Analyzing Popular CMSs: Are phpBB Users at Risk?

    Continuing with our series of articles on CMS security, this time we will be focusing on phpBB. We have previously profiled Joomla, WordPress, and Drupal.

    I can already hear CMS purists howling that phpBB is not a CMS. In a way they’re right, but in other ways it is a CMS. phpBB is without a doubt one of the most popular “Internet Forum” software packages available. Its ease of installation, various custom skins, and large installation base make it a very attractive choice for anyone who wishes to set up a community discussion board on the Internet. phpBB has had a few million downloads at the very least and enjoys a very active user group.

    phpBB is popular among webmasters who want to set up Internet forums easily. Users of phpBB also benefit from a high level of customization, another big plus for this CMS. Support for this CMS is awesome; in fact, phpBB has Flash-based video tutorials to help new users get started! Additionally, the phpBB developer community is very security conscious.

    Next, we will take a close look at phpBB to understand security issues with active installations seen publicly on the Internet.

    The aim of this experiment:

    • Determine the number of phpBB sites using older versions of the CMS package (and hence vulnerable to attacks).
    • Identify the associated scripts phpBB users install in addition to core phpBB functionality.
    • Identify the vulnerabilities introduced by using those associated scripts.

    Experiment methodology:

    An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed phpBB. Understandably, not all 100,000 websites would actually be using phpBB. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by phpBB or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 1st and February 3rd, 2010.

    Distribution of phpBB versions:

    In 84.16% of the sites running phpBB, a version number of the CMS package could be identified. The distribution of phpBB versions below covers only those installations whose version could be determined.
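To make the methodology concrete, here is an added example (not code from the original post) of the bookkeeping a defender would do when auditing an inventory of their own forums: pick out the phpBB installations, extract a version where one is exposed, tally the distribution, and flag installations behind a reference release. The footer strings, hostnames and the "phpBB x.y.z" version format are constructed assumptions for the example, not phpBB's exact markup; `current` is whatever release the auditor treats as the baseline.

```python
import re
from collections import Counter

# Constructed inventory: hostname -> footer text as a scan might record it.
# Hosts are placeholders and the version-in-footer format is assumed.
SAMPLE_FOOTERS = {
    "forum-a.example": "Powered by phpBB 2.0.23 © 2001, 2005 phpBB Group",
    "forum-b.example": "Powered by phpBB 3.0.6 © 2000, 2002, 2005, 2007 phpBB Group",
    "forum-c.example": "Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group",  # version not exposed
    "forum-d.example": "Powered by phpBB 3.0.4 © phpBB Group",
    "forum-e.example": "Running some other forum package",  # not phpBB at all
}

VERSION_RE = re.compile(r"phpBB\s+(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the version as an int tuple (e.g. (3, 0, 6)) or None if not exposed."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_phpbb(text):
    """Crude generator check: the footer names phpBB."""
    return "phpBB" in text


def summarize(footers, current):
    """Counts mirroring the post's methodology: phpBB sites, share with an
    identifiable version, version distribution, and hosts behind `current`."""
    cur = tuple(int(p) for p in current.split("."))
    phpbb = {h: t for h, t in footers.items() if is_phpbb(t)}
    known = {h: v for h, v in ((h, parse_version(t)) for h, t in phpbb.items()) if v}
    # Tuple comparison orders versions numerically, so 2.0.23 < 3.0.6 as intended.
    outdated = sorted(h for h, v in known.items() if v < cur)
    dist = Counter(".".join(map(str, v)) for v in known.values())
    return {
        "phpbb_sites": len(phpbb),
        "identified_pct": round(100 * len(known) / len(phpbb), 2) if phpbb else 0.0,
        "distribution": dict(dist),
        "outdated": outdated,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FOOTERS, current="3.0.6"))
```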

    We present the most interesting results:


    This limited experiment shows that, like Drupal, phpBB installations seem to be relatively safe from the most prevalent forms of malware. However, the fact remains that there are quite a few vulnerable installations of phpBB which can fall prey to malicious hackers. This trend is echoed by our analysis of WordPress. It will be interesting to probe further and understand why the number of “infected” sites is not higher when there are vulnerable installations in the wild.

    Till next time.

    • I do agree with all of the concepts you have offered for your post. They are very convincing and will certainly work. Nonetheless, the posts are very short for beginners. May you please lengthen them a bit from next time? Thanks for the post.

      You can certainly see your expertise in the work you write. The arena hopes for more passionate writers such as you who are not afraid to mention how they believe. All the time follow your heart. “We may pass violets looking for roses. We may pass contentment looking for victory.” by Bern Williams.

      Posted by ErafKedeErors on August 31st