Re: Forum Software - Mailing list pgsql-general

From Harry Jackson
Subject Re: Forum Software
Msg-id 45b42ce40512300517n6cae4cefkc8ce56e7fff44afa@mail.gmail.com
In response to Re: Forum Software  ("Raymond O'Donnell" <rod@iol.ie>)
List pgsql-general
On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
> On 30 Dec 2005 at 9:36, Harry Jackson wrote:
>
> > PHPBB. I don't want to use PHPBB due to its complete lack of anything
> > resembling security.
>
> Just curious - where do you get your info re PHPBB's "complete lack
> of anything resembling security"? I've been considering using that
> software, and would like a balanced opinion of its good & bad points.

I used it once (2004) because it supported Postgres. It got hacked in
under a month. I admit that this was a one-off, but having searched
around the Internet for various bulletin board software there seems to
be no end of problems with phpbb with regard to security. I have even
come across articles claiming that the phpbb team try not to publish
all their exploits but rather blame PHP [0] itself, and that they have a
tendency to ignore certain exploits in any releases that are not
current.

The whole thing does not inspire any confidence in me, and having been
stung by the software once I think it would be foolhardy to give it
another shot. Perhaps everything I am reading is true; perhaps it's all
just bad luck.

Just out of interest try searching google for

phpbb exploit

I get a "We're sorry" page from Google, which is an attempt by Google to
prevent the proliferation of a particular worm; it's bad when Google
steps in ;) If you get results the first time then try the search a few
times in succession.

If you are lucky enough to get some search results you will notice
that there are 821,000 pages in the search results. Compared to:

exploit vBulletin 330,000
exploit yabb 26,000
exploit bbboard 631

I know it's hardly scientific, and that phpbb and vBulletin are a lot
more popular than the other two boards, but I really cannot afford the
time or the money that getting cracked costs and try to avoid it at
all costs.

Friendly Advice:
If you do decide to run phpbb then make sure you chroot Apache
properly, which is something you should be doing anyway, particularly
if you run any third-party software. This will save you time and money
in the long run if someone gets in [1]. It's also easier to back up a
chrooted env, so you can roll over [2] the cracked site after/if you
catch them in the act.


--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] If PHP is so problematic with regard to security then this would
still cast some doubt as to the team's ability, since they have
chosen an implementation language that is severely flawed.
[1] This is assuming it's a typical remote command execution and not
some other nefarious hack involving your database, which may be outside
the chroot, or cross-site scripting, or .................. the list is
endless.
[2] After fixing the hole.
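The "chroot Apache properly" advice above is the part of this thread a practitioner can actually act on, so here is an added example of the groundwork it implies. This is not code from the post or from the phpBB or Apache projects; it assumes a Linux host with Debian-style paths, that Apache's unprivileged user is www-data (uid/gid 33), that ldd is available, and that device major/minor numbers are the Linux ones. It builds the directory skeleton a jailed Apache needs, creates the two device nodes PHP sessions and logging cannot do without, and copies a binary together with every shared library ldd reports into the jail at the same path (run it once per binary and module, including libphp and PHP's extension .so files).

```shell
#!/bin/sh
# Build a minimal chroot jail for Apache: directory skeleton, device nodes,
# and a binary plus the shared libraries ldd reports for it.
# Assumptions (not from the original post): Debian-style paths, Apache runs
# as www-data (uid/gid 33), ldd exists, Linux device numbers.
set -eu

# Directory skeleton. /tmp is sticky so PHP session files and uploads work,
# /var/run holds the pid file and scoreboard, /var/www/html is DocumentRoot.
make_jail_skeleton() {
    jail="$1"
    for d in bin lib lib64 usr/lib usr/sbin usr/share etc dev tmp \
             var/run var/log/apache2 var/www/html; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"
    # Minimal account database so the User/Group directives resolve in the jail.
    printf 'root:x:0:0:root:/:/bin/false\nwww-data:x:33:33:www-data:/var/www:/bin/false\n' \
        > "$jail/etc/passwd"
    printf 'root:x:0:\nwww-data:x:33:\n' > "$jail/etc/group"
    # Name resolution for anything PHP reaches by hostname (e.g. a remote DB).
    for f in /etc/resolv.conf /etc/hosts /etc/nsswitch.conf; do
        if [ -r "$f" ]; then cp "$f" "$jail/etc/"; fi
    done
}

# /dev/null and a randomness source (PHP session ids, TLS). mknod needs root,
# so this step is skipped with a warning when run unprivileged.
make_devices() {
    jail="$1"
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null" c 1 3
        [ -c "$jail/dev/urandom" ] || mknod -m 444 "$jail/dev/urandom" c 1 9
    else
        echo "not root: skipping device nodes in $jail/dev" >&2
    fi
}

# Copy a binary (or module) and each shared library ldd lists for it into the
# jail at the same absolute path. Symlinks are dereferenced so the jail holds
# real files; "not found" entries and the vdso pseudo-entry are skipped.
copy_with_libs() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null |
        awk '/=>/ { print $3 } /^[[:space:]]*\// { print $1 }' |
        while IFS= read -r lib; do
            [ -n "$lib" ] && [ -e "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            cp -L "$lib" "$jail$lib"
        done
}

# Usage (as root): sh build_jail.sh /srv/www-jail /usr/sbin/apache2
if [ $# -ge 2 ]; then
    make_jail_skeleton "$1"
    make_devices "$1"
    copy_with_libs "$1" "$2"
fi
```

Once the httpd binary, its modules, config and mime types are inside, start it with `chroot /srv/www-jail /usr/sbin/apache2 -k start`; Apache then drops to www-data inside the jail. Footnote [1] is the caveat that matters here: a PostgreSQL Unix socket in /var/run/postgresql lives outside the jail, so either point PHP at 127.0.0.1 over TCP (and restrict that in pg_hba.conf) or bind-mount the socket directory into the jail. Newer Apache releases (2.2.10 and later) also offer a ChrootDir directive that does the chroot itself after startup, which avoids copying the binary but still needs the DocumentRoot, /tmp and device nodes laid out as above.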
