Securing a phpBB V2.0 forum
Written by European network dynamics principal author
For an unknown reason, phpBB 2.0.2x versions have a small 'security hole'. It cannot be considered a real security breach, but it may allow unregistered (i.e. anonymous) users to view the list of registered users, which makes spamming possible.
Therefore, we present here a simple method to slightly strengthen your phpBB installation by denying access to the list of registered users when the visitor is unregistered himself.
A) For 'out of the box' phpBB 2.0.2x versions
1) open file {phpBB_ROOT}/memberlist.php
2) find the following code : init_userprefs($userdata);
3) just after this code add the following :
if ($userdata['user_id'] == ANONYMOUS)
{
redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
}
4) open file {phpBB_ROOT}/groupcp.php
5) find the following code : init_userprefs($userdata);
6) just after this code add the following :
if ($userdata['user_id'] == ANONYMOUS)
{
redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
}
B) For phpBBBridge / embedded phpBB versions, do exactly as above, but work on {phpBB_ROOT}/memberlist.php and {phpBB_ROOT}/inc_groupcp.php.
In any case, you can add this modification to any of the main phpBB files (viewonline.php, index.php and so on).
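One way to check that the guard from steps 3 and 6 is actually in place, for instance after files have been replaced during an update. This is an added example, not part of the original article or of phpBB; the function names and the sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Files named on the page (embedded installs use inc_groupcp.php instead).
FILES = ("memberlist.php", "groupcp.php")

INIT = re.compile(r"init_userprefs\s*\(\s*\$userdata\s*\)\s*;")
# The page's guard: anonymous test, then a redirect to the login page.
GUARD = re.compile(
    r"\s*if\s*\(\s*\$userdata\s*\[\s*['\"]user_id['\"]\s*\]\s*==\s*ANONYMOUS\s*\)"
    r"\s*\{\s*redirect\s*\(\s*append_sid\s*\(\s*\"login\.\$phpEx"
)

def strip_comments(src):
    """Remove PHP comments so a commented-out guard is not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def audit_source(src):
    """Return 'guarded', 'unguarded', or 'no-init' for one PHP source text."""
    src = strip_comments(src)
    init = INIT.search(src)
    if init is None:
        return "no-init"
    # "Just after" init_userprefs: only whitespace may sit in between.
    return "guarded" if GUARD.match(src, init.end()) else "unguarded"

def audit_root(root, files=FILES):
    """Map each file name to its status, or 'missing' if it is absent."""
    result = {}
    for name in files:
        path = Path(root) / name
        result[name] = (audit_source(path.read_text(errors="replace"))
                        if path.is_file() else "missing")
    return result

# Constructed samples, not real phpBB source.
STOCK = "<?php\ninit_userprefs($userdata);\n$start = 0;\n"
PATCHED = STOCK.replace("$start", """if ($userdata['user_id'] == ANONYMOUS)
{
redirect(append_sid("login.$phpEx?redirect=memberlist.$phpEx", true));
}
$start""")
COMMENTED = PATCHED.replace("if (", "/* if (").replace("}\n", "} */\n")

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("patched", PATCHED), ("commented", COMMENTED)):
        print(label, audit_source(text))
```

Call audit_root() with the path of your phpBB installation; pass files=("memberlist.php", "inc_groupcp.php") for an embedded install, or add viewonline.php and index.php if you patched those as well.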