News

Posted over 15 years ago by ToonArmy
Hello,

Within the last week, it has come to our attention that phpBB.com was unsuccessfully attacked by a malicious party attempting to brute-force account login credentials. This attack was facilitated by a query for "powered by phpbb" on a search engine. Though this attack was not successful as phpBB includes several features to ensure it is not vulnerable to such attacks, users should take measures to ensure that their forums are properly protected.

Attack anatomy

To perform the attack, the attacker registers an account on the forum and tests that the memberlist is available for them to obtain lists of users. The attacker then uses an automated process to login and download thousands of user names from the memberlist; the attacker here grabbed a little over 5000 user names. After collecting this data the attacker attempts to brute-force account credentials by repeatedly sending login requests to the forum. As the attack does not attempt to solve the invalid login attempts CAPTCHA, it is limited to the amount of attempts specified in the "Maximum number of login attempts" configuration option.

Signs

Visible signs of this attack include:
Users being required to enter a CAPTCHA after an initial login attempt.
Increased server load.
Repeated POST requests to ucp.php?mode=login from the same IP address.

Prevention

phpBB provides several tools that enable users to mitigate these efforts.

To prevent successful brute-forcing, an administrator may ensure that "Maximum number of login attempts" (accessible via the Administration Control Panel under "Security settings") is set to a small number (the default of 3), ensuring that a CAPTCHA will be required if an excessive number of failed login attempts occur.

Furthermore, an administrator may wish to prevent Newly Registered Users from viewing the memberlist. To do this, ensure that the Newly Registered Users group is enabled (accessible via "User registration settings"; ensure that the "New member post limit" is greater than 0), then navigate to Permissions -> User roles -> "Newly registered user" -> Profile -> set "Can view profiles, memberlist and online list" to Never.

Additionally, this attack may be mitigated by proper password selection. Ensure that your password (and the passwords of your users) contain letters and numbers and are not common words, phrases, combinations (password, 1234, etc.). Requirements for password complexity for your forum may be set on the "User registration settings" page of the Administration Control Panel.

While it should again be stressed that this attack was not successful, administrators should take the above measures to ensure the safety of their forum and their users.

If you have any questions regarding the implementation of these processes, please create a new topic in the Support Forum.
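The signs listed in the announcement above, in particular repeated POST requests to ucp.php?mode=login from the same IP address, can be checked against a web server access log. The following is an added example, not part of the original announcement or of phpBB's code; it assumes Combined Log Format, the memberlist.php script name, and illustrative thresholds, and its sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def classify(method, path):
    """Return which of the two watched request kinds this is, or None."""
    script, _, query = path.partition("?")
    if method == "POST" and script.endswith("/ucp.php") \
            and "mode=login" in query.split("&"):
        return "login_post"
    # Assumption: the memberlist is served by memberlist.php.
    if method == "GET" and script.endswith("/memberlist.php"):
        return "memberlist_get"
    return None


def detect(lines, window=timedelta(minutes=5),
           login_threshold=10, memberlist_threshold=50):
    """Map (ip, kind) -> peak request count inside any sliding window,
    for pairs that reached their threshold. Thresholds are illustrative
    assumptions; lines are expected in chronological order."""
    limits = {"login_post": login_threshold,
              "memberlist_get": memberlist_threshold}
    recent = defaultdict(deque)   # (ip, kind) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the format
        kind = classify(m["method"], m["path"])
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        key = (m["ip"], kind)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= limits[kind]:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: one scraping/guessing client, one normal user."""
    t0 = datetime(2010, 2, 10, 12, 0, 0, tzinfo=timezone.utc)

    def row(ip, secs, method, path):
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

    rows = [row("203.0.113.7", 2 * i, "GET",
                f"/forum/memberlist.php?start={25 * i}") for i in range(60)]
    rows += [row("203.0.113.7", 130 + 5 * i, "POST",
                 "/forum/ucp.php?mode=login") for i in range(12)]
    rows += [row("198.51.100.20", 40 * i, "POST",
                 "/forum/ucp.php?mode=login") for i in range(2)]
    rows.append("not an access log line")
    return rows


if __name__ == "__main__":
    for (ip, kind), count in sorted(detect(sample_log()).items()):
        print(f"{ip} {kind} peak={count} within 5 minutes")
```

An address that appears under both kinds matches the sequence the announcement describes: memberlist harvesting followed by a burst of login attempts.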
Posted over 15 years ago by Marshalrusty
After seven years of working on the Development Team, four of which were in the lead position, we regret to announce that Meik Sievertsen (Acyd Burn) has stepped down from his post.

Meik joined the phpBB Development Team in February of 2003, then under the leadership of Paul S. Owen. When Paul moved on to pursue other endeavors in September of 2005, Meik stepped up to fill his shoes. Since that time, primary development of phpBB 3.0 was completed and we are now well on our way to working on the 7th maintenance release. Under Meik's leadership of development, phpBB has not only maintained its status among internet software, but gone above and beyond to improve upon past experiences. Meik will continue contributing to the phpBB project in the role of Server Manager, a position established to oversee proper configuration and maintenance of the systems powering the various phpBB.com websites.

The position of Development Lead has been picked up by Nils Adermann (naderman). Nils joined the Development Team at the end of 2005 to assist with search and authentication plugins. He played a key role in phpBB3's beta phase, speeding up development after a long period of limited activity. Most recently, he has been involved with planning the development of phpBB4. Nils was also the primary organiser and an active voice at last year's Developer Meeting in Köln.

Please join us in thanking Meik for his contributions to the project and the tremendous amount of dedication he has shown over the years. Likewise, we welcome Nils to the hot seat and wish him continued success at conquering our present and future challenges.

- The phpBB Team

Please use the [Discuss] A Change in Development Leadership topic to discuss this announcement.
Posted over 15 years ago by eviL<3
AutoMOD 1.0.0-RC3 Released

The Modifications Team is proud to announce the immediate availability of the third release candidate for AutoMOD, our automated MOD installation tool. There have been a large number of bug fixes, a feature addition and some large code changes. Refer to the changelog for more details.

About AutoMOD

AutoMOD is a tool for installing MODs in an automated manner. It performs the file edits for you. Because it is still in RC stage it's not fully stable yet. Therefore we suggest you not to use it on a live board yet. However, we encourage you to use it for testing purposes if you are a MOD author.

Getting started

Find more information and a download link on the:
AutoMOD page
The source is available from the code forge under the GNU GPL version 2

Translations

On the download page there are also translations available. If you would like to translate AutoMOD to your language, send a PM to A_Jelly_Doughnut.
Posted over 15 years ago by battye
What is a Junior Validator? Junior Validators assist the MOD Team with the validation of MODs. They help the MOD Team validators with pre-validation and testing. Pre-validation involves running a check on MODs newly submitted to the MOD Database queue using the MOD Pre-Validation tool (MPV) and setting a status on the MOD accordingly. Testing is the major role of a Junior [...]
Posted over 15 years ago by wGEric
There is going to be an unofficial phpBB meet up on March 13, 2010 in Washington, DC. The specific location has yet to be determined so RSVP and give your input on what you would like to do. This will be a great chance to meet other phpBB users and have a great time. Although there probably won't be any formal presentations there will be lots of opportunities to learn more about phpBB.

You can view more information and RSVP here: viewtopic.php?f=105&t=1768275

If you would like to organize your own event, please read this topic: viewtopic.php?f=105&t=1237515
Posted over 15 years ago by tumba25
The Modifications Team is proud to announce the second Beta of the MODX Generator.

Description

The MODX Generator is a new tool we've been working on that will allow the automatic generation of MODX documents. It will take an original phpBB folder and compare it to a copy with applied modifications. The resulting diff is then converted to the MODX format. Copy, edit and inline actions are automatically generated. The generated MODX file can be imported into the MODX Creator for editing and later installed automatically with AutoMOD.

Getting it

More information, a screencast and the download link can be found on the:
MODX Generator page
The source is as always available from the code forge under the GNU GPL version 2

Support & discussion

If you need help or want to share your thoughts, make sure to check out the topic in MOD Writers Discussion.

Changelog

Changes since 1.0.0-b1

Improved the README file.
config.php is renamed to generator_config.php to avoid confusion with other config files.
Some more file names added to the default ignore list.
Ignore version is a parameter to the script, so it's removed from the config.
Parses meta tags from other generators and puts them in the generated MODX file.
Changed the generator meta tag.
There are now default settings in generator_config.php for the script parameters.
Contextual finds, except for in-line finds.
Renamed -f --outfile to -m --modxfile.
Added -r, --root = Creates a root directory containing the files missing in old.
Added -f, --force = Replaces the root directory if it exists.
Added exit values so calling apps knows if it was successful.
Removed the third parameter to check_missing(), $args are global here.
old and new are now main parameters to the app so -o and -n are not needed. old needs to be first. -o are still needed if there is a default setting that needs to be overridden.
Posted over 15 years ago by tumba25
The Modifications Team is proud to announce the release of yet another tool, the MODX Generator. This is the first Beta, the "Lazy Edition".

Description

The MODX Generator is a new tool we've been working on that will allow the automatic generation of MODX documents. It will take an original phpBB folder and compare it to a copy with applied modifications. The resulting diff is then converted to the MODX format. Copy, edit and inline actions are automatically generated.

The generated MODX file can be imported into the MODX Creator for editing and later installed automatically with AutoMOD.

Getting it

More information, a screencast and the download link can be found on the:
MODX Generator page
The source is as always available from the code forge under the GNU GPL version 2

Support & discussion

If you need help or want to share your thoughts, make sure to check out the topic in MOD Writers Discussion.
Posted over 15 years ago by wGEric
phpBB's servers are hosted and managed by the Oregon State University Open Source Lab ("OSUOSL"). The OSUOSL provides these services to many open source projects and communities, through donations provided by friends like you, in order to accelerate the growth of open source around the world. We encourage you to help support our project by making a donation to the OSUOSL.

The non-profit Open Source Lab is able to provide its services to the global open source community thanks to the generous support of its industry partners and individual donors. This year, the Open Source Lab marks its sixth anniversary. Please help celebrate by supporting the OSUOSL through a donation. Can you give $6 to help commemorate six great years of open source hosting? Gifts of $25 or more qualify for membership in the Friends of the OSL program. All donations are handled by the Oregon State University Foundation, a 501(c)(3) non-profit.

Donate now!
Posted over 15 years ago by Acyd Burn
Hello,

We are very pleased to announce the availability of the phpBB "Fast and Furrious" 3.0.6 package. This release fixes numerous bugs, introduces some major features, as well as improves stability and performance. Furthermore, the internal updater has been updated to detect and solve most conflicts, resulting in a reduction of necessary manual interaction by administrators.

Please note that we urge you to update. phpBB 3.0.6 fixes bugs being quite important for a smooth operation of your forums. With this release our support team will only give support for phpBB 3.0.6, updates to phpBB 3.0.6 and conversions to phpBB 3.0.6. Submissions to our trackers for older versions will not be accepted, please make sure you update/upgrade before you submit a bug report.

If you use a different language pack than the one provided with the download packages you may find already updated language packs for your language within our downloads section.

For a complete list of changes with attributed ticket numbers, please consult our comprehensive changelog. The list below is only a selection of the most important changes in phpBB 3.0.6.

A list of major new features implemented in phpBB 3.0.6

Better captcha options and backported 3.2 captcha plugins:
    Classic and GD CAPTCHA
    reCaptcha (based on API from recaptcha.net by Mike Crawford and Ben Maurer)
    Q&A CAPTCHA
    3D Wave (by Robert "Xore" Hetzler)
Introduced new ACM (Cache) plugins. (Please consult our support forums for help if you need to use one of the new ACM plugins)
    null (to disable caching completely)
    memcache
    APC
    XCache
    eAccelerator
ATOM Feeds
Bare-bones Quick Reply editor in viewtopic
Users can report PMs to moderators which are then visible in a new MCP module
Ability to copy permissions from one forum to several other forums.
Send anonymous statistical information to phpBB on installation and update (optional)

A non-comprehensive list of minor feature additions to phpBB 3.0.6

Add language selection to the registration terms page. (Patch by leviatan21)
New groups option to exempt group leaders from group permissions (allows leading groups having NEVER permissions).
New "Newly Registered Users" group for assigning permissions to newly registered users. They will be removed from this group once they reach a definable amount of posts.
Ability to define if the "Newly Registered Users" group will be assigned as the default group to newly registered users.
Add new option to disable avatars board-wide. (Patch by cYbercOsmOnauT and nickvergessen)
Add unapproved topic icon for moderators on forum list.
Ability to define minimum number of characters for posts/pms.
Detect if a post has been altered by someone else while editing.
Add unread posts quick search option.
Add option to disable avatar uploads from remote locations.
Ability to delete warnings and keep warnings permanently.
Ability to empty a user's outbox from the user ACP quick tools.
Ability to search ACP/MCP logs.
Parse email text files with the template engine.
Added new functionality to inactive users module:
    Ability to set users per page.
    Ability to sort by posts/number of reminders/last reminded date.
    Show number of posts and ability to search posts.
    Show number of reminders sent to user.
    Show date of last reminder sent to user.
Display version check on ACP main page.
Ability to control the display of custom profile fields on viewtopic.
Fallback options for missing language files. (Patch by EXreaction)
Separate PM Reply and PM Reply to all in prosilver.
Place debug notices during captcha rendering in the error log - useful for debugging output already started errors.
Ability to define constant PHPBB_USE_BOARD_URL_PATH to use board url for images/avatars/ranks/imageset (useful for bridges and applications using phpBB).
Style authors are now able to define the default submit button used for form submission on ENTER keypress on forms using more than one submit button. Prosilver uses this for the posting page(s) and registration screen.
Ability to specify amount of time user is able to delete his last post in topic.

A non-comprehensive list of smaller changes implemented in phpBB 3.0.6

Change the data format of the default file ACM to be more secure from tampering and have better performance.
Template engine now permits variable includes to a limited extent.
Quote BBCode no longer requires the f_reply permission.
Banning/unbanning users now generates an entry in their user notes.
Smilies no longer require the f_bbcode permission.
Hide avatar when avatar-type is not allowed.
INCLUDEPHP paths are now relative to $phpbb_root_path.
"Post details" links with image in MCP.
PM history now only shows PMs of users you currently reply to.
Show quote button for own PMs in PM history.
Add pagination for icons and smilies in the ACP and smilies in the smiley popup.
Changed minimum requirement for Firebird DBMS from 2.0+ to 2.1+.
Unapproved topics can no longer be replied to.
Allow three-digit hex notation in Color BBcode.
Simplified login_box() and redirection after login. S_LOGIN_ACTION can now be used on every page.
Resize oversized topic icons.
Banned IPs are now sorted.
phpBB updater now skips sole whitespace/tab changes while computing differences. This reduces the chance of conflicts tremendously.
phpBB updater now solves common conflicts on its own. This further reduces the chance of conflicts.
Database updater now supports checking for existing/missing indexes.

A list of important bugfixes since phpBB 3.0.5

Show error in the ACP when template folder is not readable.
Correctly apply the can change vote permission again. Regression introduced in r9470.
Remove data from friend/foe table when deleting user.
Fix dynamic config update routine error if firebird is used
Fix saving custom profile fields in ACP if Oracle is used.
Make view_log() more resilient to corrupt serialized data.
Fix Oracle database backup and restore.
Update attachments table when deleting user and retaining his posts.
Correctly detect files in subfolders when viewing cached template files.
Do not throw an error when PDO is a shared module and not loaded preventing SQLite from being loaded.
Fix censoring of unicode words.
Do not remove recipients when loading private message draft.
Fix database updater and db tools to support multiple column changes/additions/removals with SQLite.
Posting smilies in view more smilies screen now works again in IE. (Patch by leviatan21)
Add ability to prune users who never logged in.
Fail gracefully if store folder is not writable during update.
Fix error with disapproval of topics having several queued posts only.
Preserve newlines in template files.
Be less strict with FTP daemons when getting directory filelists.
Fix set_custom_template for database-stored styles.
Do not send private message back to sender if sender is in the same group the private message was sent to.
Min/max characters per posts no longer affects poll options.
Do not try to create thumbnails for images we cannot open properly.
Apply locale-independent basename() to attachment filenames. New function added: utf8_basename(). (Patch by ocean=Yohsuke)
Adjust build_url() to not prepend $phpbb_root_path if path returned from redirect() is an URL. This fixes redirect issues with some installations and bridges.
Fix general error in registration, caused by an undefined $config variable in validate_referer(). (Patch by wjvriend)
Correctly extract column default value when exporting PostgreSQL tables.
Allow updater to work correctly with PHP filename extensions other than ".php".
Update search index if only post subject changed.
Prevent style switcher from blocking the tab key.
Fix email problems on servers with PHP installations not accepting RFC-compliant subject string passed to the mail()-function.
Only embed cron.php if there is no cron lock present to reduce overhead. (Patch by TerryE)
Send activation email when activating user from user settings.
Correctly display underlined links placed in last line in viewtopic. (Patch by primehalo)
Only check whether forum image exists if forum image is specified.
Fixed database updater for changes to columns having default value in MSSQL (adding/dropping constraints).

A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it.

Minimum Requirements

phpBB3 has a few requirements which must be met before you are able to install and use it.

A webserver or web hosting account running on any major Operating System with support for PHP
A SQL database system, one of:
    MySQL 3.23 or above (MySQLi supported)
    PostgreSQL 7.3+
    SQLite 2.8.2+
    Firebird 2.1+
    MS SQL Server 2000 or above (directly or via ODBC)
    Oracle
PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support for the database you intend to use.
getimagesize() function need to be enabled

The optional presence of the following modules within PHP will provide access to additional features, but they are not required.

zlib Compression support
Remote FTP support
XML support
Imagemagick support
GD Support

The presence of each of these optional modules will be checked during the installation process.

Security

Security issues found should be reported to our security tracker in the usual way.

Available packages

If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.

With this release, there are five packages available.

Full Package: Contains entire phpBB3 source and English language files.
Automatic Update Package: Update package for the automatic updater, containing the changes from previous release to this release.
Changed Files Only: Contains only those files changed from previous versions of phpBB3. Please note this archive contains changed files for each previous release.
Patch Files: Contains patch compatible patches from previous versions of phpBB3.
Code Changes Package: Package contains changes to the following sections: Language changes, prosilver style changes and subsilver2 style changes.

Select whichever package is most suitable for you. As a tiny guide we recommend the following methods based on the requirements:

For a new installation you should use the Full Package
For updates of boards without modifications you can basically use the Automatic Update Package (guided update) or the Changed Files Only package (manual update).
For updates of boards with modifications you should use the Automatic Update Package. If you are confident with patch files and patching you can use the Patch Files Package.
Style Authors and Translators may use the Code Changes Package to update their styles or language packs directly.
International Support Teams may use the Patch Package in conjunction with the Code Changes to better support users having problems with conflicts or specific code sections.
If you are a hoster/provider, you may want to use the Patch Files Package to update all of your client installations.

Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!

Download Locations

You can of course find this download available on our downloads page.

Our release archive provides all packages we build. If you do not find the desired package you may want to have a look at the release archive.

Download/Documentation

phpBB Downloads
phpBB Projects page @ ohloh
phpBB3 Documentation
phpBB3 support forum
phpBB3 bug tracker
phpBB Code Forge
phpBB Code Wiki

Have fun with the release,
the phpBB Team
Posted almost 16 years ago by battye
A very common question about phpBB is how to display recent posts or topics on a separate page, such as a website homepage. It can be very handy to do this, as it allows visitors to your website a chance to quickly see recent activity. This blog post details how displaying a list of recent posts [...]