Red Hat Bugzilla – Bug 188410
Review Request: phpBB
Last modified: 2007-11-30 17:11:30 EST
Spec Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB.spec
SRPM Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-1.src.rpm
phpBB is a highly popular web-based forum ("bulletin board") system using PHP
and a database backend such as PostgreSQL, MySQL, ODBC, and others. (Without
one of these, phpBB will not function.) It has many advanced features such as
versatile users/groups permissions management, theoretically limitless forums,
categories, and posts, a private messaging system among users, a highly
customizable style, and a simple but extensive administrative control panel.
With this package, rpmlint complains a little. Two points:
Firstly, it gives an error that the scripts do not have shebangs. Since these are PHP scripts meant to be run through mod_php (provided by the php package), this seems safe to ignore.
E: phpBB script-without-shellbang /var/www/phpBB2/admin/admin_forums.php
E: phpBB script-without-shellbang /var/www/phpBB2/language/lang_english/lang_main.php
Secondly, it complains that there is an htaccess file in the distribution:
E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
This is where phpBB stores its cache data, and this .htaccess file explicitly disallows any direct requests for those files. Thus, this seems reasonable to ignore, also.
I've tested this on FC4, and mock builds to test it on FC5 and Devel are currently running on my workstation (though it seems like there should be no problem).
(In reply to comment #0)
> Firstly, it gives an error that the scripts do not have shebangs. Since these
> are PHP scripts meant to be run through mod_php
Do they need to be executable then? See rpmlint -I script-without-shellbang
I forgot that the scripts themselves only need be readable in this case. I've
uploaded a second release with this fixed, and I also included the cache's
.htaccess limits in the global httpd phpBB config file.
Source RPM: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-2.src.rpm
Thanks for your time.
Has this code been audited for security? Personally I don't want Extras
supplying a known-bad piece of software in an easy-to-install (and therefore
phpBB is pretty well maintained and has undergone quite a bit of scrutiny.
Obviously we shouldn't add known-broken packages to Extras, but I don't think
it's the submitter's job to do a full security audit on every package. At some
point we have to trust upstream to do their job.
However, because of its security-sensitive status, this is certainly one of
those packages that should have a backup maintainer (or two) so that any
necessary updates are released as quickly as possible.
To me phpBB is like the sendmail of the php forum thingies (with fewer features
than some of the others).
and Fedora still ships sendmail...
Well, even though phpBB does seem to contain many vulnerabilities, upstream is
very good about releasing fixes or patches for these; and it is my intent to
keep up to date with upstream releases including these security fixes and/or
patch it myself if needed.
I'd be happy to take on this package with a couple of other maintainers, as
needed. (To be honest, I think that's probably a good idea.)
> Secondly, it complains that there is an htaccess file in the distribution:
> E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
> This is where phpBB stores its cache data, and this .htaccess file explicitly
> disallows any direct requests for those files. Thus, this seems reasonable to
> ignore, also.
By default httpd.conf doesn't allow htaccess overrides, so the effectiveness of
this .htaccess is not great. I am pretty sure this directory doesn't need to be
in a web accessible directory at all. You could patch the default directory so
that it uses someplace like /var/cache/phpbb instead (not sure, I haven't tested
About PHPBB security, it is actively maintained, but has a long history of
repeated security holes. I've seen many Linux servers become compromised by
script kiddies due to past PHPBB holes. If PHPBB gets into Fedora, the
maintainer(s) *MUST* be vigilant in updating the package quickly when upstream
makes a new release.
Another option would be to put those explicit disallows into a
/etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
worse idea than my last comment.
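As an added example (not the phpBB spec, its release 2, or any file from upstream), here is what the "explicit disallows in /etc/httpd/conf.d/phpbb.conf" suggestion above looks like in the Apache 2.0/2.2 syntax that FC4/FC5 httpd used, next to the weak form it replaces. The install path /var/www/phpBB2 is taken from the rpmlint output earlier in this bug; the /phpBB2 alias URL and the contents of the upstream cache/.htaccess being superseded are assumptions.

```apache
# /etc/httpd/conf.d/phpBB.conf  (added example, not the packaged file)
#
# Assumed layout: the package installs the forum under /var/www/phpBB2 and
# serves it as http://host/phpBB2/.  Access-control directives are in the
# Apache 2.0/2.2 form shipped on FC4/FC5.

Alias /phpBB2 /var/www/phpBB2

<Directory "/var/www/phpBB2">
    # Nothing here depends on per-directory .htaccess files, so overrides can
    # stay off (Fedora's stock httpd.conf already defaults to AllowOverride None).
    AllowOverride None
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>

# Weak form (what the upstream tarball relies on): a Deny rule inside
# /var/www/phpBB2/cache/.htaccess.  With AllowOverride None in effect that
# file is never consulted, so http://host/phpBB2/cache/<file> is served
# like any other static file.
#
# Corrected form: the same rule stated in the server configuration, which
# is applied regardless of AllowOverride.  The longer <Directory> path
# merges after the one above, so this block wins for the cache tree.
<Directory "/var/www/phpBB2/cache">
    Order deny,allow
    Deny from all
</Directory>

# Apache 2.4 spelling of the cache block, for anyone adapting this later
# (Require replaces Order/Deny):
#
# <Directory "/var/www/phpBB2/cache">
#     Require all denied
# </Directory>
```

After editing, `httpd -t` checks the syntax, and a request for a known cache file path should come back 403 rather than 200. The other option raised above, relocating the cache out of the document root (for example under /var/cache), removes the need for this block altogether, since there is then no URL that maps to the directory.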
(In reply to comment #8)
> Another option would be to put those explicit disallows into a
> /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
> worse idea than my last comment.
That's one thing I changed in release 2. :)
Actually, I've been discussing this with a couple of my friends and based on
phpBB's track record of vulnerabilities, it may be for the best *not* to package
it in Extras until it can be properly audited and whatnot. I'll close this as
WONTFIX. Have a nice evening, all.