Hosts Ban phpBB As Security Issues Persist

Some web hosts are banning the use of phpBB in the wake of persistent security problems for the popular open source web forum program. The move follows renewed attacks on phpBB after a coding error was found in the same file targeted by a December worm attack that defaced thousands of phpBB sites.

"It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB," said a message from the phpBB development team. "This is unfortunate for everyone and seems largely to be based on FUD (Ed. fear, uncertainty and doubt). While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly."

Web hosts are less impressed. One host that has banned the software said phpBB had been its biggest security headache. "Since January, phpBB has been through at least 4, and maybe 5 revisions due to serious vulnerabilities, often found/reported wthin HOURS of a version release," HostPC said in its customer advisory.

The latest security incident involves a security flaw in a file called viewtopic.php, which was attacked by the Santy worm. UPDATE: Our initial report suggested the security hole in phpBB 2.0.15 was the same flaw found in version 2.0.11 and targeted by the Santy worm. The latest flaw is actually in a different section of the viewtopic.php code, according to Ashley Pinner of the phpBB support team. A fix is included in a new update of phpBB, which has had persistent security problems in recent months. phpBB is among the web's most popular bulletin board programs, with more than 194,000 registered members of its user forum.