Oct 13, 2007

phpBB3 Release Candidate 6 Released

phpBB 3.0.RC6, probably the most hyped release candidate of phpBB so far (and definitely the one release that we’ve talked about more than any other on our show), was just released this afternoon. (Or, if you’re in Europe/Asia, it was released last night.) What’s so significant about this particular release is that it arguably includes the most changes/new features to the phpBB3 codebase since UTF-8 support arrived in Beta3, back last November. (David covered many of these features on episode #033, and we also discussed a few of these on today’s episode #034, which will be released really soon.)

It was also revealed that the phpBB3 codebase security audit was done by the independent software security company SektionEins. Their website indicates that they specialize in security audits for web applications, in particular those based on PHP. Their site also lists a number of stats about Internet attacks, and on episode #034 we talked a bit about some common vulnerabilities that web applications suffer from. One of the reasons that phpBB has a bad reputation for security is that many hosts are using much, much older versions of phpBB2 that have serious vulnerabilities in them. The phpBB teams over the years have been very good at getting new, fixed releases out in a timely manner, and the majority of the fault for these exploits lies with forum admins who don’t keep phpBB2 up-to-date, but nevertheless, the phpBB teams have been unfairly blamed many times for these. By having a codebase audit prior to Olympus going gold, phpBB3 will hopefully have a better lifetime than phpBB2 did.

Acyd Burn mentioned that the security audit turned up zero SQL injection vulnerabilities and zero Command Code Execution (CCE) vulnerabilities, which is excellent news and really exemplifies some of phpBB3’s superiority to phpBB2 when it comes to security. Considering that there are over 200,000 lines of code in phpBB3, this is an excellent accomplishment, and props for that go to the Development Team. However, thanks to the security audit, RC-6 does bring along fixes for a few XSS vulnerabilities, a new password hashing mechanism, and a number of other new goodies.

Anyway, be sure that you run, don’t walk, over to the downloads page and download the RC-6 updater! The countdown to phpBB3 is getting nearer. Can you feel the excitement?

UPDATE: Acyd Burn has announced that due to some problems with the RC-6 package, a new RC-7 package will be released later today. The teams will be providing auto-update packages for both RC-6 to RC-7 and RC-5 to RC-7. You probably should hold off until the new release this afternoon.
On phpBB Weekly #035, David will probably talk a bit about what happened to necessitate the RC-7 release.

If you are experiencing problems on your board with the RC-6/RC-7 update, read this article, which details many problems with MODs and Styles due to the update.


phpBB Weekly is Copyright © 2007-2009 Douglas Bell and David Lewis, some rights reserved under a Creative Commons License. phpBB and the "phpBB bod" are trademarks of the phpBB Group, used with permission. phpBB Weekly is not directly affiliated with the phpBB Group, but is produced as an independent project of Douglas Bell and David Lewis.