Apr 08, 2009

phpBB Weekly #103: April Fools and Security Fools


Download MP3 Episode (34.6 MB)

Episode Duration: 37:47
On This Episode: Douglas Bell (Fountain of Apples) and Micheal Cottingham (Techie-Micheal)

On this shorter episode, we clean up from the deliciousness of last week and get back to “normal.” Douglas and Micheal take a look back at a number of the April Fool’s pranks from the previous week (see links below) from phpBB communities and other websites.

UMIL 1.0 RC-2 was recently released by the MOD Team, and we briefly recap UMIL and what it does, but don’t get into many details about the new RC without David’s expertise on the subject.

Finally, Micheal discusses a recurring issue of people claiming that phpBB3 has vulnerabilities and exploits that do not exist (like this recent example). We discuss a bit about the ramifications of these and the best way that phpBB, other security firms, and web hosts can respond to these. See also this phpBB.com blog post and this discussion topic.

April Fools Links Mentioned on the Show:
Community April Fools Jokes
Deck 15–DO NOT ENTER!
New Tech “Products” for April 1st
Google’s Gmail Autopilot
Woopra’s Webcam Enablement Feature
UC San Diego’s Acceptances April Fools

Our ongoing Poll Question of the Week is “What should be featured on the next episode of BBGourmet?” Vote in the poll on the sidebar to the right. Poll ends on Saturday, April 11.

The MOD of the Week is Save full drafts by asinshesq, and the Style of the Week is SpringFlowers by BillStur Styles.

Written by Douglas Bell in: Released Episodes

Mar 18, 2009

phpBB Weekly #100: Securing Our Centennial Celebration


Download MP3 Episode (62.6 MB)

Episode Duration: 1:08:20
On This Episode: Douglas Bell (Fountain of Apples) and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

We have done it! Our one-hundredth episode of phpBB Weekly, a significant milestone for any podcast. There may be tens or hundreds of thousands of podcasts out there, but only some of them reach this milestone, and it is one we never thought this show would reach ourselves.

Unfortunately, despite the high demand from our listeners, we were unable to book a guest to join us on this episode. But we had someone almost as good! Our new temporary co-host, Micheal Cottingham, joined us in his new role for the first time on this show, and he and Douglas chatted a bit about security. We discuss a number of the topics from the StarTrekGuide Security Class forum (including an important one for EVERYONE to read about protecting your passwords), and we also go over some common injection vulnerabilities that MOD authors and all PHP developers need to keep an eye out for. And if you think you know all of the injections by heart, why not try the “Find the Injection” games over on the Security Class forum?
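As an added illustration of the injection class mentioned above (this is editor-supplied example code, not code from the show, from phpBB, or from the Security Class forum), the block below builds a forum-style user lookup two ways and runs a classic payload through both. It uses Python with an in-memory SQLite table of constructed sample rows so it runs stand-alone; phpBB MODs are PHP, but the pattern is identical. It also goes one step beyond the string case to the numeric-column trap that the “Find the Injection” games tend to rely on: quote-escaping (in the spirit of addslashes() or phpBB3's $db->sql_escape(), simplified here to quote doubling) does nothing when the value is not inside quotes. The table layout, column names and the sql_escape helper are assumptions for the example.

```python
"""Added example (not from the podcast or phpBB): a forum-style user lookup
written vulnerably and then safely, for string and numeric contexts.
Uses an in-memory SQLite table with constructed sample rows."""
import sqlite3

# Constructed sample data: a tiny users table, in the spirit of a forum's.
_SAMPLE_USERS = [
    (1, "admin", "hash_of_admin_password"),
    (2, "alice", "hash_of_alice_password"),
]


def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """The bug: untrusted input pasted straight into the SQL text.
    Mirrors the PHP pattern  "... WHERE username = '" . $_POST['u'] . "'"."""
    sql = "SELECT user_id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT user_id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def sql_escape(value: str) -> str:
    """Assumed, simplified quote-escaping helper (doubles single quotes so
    they cannot close a quoted literal). Real DBAL escaping is DB-specific."""
    return value.replace("'", "''")


def lookup_by_id_escaped_unquoted(conn, user_id: str) -> list:
    """Still vulnerable: the column is numeric, so the value is not quoted,
    and a payload such as  1 OR 1=1  contains no quote to escape."""
    sql = "SELECT user_id, username FROM users WHERE user_id = " + sql_escape(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_cast(conn, user_id: str) -> list:
    """The fix for numeric context: coerce to int first (request_var-style
    typing), reject garbage, then bind the integer."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # never reaches the database with non-numeric input
    sql = "SELECT user_id, username FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


def demo() -> dict:
    """Run honest input and two payloads through each variant."""
    conn = _make_db()
    string_payload = "nobody' OR '1'='1"
    numeric_payload = "0 OR 1=1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, string_payload),
        "payload_parameterized": lookup_parameterized(conn, string_payload),
        "numeric_escaped_unquoted": lookup_by_id_escaped_unquoted(conn, numeric_payload),
        "numeric_cast": lookup_by_id_cast(conn, numeric_payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The string payload returns every user from the vulnerable lookup and nothing from the parameterized one, which is the whole point of binding. The numeric case is the one worth remembering when reading MOD code: escaping is a string-literal defence, so an integer column needs an integer, typed at the request boundary, not an escaped string.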

We also take a look at a recent blog post about Area51 (the phpBB development site, not the secret military base) and discuss a bit about its past role during Olympus development and its likely role during Ascraeus development.

Our last poll question was “What’s your favorite web browser?” There were 6 votes (55%) for “Firefox!”, 3 votes (27%) for “Safari!”, 1 vote (9%) for “Internet Explorer,” and 1 vote (9%) for “I seem to have an inability to pick a web browser and stick with it.” This week’s poll will be “What’s the best April Fool’s prank to pull on your users?” The poll will open up later this week and run until March 28; plus there will be an “Other” option for you to submit your own suggestions!

The MOD of the Week is User Reminder by lefty74, and the Style of the Week is AutumnsColor by BillStur Styles.

Oct 13, 2007

phpBB3 Release Candidate 6 Released

phpBB 3.0.RC6, probably the most hyped release candidate of phpBB so far (and definitely the one release that we’ve talked about more than any other on our show), was just released this afternoon. (Or, if you’re in Europe/Asia, it was released last night.) What’s so significant about this particular release is that it arguably includes the most changes/new features to the phpBB3 codebase since UTF-8 support arrived in Beta3, back last November. (David covered many of these features on episode #033, and we also discussed a few of these on today’s episode #034, which will be released really soon.)

It was also revealed that the phpBB3 codebase security audit was done by independent software security company SektionEins. Their website indicates that they specialize in security audits for web applications, in particular those based on PHP. Their site also lists a number of stats about Internet attacks, and on episode #034 we talked a bit about some common vulnerabilities that web applications suffer. One of the reasons that phpBB has a bad reputation for security is that many hosts are still running much older versions of phpBB2 that have serious vulnerabilities in them. The phpBB teams over the years have been very good at getting new, fixed releases out in a timely manner, and the majority of the fault for these exploits lies with forum admins who don’t keep phpBB2 up-to-date, but the phpBB teams have nevertheless been unfairly blamed many times for them. With a codebase audit done before Olympus goes gold, phpBB3 will hopefully have a better security track record than phpBB2 did.

Acyd Burn mentioned that the security audit turned up zero SQL injection vulnerabilities and zero Command Code Execution (CCE) vulnerabilities, which is excellent news and really exemplifies phpBB3’s superiority to phpBB2 when it comes to security. Considering that there are over 200,000 lines of code in phpBB3, this is an excellent accomplishment, and props for that go to the Development Team. That said, thanks to the security audit, RC-6 does bring along fixes for a few XSS vulnerabilities, a new password hashing mechanism, and a number of other new goodies. Keep in mind that an audit of the core codebase says nothing about third-party MODs installed on top of it; those remain the admin’s and the MOD author’s responsibility.

Anyway, be sure that you run, don’t walk, over to the downloads page and download the RC-6 updater! phpBB3 gold is getting nearer, can you feel the excitement?

UPDATE: Acyd Burn has announced that due to some problems with the RC-6 package, a new RC-7 package will be released later today. The teams will be providing auto-update packages for both RC-6 to RC-7 and RC-5 to RC-7. You probably should hold off until the new release this afternoon.
On phpBB Weekly #035, David will probably talk a bit about what happened to necessitate the RC-7 release.

If you are experiencing problems on your board with the RC-6/RC-7 update, read this article which details many problems with MODs and Styles due to the update.

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.