[clue-talk] warning regarding phpBB

Joe "Zonker" Brockmeier xonker at gmail.com
Fri May 27 14:40:59 MDT 2005


On 5/27/05, Nate Duehr <nate at natetech.com> wrote:
> Angelo Bertolli wrote:
> 
> > Yeah, I don't know which is worse:  risk getting hacked, or having to
> > upgrade every freakin month.  I figure this is why they've stopped
> > putting the version number on the front page.
> 
> It seems that the phpBB folks simply can't write secure code.  I
> wouldn't put a "production" phpBB site up on a dare -- after seeing
> their history of security problems.

While they've had a history of security holes, I'm not sure this is
entirely fair - the first one that really bit them (if I recall
correctly) was actually a vulnerability in PHP that was easily exposed
in phpBB - but it was necessary to patch phpBB and upgrade to php
4.3.10 as well to get around the problem.

Since that incident, I think that there's been a lot of attackers
scrutinizing phpBB because of the first successful attack.
 
> Fun software to play with - not so fun to have to keep safe.  Seems to
> hold true to the old axiom that the more flexible and feature-ful the
> software is, the more security holes it probably has lurking in it.

Indeed... perhaps folks who want to run something like phpBB need to
help audit the code - remember, it doesn't help for it to be open
source if no one audits the code. I should think it'd be less
difficult to pitch in and assist in securing phpBB than to write a BB
package from scratch.

Best, 

Zonker
-- 
Joe "Zonker" Brockmeier
xonker at gmail.com
"Well, I've wrestled with reality for 35 years, doctor, and I'm happy
to state I finally won out over it." ~ Elwood P. Dowd, "Harvey"
