Bug 188410

Summary: Review Request: phpBB
Product: Fedora
Component: Package Review
Reporter: Peter Gordon <peter>
Assignee: Thorsten Leemhuis (ignored mailbox) <bugzilla-sink>
QA Contact: Fedora Package Reviews List <fedora-package-review>
CC: ivazqueznet, wtogami, yaneti
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Last Closed: 2006-04-10 02:35:22 UTC

Description Peter Gordon 2006-04-09 09:41:53 UTC
Spec Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB.spec
SRPM Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-1.src.rpm

Description:
phpBB is a highly popular web-based forum ("bulletin board") system using PHP
and a database backend such as PostgreSQL, MySQL, ODBC, and others. (Without
one of these, phpBB will not function.) It has many advanced features such as
versatile users/groups permissions management, theoretically limitless forums,
categories, and posts, a private messaging system among users, a highly
customizable style, and a simple but extensive administrative control panel.


With this package, rpmlint complains a little. Two points:
Firstly, it gives an error that the scripts do not have shebangs. Since these are PHP scripts meant to be run through mod_php (provided by the php package), this seems safe to ignore.
  E: phpBB script-without-shellbang /var/www/phpBB2/admin/admin_forums.php
  E: phpBB script-without-shellbang /var/www/phpBB2/language/lang_english/lang_main.php
  [...etc...]


Secondly, it complains that there is an htaccess file in the distribution:
  E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
This is where phpBB stores its cache data, and this .htaccess file explicitly disallows any direct requests for those files. Thus, this seems reasonable to ignore, also.

I've tested this on FC4, and mock builds to test it on FC5 and Devel are currently running on my workstation (though it seems like there should be no problem).

Thanks.

Comment 1 Ville Skyttä 2006-04-09 09:52:25 UTC
(In reply to comment #0)
> Firstly, it gives an error that the scripts do not have shebangs. Since these 
> are PHP scripts meant to be run through mod_php

Do they need to be executable then?  See rpmlint -I script-without-shellbang

Comment 2 Peter Gordon 2006-04-09 10:11:14 UTC
Hi, Ville.

I forgot that the scripts themselves only need be readable in this case. I've
uploaded a second release with this fixed, and I also included the cache's
.htaccess limits in the global httpd phpBB config file.

Source RPM: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-2.src.rpm
Spec:  http://www.thecodergeek.com/downloads/fedora/phpBB.spec

Thanks for your time.
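The permission fix discussed in comments 1 and 2, as an added example that is not the spec file under review: rpmlint's script-without-shellbang check only fires on files with an execute bit, and files served through mod_php need only be readable. The tree below is a constructed stand-in for the staged /var/www/phpBB2 directory (paths and file contents assumed); `fix_php_modes` is the kind of step a %install section would run over the real buildroot, and `no_executable_php` is the check that the warning is really gone. The `.htaccess` helper covers the second rpmlint complaint from comment 0, on the assumption that the same policy is carried in a global httpd config instead.

```shell
#!/bin/sh
# Added example, not part of the phpBB package or spec in this review.
# Demonstrates clearing execute bits on PHP files so rpmlint's
# script-without-shellbang check no longer applies, and removing a
# per-directory .htaccess whose policy is moved to the httpd config.

# Build a small constructed stand-in for %{buildroot}/var/www/phpBB2.
# Upstream tarballs commonly extract with mode 0755 on every file; reproduce that.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/admin" "$root/cache" "$root/language/lang_english"
  printf '<?php echo "admin"; ?>\n' > "$root/admin/admin_forums.php"
  printf '<?php $lang = array(); ?>\n' > "$root/language/lang_english/lang_main.php"
  printf 'Order Allow,Deny\nDeny from all\n' > "$root/cache/.htaccess"
  chmod 0755 "$root/admin/admin_forums.php" \
             "$root/language/lang_english/lang_main.php" \
             "$root/cache/.htaccess"
}

# Make every .php file readable but not executable; directories stay 0755
# so httpd can traverse them.
fix_php_modes() {
  root="$1"
  find "$root" -type f -name '*.php' -exec chmod 0644 {} +
  find "$root" -type d -exec chmod 0755 {} +
}

# Return 0 (true) if no .php file under $1 has any execute bit left.
# Symbolic -perm tests are POSIX; GNU find also accepts -perm /111.
no_executable_php() {
  root="$1"
  [ -z "$(find "$root" -type f -name '*.php' \
          \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print)" ]
}

# Delete per-directory .htaccess files: with AllowOverride None (the httpd
# default) they do nothing, so the same Deny rules belong in /etc/httpd/conf.d.
remove_htaccess() {
  find "$1" -type f -name '.htaccess' -exec rm -f {} +
}

# Count .htaccess files remaining under $1 (the rpmlint htaccess-file check).
count_htaccess() {
  find "$1" -type f -name '.htaccess' | wc -l | tr -d ' '
}

# Stand-alone run against the constructed tree.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  fix_php_modes "$tmp"
  remove_htaccess "$tmp"
  no_executable_php "$tmp" && echo "no executable .php files left"
  echo ".htaccess files remaining: $(count_htaccess "$tmp")"
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see both checks pass on the sample tree; against a real buildroot, call `fix_php_modes "$RPM_BUILD_ROOT/var/www/phpBB2"` from %install and re-run rpmlint on the resulting RPM.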



Comment 3 Ignacio Vazquez-Abrams 2006-04-09 11:42:47 UTC
Has this code been audited for security? Personally I don't want Extras
supplying a known-bad piece of software in an easy-to-install (and therefore
break) form.

Comment 4 Jason Tibbitts 2006-04-09 17:02:28 UTC
phpBB is pretty well maintained and has undergone quite a bit of scrutiny. 
Obviously we shouldn't add known-broken packages to Extras, but I don't think
it's the submitter's job to do a full security audit on every package.  At some
point we have to trust upstream to do their job.

However, because of its security-sensitive status, this is certainly one of
those packages that should have a backup maintainer (or two) so that any
necessary updates are released as quickly as possible.

Comment 5 Yanko Kaneti 2006-04-09 17:26:30 UTC
To me phpBB is like the sendmail of the php forum thingies (with less features
than some of the others).
and fedora still ships sendmail...

Comment 6 Peter Gordon 2006-04-09 18:01:17 UTC
Well, even though phpBB does seem to contain many vulnerabilities, upstream is
very good about releasing fixes or patches for these; and it is my intent to
keep up to date with upstream releases including these security fixes and/or
patch it myself if needed.

I'd be happy to take on this package with a couple of other maintainers, as
needed. (To be honest, I think that's probably a good idea.)

Thanks.

Comment 7 Warren Togami 2006-04-09 19:44:28 UTC
> Secondly, it complains that there is an htaccess file in the distribution:
>   E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
> This is where phpBB stores its cache data, and this .htaccess file explicitly
> disallows any direct requests for those files. Thus, this seems reasonable to
> ignore, also.

By default httpd.conf doesn't allow htaccess overrides, so the effectiveness of
this .htaccess is not great.  I am pretty sure this directory doesn't need to be
in a web accessible directory at all.  You could patch the default directory so
that it uses someplace like /var/cache/phpbb instead (not sure, I haven't tested
this)?

About PHPBB security, it is actively maintained, but has a long history of
repeated security holes.  I've seen many Linux servers become compromised by
script kiddies due to past PHPBB holes.  If PHPBB gets into Fedora, the
maintainer(s) *MUST* be vigilant in updating the package quickly when upstream
makes a new release.

Comment 8 Warren Togami 2006-04-09 20:00:06 UTC
Another option would be to put those explicit disallows into a
/etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
worse idea than my last comment.
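The /etc/httpd/conf.d/phpbb.conf approach from comments 7 and 8, written out as an added example; this is not the file from the release-2 SRPM, and the install path /var/www/phpBB2 and the URL prefix /phpBB2 are assumed from the rpmlint output in comment 0. The point of carrying the rule here rather than in cache/.htaccess is that it takes effect regardless of the AllowOverride default in httpd.conf, which on Fedora's stock configuration is None for the document root.

```apache
# /etc/httpd/conf.d/phpBB.conf  (added example; paths assumed, not the spec's own file)
# Directive syntax is that of httpd 2.0/2.2, which is what FC4/FC5 shipped.
# On httpd 2.4 the Order/Allow/Deny lines become "Require all granted"
# and "Require all denied" respectively.

Alias /phpBB2 /var/www/phpBB2

<Directory /var/www/phpBB2>
    # Policy lives in this file, so per-directory .htaccess files are not
    # consulted at all (and the htaccess-file rpmlint hit can be dropped).
    AllowOverride None
    # Never list directory contents if a DirectoryIndex file is missing.
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>

# The cache directory is written by the application at runtime and must be
# writable by the apache user, so it must never be served directly.
<Directory /var/www/phpBB2/cache>
    Order deny,allow
    Deny from all
</Directory>
```

After installing the file, `apachectl configtest` followed by `service httpd reload` (or `apachectl graceful`) makes it active; a request for http://localhost/phpBB2/cache/ should then return 403. Moving the cache out of the document root entirely, as comment 7 suggests, removes the need for the second Directory block but requires patching phpBB's cache path, which the discussion above leaves untested.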


Comment 9 Peter Gordon 2006-04-10 01:56:02 UTC
(In reply to comment #8)
> Another option would be to put those explicit disallows into a
> /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
> worse idea than my last comment.

That's one thing I changed in release 2. :)



Comment 10 Peter Gordon 2006-04-10 02:35:22 UTC
Actually, I've been discussing this with a couple of my friends and based on
phpBB's track record of vulnerabilities, it may be for the best *not* to package
it in Extras until it can be properly audited and whatnot. I'll close this as
WONTFIX. Have a nice evening, all.