Simpleboard has been written from the ground up and as far as we know, there are no security issues left in the Stable releases.

If phpBB has got a security issue, there's absolutely no way to assume Simpleboard has the same security hole. In fact, I can only imagine that phpBB would have a security hole in its user handling. Simpleboard leaves that to Mambo. If phpBB has got a security hole in other parts of the code: 99% of the code is custom coded for the Simpleboard project. There are some parts that are inspired by the way phpBB has coded things, but there's nothing in Simpleboard that has been copied 1:1 from phpBB to Simpleboard. Every bit of code that resembles phpBB code has been rewritten to accommodate Simpleboard.

In short: If phpBB has got a security hole there is very, very little chance Simpleboard has got it too. If this would be the case, it would be due to mere misfortune that TSMF has coded a part similarly to the way the phpBB group has coded a similar part without either knowing...

It is true that Simpleboard resembles phpBB, but that's only from the outside. There are not many different ways to make a forum look and we at TSMF feel that the phpBB group did a good job layout wise... we didn't copy it, we were influenced/inspired by it.

Now, I challenge everybody, especially the German hoster, to come up with the security hole in Simpleboard. If this hoster doesn't want to make it public, I can fully understand because it'll open up Pandora's box to hackers, but they can send me a private email to: jan AT jigsnet DOT com.

If it is true, we'll provide a patch or a new version. If it isn't true, something else must be going on here. I'm of the opinion that any hoster could warn their customers not to use some piece of software, but then at least file a security incident report at the creators' site... nothing easier than that... but bluntly forbidding it without doing anything about it???
That's not what you're paying for... (to say the least).

Hope this answers the questions, removes any doubts and makes clear the intentions of the TSMF group to solve this if it turns out there is a security issue.

Sincerely,
Jan de Graaff.
Simpleboard Lead Developer,
The Two Shoes Mambo Factory

Some facts on security in Simpleboard:
- SB leaves user registration to Mambo, which is considered secure by lots and lots of major players in the field (phpBB does its own user registration);
- There's no way any Simpleboard page can be called without calling the secured Mambo user handling (phpBB does this itself);
- Simpleboard doesn't use session cookies for user authentication and user privilege tracking. It uses the Mambo database to track this and therefore, there are no cookies to be hijacked by third parties rendering people privileges they shouldn't have (phpBB does use session cookies for user authentication and privilege tracking);
- It is not possible to access any administrator functions by merely guessing the URLs to use. All these functions are secured with Mambo's user authentication system;
- and there's more!
__________________
Jan de Graaff
Simpleboard Lead Developer
My Mambo Hosting Company: JIGSnet
Hosting packages starting at €1,50 per month.
Old 11.09.2004, 22:30   #5 (permalink)
Baby Mamber
 
Join Date: Aug 2004
Posts: 7
diekmann is on a distinguished road
Arrow Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Hello,

I have new information. Sadly, it is not a problem of simpleboard, but of mambo! It seems that mambo has the same problems as phpBB. I now know the steps to reproduce an overstressing of mySQL by using mambo or phpBB. The steps to do this are very simple and it needs no more than 30-60 seconds to block or break mySQL for some time.
I do not want to post more details, because some people may get the idea to test the steps to reproduce the problem...

This is also the reason why some German hosters will forbid phpBB (and perhaps mambo): because some people know the steps to block mySQL, and then the server, and with it many domains, is in a bad situation...


Best regards
Christian Diekmann
Old 12.09.2004, 05:41   #6 (permalink)
Expert Mamber
 
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
rober is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Quote:
Originally Posted by Jan de Graaff
Simpleboard has got absolutely nothing to do with phpBB and the Simpleboard code base isn't the same as the phpBB code base.

The code base of Simpleboard has been written from the ground up and as far as we know, there are no security issues left in the Stable releases.
Rock on... I knew it couldn't be! and thank you very much for responding to my request Jan, I sincerely appreciate your input and time.
__________________
Peace, wherever you are.
Designs by Rober
Network Engineer and graphics designer. Jack of all internet trades...
Old 12.09.2004, 05:59   #7 (permalink)
Expert Mamber
 
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
rober is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Quote:
Originally Posted by kochp
You probably are referring to this issue:

http://seclists.org/lists/bugtraq/2004/Mar/0147.html

It has been fixed after 4.5 (1.0.3), so probably it's time for you to upgrade to 4.5 (1.0.9) now......

Peter
Christian, I must agree with Peter.

Please upgrade your Mambo CMS to the latest version and see what happens with your hosting provider... AND, if someway they find a security hole, please ask them to report it and provide details on what they found.

I am certain the developers would be very interested in hearing what if anything your hosting providers have to say.

Kindest regards,
__________________
Peace, wherever you are.
Designs by Rober
Network Engineer and graphics designer. Jack of all internet trades...
Old 12.09.2004, 06:01   #8 (permalink)
Junior Mamber
 
Join Date: Apr 2004
Posts: 26
jascha is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

It all seems odd since the last published phpBB issue was this one in July which has been dealt with as has any similar issues with Mambo as previously mentioned. Sounds like the hosting company is just incompetent. Any sort of thing you put on server could be chum for 'hackers'. Be it Mambo, phpBB, etc. There is no such thing as 'hacker-proof' so the practice of removal of things since they have previously had issues would be a big deal. Since you would lack a web server (Apache), a DB (mySQL), and DNS (BIND). So the hosting company would put themselves out of business. . .

-Jascha
__________________
Mambo Security: http://mambosec.localareasecurity.com
Old 12.09.2004, 06:11   #9 (permalink)
Expert Mamber
 
Join Date: May 2004
Location: Kansas, U.S.A.
Posts: 332
rober is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Quote:
Originally Posted by jascha
It all seems odd since the last published phpBB issue was this one in July which has been dealt with as has any similar issues with Mambo as previously mentioned. Sounds like the hosting company is just incompetent. Any sort of thing you put on server could be chum for 'hackers'. Be it Mambo, phpBB, etc. There is no such thing as 'hacker-proof' so the practice of removal of things since they have previously had issues would be a big deal. Since you would lack a web server (Apache), a DB (mySQL), and DNS (BIND). So the hosting company would put themselves out of business. . .

-Jascha
Cha ching...... (One point for Jascha and Mambo, no points for security holes!)
Well put! Thanks for replying Jascha
__________________
Peace, wherever you are.
Designs by Rober
Network Engineer and graphics designer. Jack of all internet trades...
Old 12.09.2004, 10:05   #10 (permalink)
Baby Mamber
 
Join Date: Aug 2004
Posts: 7
diekmann is on a distinguished road
Default Re: Security problem of phpBB in simpleboard 1.0.3 stable?

Quote:
It has been fixed after 4.5 (1.0.3), so probably it's time for you to upgrade to 4.5 (1.0.9) now......
I already use Version 4.5 Stable-1.0.9 (Help/Credits)...

Please contact me at my stored e-mail address. Then I will give you information to reproduce the problem.

Thank you
Christian