DaniWeb IT Discussion Community
Young Teck 06

Re: Is phpBB easy to hack?

  #11  
Dec 3rd, 2004
Yes, it works nicely though. ;-)
Need Website Work... PM Me or EMail Me at mdstreetsoulja@gmail.com ... I am AVAILABLE!
asinsh

Re: Is phpBB easy to hack?

  #12  
Jan 19th, 2005
Hi. I'm new to this board (this is my first post). Here's my question:

I'm running a phpbb2.0.11 board on XP SP2 using apache 2.0.52, php 5.0.3 and mysql 4.0.19. Each of the forums on the board is 'private', and I have three groups of users: group A is granted access to everything, group B is granted access only to some of the forums and group C is granted no special access to anything (it is used so that I can send emails to a subset of the users).

I recently moved a particular user from group A to group B and that user has now told me that she is in fact able to view all of the forums even though she is in the restricted group (she remains in group C as well but that group has no special access rights to anything).

She says that the way she figured out to gain access to the forums she is not supposed to have rights to read was 'simple'.

I'm assuming she did not get a username and password from any user in the other group. Any ideas about what a 'simple' way would be for a user to gain access to a private phpbb forum when she is not in a group that has been granted access and has not separately been granted access as a user? (I checked the DB tables and in fact she is only in the restricted group and no permissions have been changed.)

I know it is possible to crack this stuff through brute strength (particularly since we do not require difficult passwords), but since she said what she did was 'simple' I am guessing that is not what she did.

Any ideas?
asinsh

Re: Is phpBB easy to hack?

  #13  
Jan 20th, 2005
Aha!

The user in question has told me exactly what she did to gain entrance: she simply clicked on the link that appears in one of the old topic reply notifications she received a while ago (which she received when she had access to the forum in question) and that takes her right to the topic where she can scroll up or down. But that strikes me as odd, since when I try to sign in as a user without access to a certain forum and then click to a link to a post in that forum, I am properly told there is no such post or topic.

Here's an idea: is it possible that she is only seeing a cached picture of the page she had looked at before (when she originally had received the topic reply notification and clicked the link)? I can't seem to reproduce that with my browser (firefox), but is that a possibility?

Here's the step by step:

1. She has access to Forum X and gets a reply notification email.

2. She clicks the link in the email and looks at the page. Would the browser typically save that in cache??

3. I move her out of the group that has access to Forum X.

4. She goes to that old reply notification email and clicks the link on it.

5. The browser shows her the cached page rather than trying to actually get a new page (since presumably if it tried to get a new page she would get a 'no topic exists' message).

Like I said, I can't reproduce this on my own browser, but does it make sense and is it the most likely explanation? How does a browser know when to get a new page with a particular address versus when to show a cached page?
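Added example, not part of the original thread and not phpBB code: a simplified JavaScript model of the freshness rules (RFC 9111) a browser cache applies when deciding whether to reuse a stored page or go back to the server, which is the question post #13 ends on. The header sets are constructed samples and the function names are hypothetical; what phpBB 2.0.11 actually sends is not shown on this page.

```javascript
// Simplified model of how a browser cache decides whether to reuse a stored
// response (freshness rules of RFC 9111). Header sets are constructed samples.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = arg === undefined ? true : arg;
  }
  return directives;
}

// Freshness lifetime in seconds: max-age, else Expires - Date, else heuristic.
function freshnessLifetime(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  if (cc["max-age"] !== undefined) return parseInt(cc["max-age"], 10) || 0;
  const date = Date.parse(headers["date"]);
  if (headers["expires"] !== undefined) {
    const expires = Date.parse(headers["expires"]);
    // An unparseable Expires or Date is treated as already expired.
    if (Number.isNaN(expires) || Number.isNaN(date)) return 0;
    return Math.max(0, (expires - date) / 1000);
  }
  const modified = Date.parse(headers["last-modified"]);
  if (Number.isNaN(modified) || Number.isNaN(date)) return 0;
  return Math.max(0, ((date - modified) / 1000) * 0.1); // common 10% heuristic
}

// ageSeconds: how long ago the browser stored the response.
function cacheDecision(headers, ageSeconds) {
  const cc = parseCacheControl(headers["cache-control"]);
  if (cc["no-store"]) return "not-stored"; // nothing kept to show later
  if (cc["no-cache"]) return "revalidate"; // must ask the server first
  return ageSeconds < freshnessLifetime(headers) ? "serve-from-cache" : "revalidate";
}

const DAY = 86400;
// Constructed: topic page carrying only Last-Modified, 30 days before Date.
const heuristicPage = {
  "date": "Wed, 19 Jan 2005 12:00:00 GMT",
  "last-modified": "Mon, 20 Dec 2004 12:00:00 GMT",
};
// Constructed: the same page sent with headers suited to access-controlled content.
const privatePage = {
  "date": "Wed, 19 Jan 2005 12:00:00 GMT",
  "cache-control": "private, no-cache, max-age=0",
};
console.log(cacheDecision(heuristicPage, 1 * DAY)); // reused without a request
console.log(cacheDecision(heuristicPage, 5 * DAY)); // stale: server is asked again
console.log(cacheDecision(privatePage, 60));        // server is always asked
```

When the decision is "serve-from-cache", no request reaches the server, so the forum's permission check never runs and the server access log shows no hit for the topic URL at the time of the click.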
mikeSQL

Re: Is phpBB easy to hack?

  #14  
Jan 20th, 2005
Hmm, I would have to say that both partners are right. I love phpBB with a passion as well as vB. To me, both are easy to hack up and customize, as I have before. You can check out my forums at www.mdevonline.com and see for yourself. My forums aren't just a phpBB. It's integrated into phpnuke, but that's standard, right? So get this, I made it more than just a phpBB: my News Mod for nuke itself is running from the phpBB forums and displaying just like regular news on the front page. Neat, huh? Yeah, you can do the same and it is rather easier than vb I think, but again it's easy for me to do both. But if you're getting into it and just kinda curious about it? Dani is correct.
dynastyCODERS#1 when it comes to Programming Tutorials, Database designs and discussions, Operating Systems, you name it, check us out and drop us a line to tell us your opinions on any and everything in mind!;)
fooumang

Re: Is phpBB easy to hack?

  #15  
Jan 28th, 2005
It's all in what you want.

phpbb is free. That's a big plus.

vb costs money. ($80 a year to lease...)

Yeah, one's going to be a little more secure because it's updated a little faster.

The only way to have a secure forum is once you have it up and running on a webserver, remove the ethernet cable from the back of the machine and leave it alone.
Page

Re: Is phpBB easy to hack?

  #16  
Jan 31st, 2005
I am a web host, and we had a lot of end user phpbb boards get hacked last month. Not only did the board get hacked but every .php and .html file in the user's webspace was defaced. If you keep the script up to date and have backups it should be ok.
Rmain

Re: Is phpBB easy to hack?

  #17  
Jan 31st, 2005
I have phpbb 2.0.11 is it? I get confused.
I got the q8 hacker thingy.. I suppose it has to do with the attachment files, I don't know.
But didn't do any damage.
I guess it is part of being on the web.. some people don't have anything better to do... sad ain't it?

I like PHPBB but the help is lacking since of course it is free.
VB is ok too, but trying to get an answer to a specific question is kind of hard... everyone is so wishy washy as far as giving a direct answer..... nothing more frustrating than searching for hours.. finally posting a message and being told.
You can find a hack here GIVE ADDRESS and it is another forum you have to search all over again! ARRRG.... granted I spend a lot of time looking before I ask, but enough is enough! LOL!
Page

Re: Is phpBB easy to hack?

  #18  
Jan 31st, 2005
2.0.11 is the current version, but by now you may already be somewhat protected at the server level, but at any rate that is the latest patched version.
fooumang

Re: Is phpBB easy to hack?

  #19  
Jan 31st, 2005
Yea, 2.0.11 is the latest and greatest....
Young Teck 06

Re: Is phpBB easy to hack?

  #20  
Jan 31st, 2005
2.0.11 is the stable and best, but 3.0.0 is supposed to be better.