Software Security/Group 9/PhpBB
Directory Structure
[phpBB2]
- —ι common.php
- —ι config.php
- —ι extension.inc
- —› faq.php
- —› groupcp.php
- —› index.php
- —› install.php — installation page, not our concern
- —› login.php
- —› memberlist.php
- —› modcp.php
- —› posting.php
- —› privmsg.php
- —› profile.php
- —› search.php
- —› update_to_FINAL.php — installation page, not our concern
- —› upgrade.php — installation page, not our concern
- —› viewforum.php
- —› viewonline.php
- —› viewtopic.php
- [admin]
- —› admin_board.php
- —› admin_db_utilities.php
- —› admin_disallow.php
- —› admin_forumauth.php
- —› admin_forums.php
- —› admin_forum_prune.php
- —› admin_groups.php
- —› admin_mass_email.php
- —› admin_ranks.php
- —› admin_smilies.php
- —› admin_styles.php
- —› admin_ug_auth.php
- —› admin_users.php
- —› admin_user_ban.php
- —› admin_words.php
- —› index.php
- —ι pagestart.php
- —ι page_footer_admin.php
- —ι page_header_admin.php
- [contrib] — several contributed modules; not installed by default and not in our scope
- [db] — SQL layers providing abstractions to support different database backends, not of particular interest to us
  - [schemas] — contains phpBB's db schema, which we would not need to review
- [docs] — several somewhat outdated documents, not very useful
- [images] — just a bunch of images
- [includes]
- —ι auth.php
- —ι bbcode.php
- —ι constants.php
- —ι db.php
- —ι emailer.php
- —ι functions.php
- —ι functions_admin.php
- —ι functions_post.php
- —ι functions_search.php
- —ι functions_selects.php
- —ι functions_validate.php
- —› index.htm — just a blank page to prevent directory listing
- —ι page_header.php
- —ι page_tail.php
- —ι prune.php
- —ι sessions.php
- —ι smtp.php
- —ι sql_parse.php
- —ι template.php
- —ι topic_review.php
- —ι usercp_activate.php
- —ι usercp_avatar.php
- —ι usercp_email.php
- —ι usercp_register.php
- —ι usercp_sendpasswd.php
- —ι usercp_viewprofile.php
- [language] — various internationalization resources, obviously has nothing to do with authentication
- [templates] — templates for output, we shouldn't be interested in this
Notes
- [xxx] means xxx is a directory
- —› indicates entry points
- —ι indicates pages that should not normally be directly accessed by the users
Page Links
Basically, there are two big groups of pages in phpBB2: the (normal) forum pages and the administrative pages.
The ordinary forum pages are simply all the pages in the phpBB top directory. In most cases they are linked to each other (usually via the navigation menu), save for a few, such as posting.php and modcp.php, that can only be reached from several pages or when some conditions are met. There are also several minor inconsistencies in how the linking is done. (For instance, the link to viewforum.php is missing from groupcp.php when no group is defined, although this should logically have nothing to do with the availability of viewforum.php.)
The situation is similar for the administrative pages. In this case, however, all administrative pages are linked to each other without exception, because a static navigation menu provides links to every administrative page. The menu also has a link to the forum index, so the forum index is directly accessible via a link from any administrative page. Some pages also link to several pages of the non-administrative section of phpBB. For example, the Forum Admin management page contains a link to viewforum.php.
Includes
Virtually every PHP page in phpBB includes the following files:
- extension.inc — defines the extension of PHP files
- common.php — the "library" of common functions; includes other PHP files in the "includes" directory
- page_header.php and page_tail.php — page template