If you upgraded to phpBB 3.3.6 before upgrading to phpBB 3.3.7, read this

The phpBB Group made a major error in its 3.3.6 release. The error is understandable, but still surprising: this is the first release I am aware of where, if you are affected by the bug, the only fix is to recover two tables that you are supposed to back up before upgrading to phpBB 3.3.6.

How can I tell if my board is affected?

One way is to access your board as a guest. If it says your board has no forums, but previously a guest would see your forums, you are affected.

If you can still see forums as a guest, that doesn’t mean you aren’t affected. The test only works in one direction: if a guest can’t see forums that were visible before, you are definitely affected by the bug.

The only way to know for sure would be to compare the phpbb_acl_groups and phpbb_acl_users tables from before upgrading to phpBB 3.3.6 with your current tables and if any rows are missing put them back in these tables. This is not easy. You might want to seek professional help to fix these issues.
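One way to do the comparison described above, as an added example that is not part of the original post: it parses the INSERT INTO statements for one table out of two .sql dumps, lists the rows that exist only in the pre-3.3.6 backup, and builds a statement that puts them back. The dump contents and the function names are constructed for illustration; the column names follow the phpbb_acl_groups example shown on this page.

```python
import re

def parse_acl_rows(dump_text, table):
    """Return the set of integer row tuples a .sql dump inserts into `table`."""
    stmt_re = re.compile(
        r"INSERT\s+INTO\s+`?" + re.escape(table)
        + r"`?\s*(?:\([^)]*\))?\s*VALUES\s*(.*?);",
        re.IGNORECASE | re.DOTALL,
    )
    rows = set()
    for stmt in stmt_re.finditer(dump_text):
        # Each "(a, b, c, d, e)" group is one row. ACL columns are all integers,
        # so a group can be split on commas even when it wraps across lines.
        for group in re.findall(r"\(([^()]*)\)", stmt.group(1)):
            rows.add(tuple(int(v.strip().strip("'")) for v in group.split(",")))
    return rows

def missing_rows(backup_dump, current_dump, table):
    """Rows present in the backup but absent from the current table, sorted."""
    before = parse_acl_rows(backup_dump, table)
    after = parse_acl_rows(current_dump, table)
    return sorted(before - after)

def restore_statement(table, columns, rows):
    """Build one INSERT that re-adds only the missing rows ('' if none)."""
    if not rows:
        return ""
    values = ",".join("(" + ", ".join(map(str, r)) + ")" for r in rows)
    return f"INSERT INTO {table} ({', '.join(columns)}) VALUES {values};"

ACL_GROUP_COLUMNS = ("group_id", "forum_id", "auth_option_id",
                     "auth_role_id", "auth_setting")

# Constructed sample dumps (not real board data). The backup wraps a row
# across a line break, as long dump lines often do.
BACKUP_DUMP = """
INSERT INTO phpbb_acl_groups (group_id, forum_id, auth_option_id, auth_role_id, auth_setting) VALUES (88, 5, 0, 14, 0),(84, 5, 15, 0, 1),(3, 5, 1, 0,
1),(1, 5, 0, 17, 0);
"""
CURRENT_DUMP = """
INSERT INTO `phpbb_acl_groups` VALUES (88, 5, 0, 14, 0),(84, 5, 15, 0, 1);
"""

if __name__ == "__main__":
    lost = missing_rows(BACKUP_DUMP, CURRENT_DUMP, "phpbb_acl_groups")
    print(len(lost), "row(s) missing from the current table")
    print(restore_statement("phpbb_acl_groups", ACL_GROUP_COLUMNS, lost))
```

Review the list of missing rows before running the generated statement, since it also re-adds permissions that were removed on purpose after the backup was taken.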

If my board is affected, how do I fix this?

Recover your database to before you upgraded to phpBB 3.3.6, then upgrade phpBB

If you are comfortable with losing any content since you upgraded, you fully backed up your database before the upgrade, and the backup is stored in your board’s /store folder, you could:

  1. Use phpBB’s restore function: ACP > Maintenance > Database > Restore. Make sure you pick the right archive to recover.
  2. Afterward, you may have orphaned attachments. You can get rid of these: ACP > Posting > Attachments > Orphaned attachments
  3. Next, upgrade to the latest version of phpBB using the normal process

Warning: on some servers you may experience timeouts and other issues using this process. The likelihood of this happening increases on shared hosting and if you have lots of posts and users. If you are familiar with using SQL from the command line, it is better to restore your database this way. You may need to explicitly drop all the tables in your database first.

Recover the two affected tables, then upgrade phpBB

If the other options aren’t viable, you have to fix the database directly. And it can be kind of confusing if you are not familiar with SQL or don’t know how to use programs like phpMyAdmin. But you must have a backup of your database before you upgraded or updated to phpBB 3.3.6 and the backup must contain the two tables affected.

Two tables must be emptied using a tool like phpMyAdmin
  • Your database backup is either in an archive or a long file with a .sql suffix. If it’s in an archive, extract it.
  • You will need to open the .sql file in a text editor. If the file is big, it may crash some text editors. BBEdit is an example of a text editor that should be able to handle large .sql files.
  • Search for your phpbb_acl_groups table. If your table prefix is not phpbb_, search for the correct name, like phpbb3_acl_groups. Find the INSERT INTO statement for the table. Here’s an example:

INSERT INTO phpbb_acl_groups (group_id, forum_id, auth_option_id, auth_role_id, auth_setting) VALUES (88, 5, 0, 14, 0),(84, 5, 15, 0, 1),(84, 5, 1, 0, 1),(85, 5, 15, 0, 1),(85, 5, 1, 0, 1),(3, 5, 1, 0, 1),(3, 5, 14, 0, 1),(83, 5, 1, 0, 1),(83, 5, 14, 0, 1),(3, 5, 20, 0, 1),(3, 5, 23, 0, 1),(83, 5, 20, 0, 1),(83, 5, 23, 0, 1),(3, 5, 17, 0, 1),(3, 5, 4, 0, 1),(3, 5, 25, 0, 1),(3, 5, 13, 0, 1),(3, 5, 24, 0, 1),(3, 5, 18, 0, 1),(3, 5, 22, 0, 1),(3, 5, 27, 0, 1),(3, 5, 19, 0, 1),(3, 5, 9, 0, 1),(83, 5, 17, 0, 1),(83, 5, 4, 0, 1),(83, 5, 25, 0, 1),(83, 5, 13, 0, 1),(83, 5, 24, 0, 1),(83, 5, 18, 0, 1),(83, 5, 22, 0, 1),(83, 5, 27, 0, 1),(83, 5, 19, 0, 1),(83, 5, 9, 0, 1),(3, 5, 21, 0, 1),(83, 5, 21, 0, 1),(3, 5, 8, 0, 1),(83, 5, 8, 0, 1),(3, 5, 6, 0, 1),(83, 5, 6, 0, 1),(3, 5, 16, 0, 1),(83, 5, 16, 0, 1),(3, 5, 29, 0, 1),(83, 5, 29, 0, 1),(3, 5, 26, 0, 1),(83, 5, 26, 0, 1),(84, 5, 3, 0, 1),(84, 5, 7, 0, 1),(89, 5, 3, 0, 1),(89, 5, 7, 0, 1),(89, 5, 1, 0, 1),(85, 5, 3, 0, 1),(85, 5, 7, 0, 1),(88, 6, 0, 14, 0),(84, 6, 15, 0, 1),(84, 6, 1, 0, 1),(85, 6, 15, 0, 1),(85, 6, 1, 0, 1),(3, 6, 1, 0, 1),(3, 6, 14, 0, 1),(83, 6, 1, 0, 1),(83, 6, 14, 0, 1),(3, 6, 20, 0, 1),(3, 6, 23, 0, 1),(83, 6, 20, 0, 1),(83, 6, 23, 0, 1),(3, 6, 17, 0, 1),(3, 6, 4, 0, 1),(3, 6, 25, 0, 1),(3, 6, 13, 0, 1),(3, 6, 24, 0, 1),(3, 6, 18, 0, 1),(3, 6, 22, 0, 1),(3, 6, 27, 0, 1),(3, 6, 19, 0, 1),(3, 6, 9, 0, 1),(83, 6, 17, 0, 1),(83, 6, 4, 0, 1),(83, 6, 25, 0, 1),(83, 6, 13, 0, 1),(83, 6, 24, 0, 1),(83, 6, 18, 0, 1),(83, 6, 22, 0, 1),(83, 6, 27, 0, 1),(83, 6, 19, 0, 1),(83, 6, 9, 0, 1),(3, 6, 21, 0, 1),(83, 6, 21, 0, 1),(3, 6, 8, 0, 1),(83, 6, 8, 0, 1),(3, 6, 6, 0, 1),(83, 6, 6, 0, 1),(3, 6, 16, 0, 1),(83, 6, 16, 0, 1),(3, 6, 29, 0, 1),(83, 6, 29, 0, 1),(3, 6, 26, 0, 1),(83, 6, 26, 0, 1),(84, 6, 3, 0, 1),(84, 6, 7, 0, 1),(89, 6, 3, 0, 1),(89, 6, 7, 0, 1),(89, 6, 1, 0, 1),(85, 6, 3, 0, 1),(85, 6, 7, 0, 1),(88, 0, 0, 5, 0),(87, 0, 0, 5, 0),(88, 0, 0, 4, 0),(85, 0, 0, 6, 0),(86, 0, 0, 6, 0),(88, 7, 0, 14, 
0),(87, 7, 0, 14, 0),(3, 7, 14, 0, 1),(3, 7, 1, 0, 1),(83, 7, 14, 0, 1),(83, 7, 1, 0, 1),(88, 7, 14, 0, 1),(88, 7, 1, 0, 1),(87, 0, 0, 4, 0),(87, 6, 0, 14, 0),(87, 5, 0, 14, 0),(87, 5, 0, 10, 0),(87, 6, 0, 10, 0),(87, 0, 32, 0, 1),(87, 0, 33, 0, 1),(87, 0, 34, 0, 1),(87, 0, 35, 0, 1),(87, 0, 36, 0, 1),(87, 0, 40, 0, 1),(87, 0, 127, 0, 1),(87, 0, 42, 0, 1),(87, 0, 128, 0, 1),(87, 0, 43, 0, 1),(87, 0, 37, 0, 1),(87, 0, 38, 0, 1),(87, 0, 39, 0, 1),(87, 0, 41, 0, 1),(87, 0, 31, 0, 1),(3, 5, 130, 0, 1),(83, 5, 130, 0, 1),(3, 6, 130, 0, 1),(83, 6, 130, 0, 1),(88, 8, 0, 14, 0),(87, 8, 0, 14, 0),(88, 8, 14, 0, 1),(88, 8, 1, 0, 1),(3, 8, 0, 21, 0),(83, 8, 0, 21, 0),(88, 9, 0, 14, 0),(84, 9, 15, 0, 1),(84, 9, 1, 0, 1),(85, 9, 15, 0, 1),(85, 9, 1, 0, 1),(3, 9, 1, 0, 1),(3, 9, 14, 0, 1),(83, 9, 1, 0, 1),(83, 9, 14, 0, 1),(3, 9, 20, 0, 1),(3, 9, 23, 0, 1),(83, 9, 20, 0, 1),(83, 9, 23, 0, 1),(3, 9, 17, 0, 1),(3, 9, 4, 0, 1),(3, 9, 25, 0, 1),(3, 9, 13, 0, 1),(3, 9, 24, 0, 1),(3, 9, 18, 0, 1),(3, 9, 22, 0, 1),(3, 9, 27, 0, 1),(3, 9, 19, 0, 1),(3, 9, 9, 0, 1),(83, 9, 17, 0, 1),(83, 9, 4, 0, 1),(83, 9, 25, 0, 1),(83, 9, 13, 0, 1),(83, 9, 24, 0, 1),(83, 9, 18, 0, 1),(83, 9, 22, 0, 1),(83, 9, 27, 0, 1),(83, 9, 19, 0, 1),(83, 9, 9, 0, 1),(3, 9, 21, 0, 1),(83, 9, 21, 0, 1),(3, 9, 8, 0, 1),(83, 9, 8, 0, 1),(3, 9, 6, 0, 1),(83, 9, 6, 0, 1),(3, 9, 16, 0, 1),(83, 9, 16, 0, 1),(3, 9, 29, 0, 1),(83, 9, 29, 0, 1),(3, 9, 26, 0, 1),(83, 9, 26, 0, 1),(84, 9, 3, 0, 1),(84, 9, 7, 0, 1),(89, 9, 3, 0, 1),(89, 9, 7, 0, 1),(89, 9, 1, 0, 1),(85, 9, 3, 0, 1),(85, 9, 7, 0, 1),(87, 9, 0, 14, 0),(87, 9, 0, 10, 0),(3, 9, 130, 0, 1),(83, 9, 130, 0, 1),(88, 10, 0, 14, 0),(84, 10, 15, 0, 1),(84, 10, 1, 0, 1),(85, 10, 15, 0, 1),(85, 10, 1, 0, 1),(3, 10, 1, 0, 1),(3, 10, 14, 0, 1),(83, 10, 1, 0, 1),(83, 10, 14, 0, 1),(3, 10, 20, 0, 1),(3, 10, 23, 0, 1),(83, 10, 20, 0, 1),(83, 10, 23, 0, 1),(3, 10, 17, 0, 1),(3, 10, 4, 0, 1),(3, 10, 25, 0, 1),(3, 10, 13, 0, 1),(3, 10, 24, 0, 1),(3, 10, 18, 0, 1),(3, 10, 22, 0, 
1),(3, 10, 27, 0, 1),(3, 10, 19, 0, 1),(3, 10, 9, 0, 1),(83, 10, 17, 0, 1),(83, 10, 4, 0, 1),(83, 10, 25, 0, 1),(83, 10, 13, 0, 1),(83, 10, 24, 0, 1),(83, 10, 18, 0, 1),(83, 10, 22, 0, 1),(83, 10, 27, 0, 1),(83, 10, 19, 0, 1),(83, 10, 9, 0, 1),(3, 10, 21, 0, 1),(83, 10, 21, 0, 1),(3, 10, 8, 0, 1),(83, 10, 8, 0, 1),(3, 10, 6, 0, 1),(83, 10, 6, 0, 1),(3, 10, 16, 0, 1),(83, 10, 16, 0, 1),(3, 10, 29, 0, 1),(83, 10, 29, 0, 1),(3, 10, 26, 0, 1),(83, 10, 26, 0, 1),(84, 10, 3, 0, 1),(84, 10, 7, 0, 1),(89, 10, 3, 0, 1),(89, 10, 7, 0, 1),(89, 10, 1, 0, 1),(85, 10, 3, 0, 1),(85, 10, 7, 0, 1),(87, 10, 0, 14, 0),(87, 10, 0, 10, 0),(3, 10, 130, 0, 1),(83, 10, 130, 0, 1);

  • Empty this table first using a tool like phpMyAdmin (see above). This removes all rows in the table.
  • Afterward, using a tool like phpMyAdmin, copy and paste the INSERT INTO statement(s) from your editor. Using phpMyAdmin, you could click on the SQL tab and insert them there, and press GO at the bottom of the page to execute the statement(s). This should restore the table’s content to the way it was before you upgraded to phpBB 3.3.6.
  • Use the same approach for your version of the phpbb_acl_users table. Empty the table and execute the SQL in your editor to recover this table.
  • Now do a normal upgrade to the latest version of phpBB.
  • If after the upgrade to 3.3.6 you made any permission changes to users or groups, these would need to be reapplied.

Protecting your board from Denial of Service (DoS) attacks

There have been many prominent articles about web sites being taken down by Denial of Service (DoS) attacks. A Denial of Service attack is when a machine on the internet sends so many requests to your web server in a short period of time that the web server can’t keep up with the demand. This makes it unavailable to legitimate users and often returns cryptic error messages to users. It’s like your web server blows a fuse. Even after the attack abates, your server may not be able to recover without a reboot or some internal repairs.

In a Distributed Denial of Service (DDoS) attack, a number of machines across the Internet attack your web server at the same time. DDoS attacks tend to be more severe because more requests can be sent at the same time. These attacks become harder to block too, because the Internet Protocol (IP) addresses of attacking machines change.

In this post I’ll look at how to protect your board from both DoS and DDoS attacks using Cloudflare.

What is Cloudflare?

Cloudflare is a prominent company that specializes in implementing content delivery networks (CDNs). CDNs place copies of your web site’s files geographically close to your users, speeding up the rendering of your web pages.

Cloudflare can also protect web sites so that if a DoS or a DDoS attack occurs, the offending machines can quickly be blocked, minimally impacting your site’s availability to legitimate users.

A phpBB board is often part of a web site. Generally, Cloudflare protects domains. I’ll describe how it protects domains. If you want to use Cloudflare to protect a subdomain but not the domain itself, this is a more complex process described here.

Using Cloudflare is not necessarily free, but it often is. You can start with a free plan. If your domain is not used for commercial purposes, you can use Cloudflare for free. If your site is for professional use, the cost is $20/month. Cloudflare can be very pricey for businesses and enterprises: $200/month or more. But if you have this kind of website, you are probably using Cloudflare or a similar service already.

Cloudflare has competitors, so you can shop around if you need to pay for DoS or DDoS protection. Arguably, though, Cloudflare was the first to master this market and is its industry leader.

Protecting your domain with Cloudflare is generally pretty easy. Let’s look at the steps.

Step 1. Get a Cloudflare account

If you don’t already have a Cloudflare account, you can create one. It’s a simple process that should not take more than a few minutes.

Step 2. Add your domain to your Cloudflare account

Look for the Websites link on the left sidebar. After clicking on it, click on the Add a Site button and add the domain containing your phpBB board. Cloudflare will find your public domain records and show them to you.

Step 3. Change the nameservers for your domain to use Cloudflare’s nameservers

Next, log in to your domain registrar and find the records for your domain. Verify your domain records match those that Cloudflare found. Then change your domain’s nameservers to the nameservers Cloudflare provided. Nameservers tell computers the Internet Protocol (IP) address where your site’s content resides. Cloudflare should provide you with two nameservers.

To make things easier, you may want to access your registrar in a separate browser tab so you can more easily copy and paste Cloudflare’s nameservers into the form provided by your registrar.

Step 4. Wait for the DNS to change

It can take up to 48 hours for your DNS changes to propagate across the Internet, but it is generally quick, with most ISPs getting updates in one to two hours. While this happens, your domain should still be accessible, but may be briefly inaccessible.

Your domain may still be affected if a DoS or DDoS attack occurs during the nameserver propagation process. You can get a sense of whether the DNS changes are complete by using a tool like Who.Is to check your domain and the nameservers it finds for your domain. When complete, the nameservers should match those provided to you by Cloudflare.

How it works

Most attacks target a domain. DNS resolution is the process of translating a domain name (myspecialboard.com) to an IP address, for example 123.45.67.89. Attackers will query Cloudflare’s nameservers to get your IP address. Because Cloudflare constantly monitors the web, it generally knows the IP addresses of attacking machines. It won’t provide your server’s correct IP address to these machines, insulating your web server from most of these attacks.

Attacks may still occur, but are unlikely

Targeted DoS and DDoS attacks can still succeed if the attacker knows or randomly picks the Internet Protocol (IP) address of your web server and attacks it, rather than your domain. As your web server’s IP address won’t be generally known, these incidents should be few and far between. If they occur, it is likely due to an attack on a random IP address.
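One way to spot requests that reach the web server by IP address instead of through Cloudflare, as an added example that is not part of the original post. When a domain is proxied through Cloudflare, the web server sees connections coming from Cloudflare's own addresses, so any other peer address in the access log is a direct hit. The log lines are constructed, the log is assumed to record the connecting peer's address in its first field, and the ranges are only a subset of Cloudflare's published IPv4 list.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges, for illustration only.
# Load the full, current list from https://www.cloudflare.com/ips/ in real use.
# IPv6 ranges are omitted; add them if the server also listens on IPv6.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "162.158.0.0/15", "172.64.0.0/13", "198.41.128.0/17",
)]

def via_cloudflare(peer):
    """True if the connecting address belongs to a listed Cloudflare range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS)

def direct_hits(log_lines):
    """Count requests per peer address that did not arrive through Cloudflare."""
    hits = Counter()
    for line in log_lines:
        peer = line.split(" ", 1)[0]
        try:
            if not via_cloudflare(peer):
                hits[peer] += 1
        except ValueError:
            continue  # first field is not an IP address: skip the line
    return hits

# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '172.68.10.5 - - [12/Mar/2022:10:00:01 +0000] "GET /viewtopic.php?t=12 HTTP/1.1" 200 5120',
    '203.0.113.50 - - [12/Mar/2022:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '203.0.113.50 - - [12/Mar/2022:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '104.16.33.9 - - [12/Mar/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '203.0.113.50 - - [12/Mar/2022:10:00:03 +0000] "GET /search.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 4096',
    'malformed line without an address',
]

if __name__ == "__main__":
    for peer, count in direct_hits(SAMPLE_LOG).most_common():
        print(f"{peer} reached the server directly {count} time(s)")
```

Peers listed by this check bypassed Cloudflare entirely; a firewall rule that accepts web traffic only from Cloudflare's ranges closes that path.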

If you detect a DoS or DDoS attack after being protected by Cloudflare, Cloudflare can still help. Click on your website on the Cloudflare web page and set the Under Attack Mode slider control to On. More details are here. Cloudflare will examine the machines hitting your domain and do its best to block them.

If you use shared hosting, you may still be subject to DoS or DDoS attacks you can’t control. This is because the attack may not be happening to your domain directly, but to another domain on the same server using the same IP address as your web server. Such a scenario though is pretty unlikely.

February 2022 work summary

February was a bit like January: plenty to do at the start and end of the month with not so much in the middle of the month. So during the middle of the month I released new versions of three of my extensions: Digests, Spam Remover and SCSS compiler.

I thought my development work for a major commercial client was done but a few new minor tasks were discovered. These tasks included:

  • Replicating a kill user feature that was overlooked. It gives an admin a one button press to remove a spam user and all their posts.
  • Changed an extension I wrote that emails to a mailing list all admin log entries to also send the list critical error log entries.

Other work for clients in February included:

  • WordPress work. Updated an old WordPress instance from WordPress 5.3 to 5.9. I got errors after logging in and solved them by going into the database and changing the row in the wp_options table that enabled all the plugins. Installed a default theme. Moved a number of posts and pages into the trash. Rearranged the menu and added some pages. Then demonstrated how to add PDFs to the Media Library and how to use the Gallery extension, which I had to reinstall, but a gallery of smilie fingerprints was already set up. I just had to add the correct shortcode to the page so it would render. Set up another gallery for a set of other kinds of images and demonstrated uploading some of these. The client may be able to take it from here.
  • Installed the Topic Tags extension using a 3.3 version I found on a client’s test website. Client tried it out and had me install it in production.
  • Upgraded a board from phpBB 3.0.14 to 3.3.5. Tried to use Support Toolkit but had errors manifested by syntax errors in language pack files, and eventually decided to give up on it. Set everyone to use the British English language pack. There were dozens of language packs installed. Three database errors had to be fixed to complete the upgrade. I stayed with the default prosilver style. I disabled the contact page and set up the reCaptcha V3 spambot countermeasure. I set up a home page link, installed the Advertisement management extension and placed a sample ad.
  • Rehosting and conversion. This was a conversion from phpBB 2.0.16. I moved the files and database to temporary hosting for a subdomain. The board had 354,000 posts. I had to split the extract of the phpbb_post_text table into two extracts to get under the 50 MB upload limit, as well as not carry over the search tables. Converted using phpBB 3.3.4 to avoid a conversion bug, then updated to 3.3.5. I tried to install the SiteSplat style but it didn’t show an ad, so I used the ProLight style, then created a custom style based on it. The style needed to incorporate the site’s WordPress headers and footers, which took two hours of time. Installed the Advertisement Management, Site Map and Google Analytics extensions. I placed a sample ad. The user tested it, then let me move it into place, which was a folder inside their new WordPress site done by someone else.
  • I was asked to check emailing from the board. No problems were found, but I couldn’t get it to work with SMTP. I created an admin email address for the domain and changed the default email address for the board to that. Provided guidance on subscribing to forums and topics. Later, attempted to integrate simpler WordPress theme HTML provided by their contractor but couldn’t get it to work. I moved over both the files and database. The board came up without an issue after changes to config.php.
  • Upgraded a board from phpBB 3.2.9 to 3.3.5. I deactivated and removed a number of styles and made prosilver the default style for everyone. Upgraded the Pages extension from version 2.0.4 to 2.0.5. Originally I figured out that the reason the board did not come up was because BlueHost changed PHP to 8.0. Temporarily reverted the domain to PHP 7.3, then later, after upgrading the board, I enabled PHP 8.0 again.
  • Updated a board from phpBB 3.3.4 to 3.3.5. Created a custom style inheriting from prosilver to simplify updates next time. Since the Board3 Portal extension was installed, I changed the .htaccess file to load the portal page by default.