Making phpBB a bit more secure

I actually like phpBB. Why? Because it is mature and usually works perfectly for setting up a nice (looking) forum in a really short time. phpBB has a lot of ‘security’ problems. Usually these are not really problems in the forum software itself; rather, because of its massive use, a forum that is not properly secured gets attacked by a lot of automated software on the internet.
When I set up a forum for the first time, I usually allow anonymous posting. This is one of those ‘security’ things; anonymous posting makes it very easy for a robot to run over the internet and post crap like viagra and casino links.

To fix this, phpBB has an option to let only registered users post to a forum. This, however, does not work either, because the robots can register themselves and then post crap.

Luckily the system has a way to ‘secure’ the registration process by adding a captcha to the forum registration form. In the case of phpBB, however, this is not safe either.

So what can you do? Just replace the captcha algorithm with your own! And when that one gets hacked, just replace it again! At least the automated bots on the internet don’t stand a chance this way.

So here is a little howto for phpBB 2.x.

Edit the file includes/usercp_confirm.php; go to the line before

if (@extension_loaded('zlib'))

(line 67 in my version)

and put

exit;

there.

Your own code goes in before that exit.

Now download the following captcha code, for instance:

http://www.ejeliot.com/pages/2

and put it in your phpBB main directory.

You are almost done now.

Add the following above the ‘exit’ in includes/usercp_confirm.php:

require('php-captcha.inc.php');
$aFonts = array('/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf');
$oPhpCaptcha = new PhpCaptcha($aFonts, 202, 43);
$oPhpCaptcha->Create('', $code);

Change this line:

$aFonts = array('/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf');

to a font (or more than one; it is an array 😉) that actually exists on your system.

This still does not work, because

$oPhpCaptcha->Create('', $code);

does not exist in that form yet; you need to edit the php-captcha code. Open the file php-captcha.inc.php and find the function ‘GenerateCode’; change it as follows:

function GenerateCode($generate = 0) {
    // reset code
    $this->sCode = '';

    if (!$generate) {
        // leave original code here! (the library's own random code generation)
    } else {
        // use the code phpBB already stored for this confirm id
        $this->sCode = $generate;
    }

    // save code in session variable
    if ($this->bCaseInsensitive) {
        $_SESSION[CAPTCHA_SESSION_ID] = strtoupper($this->sCode);
    // etc; put original code here

Now find the first Create method (the second one belongs to the sound captcha!) and find the line

$this->GenerateCode();

and change it to:

$this->GenerateCode($generate);

Now the code will be working fine.
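A fuller version of the block that goes above the exit in includes/usercp_confirm.php, as an added example (not code from the post or from the php-captcha library). It assumes phpBB 2.x’s $phpbb_root_path global, the $code variable that usercp_confirm.php already holds for this confirm id, and that Create() in php-captcha.inc.php was given a second parameter so $generate reaches GenerateCode(). It checks that the fonts and the library file are readable first and, when they are not, falls through to phpBB’s own image code instead of serving a broken image.

```php
<?php
// Added example: replacement for the require/Create/exit block in
// includes/usercp_confirm.php (phpBB 2.x). Not the post's own code.
// Assumes: $phpbb_root_path (phpBB 2.x global), $code (already loaded by
// usercp_confirm.php), and Create($sFilename = '', $generate = 0) in
// php-captcha.inc.php (the extra parameter is our assumption).

// Candidate fonts; adjust to what exists on your server.
$aCandidateFonts = array(
    '/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf',
    '/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf',
);

// Keep only fonts that are really readable; a bad path is the usual
// reason the confirm image comes out empty.
$aFonts = array();
foreach ($aCandidateFonts as $sFont) {
    if (is_readable($sFont)) {
        $aFonts[] = $sFont;
    }
}

$sCaptchaLib = $phpbb_root_path . 'php-captcha.inc.php';

// Only take over when we can actually render. If anything is missing we
// do NOT exit, so the rest of the file (phpBB's own generator) still runs.
if (!empty($code) && !empty($aFonts) && is_readable($sCaptchaLib)) {
    require_once($sCaptchaLib);

    // Same image size the post uses.
    $oPhpCaptcha = new PhpCaptcha($aFonts, 202, 43);

    // Hand phpBB's stored code to the patched GenerateCode(), so the image
    // shows exactly the string phpBB will compare on form submit.
    $oPhpCaptcha->Create('', $code);
    exit;
}

// phpBB's original image code continues below (the zlib check, etc.)
```

If the image still fails, the debugging steps below (opening the confirm URL directly) will show the PHP error from the library instead of a broken image.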

If you need to debug, go to the registration page of your phpBB site:

/profile.php?mode=register&agreed=true

open the HTML source and search for an img src attribute which contains

/profile.php?mode=confirm&id=

and open that URL in the browser; you will then see why something is not working.
