Thread: Forum Software

Forum Software

From
Harry Jackson
Date:
What would people's recommendation be for Bulletin Board software? I am
after something that uses PostgreSQL and has similar features to
PHPBB. I don't want to use PHPBB due to its complete lack of anything
resembling security.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

Re: Forum Software

From
"Raymond O'Donnell"
Date:
On 30 Dec 2005 at 9:36, Harry Jackson wrote:

> PHPBB. I don't want to use PHPBB due to its complete lack of anything
> resembling security.

Just curious - where do you get your info re PHPBB's "complete lack
of anythng resembling security"? I've been considering using that
software, and would like a balanced opinion of its godd & bad points.

--Ray O'Donnell

-------------------------------------------------------------
Raymond O'Donnell     http://www.galwaycathedral.org/recitals
rod@iol.ie                          Galway Cathedral Recitals
-------------------------------------------------------------


Re: Forum Software

From
"Raymond O'Donnell"
Date:
On 30 Dec 2005 at 12:15, Raymond O'Donnell wrote:

> its godd & bad points.

Whoops!......you know what I meant....


-------------------------------------------------------------
Raymond O'Donnell     http://www.galwaycathedral.org/recitals
rod@iol.ie                          Galway Cathedral Recitals
-------------------------------------------------------------


Re: Forum Software

From
Harry Jackson
Date:
On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
> On 30 Dec 2005 at 9:36, Harry Jackson wrote:
>
> > PHPBB. I don't want to use PHPBB due to its complete lack of anything
> > resembling security.
>
> Just curious - where do you get your info re PHPBB's "complete lack
> of anythng resembling security"? I've been considering using that
> software, and would like a balanced opinion of its godd & bad points.

I used it once (2004) because it supported Postgres. It got hacked in
under a month. I admit that this was a one-off but, having searched
around the Internet for various bulletin board software, there seem to
be no end of problems with phpbb with regard to security. I have even
come across articles claiming that the phpbb team try not to publish
all their exploits but rather blame PHP [0] itself and they have a
tendency to ignore certain exploits in any releases that are not
current.

The whole thing does not inspire any confidence in me and, having been
stung by the software once, I think it would be foolhardy to give it
another shot. Perhaps everything I am reading is true, perhaps it's all
just bad luck.

Just out of interest, try searching Google for

phpbb exploit

I get a "WE'RE SORRY" page from Google, which is an attempt by Google to
prevent the proliferation of a particular worm; it's bad when Google
steps in ;) If you get results the first time then try the search a few
times in succession.

If you are lucky enough to get some search results you will notice
that there are 821,000 pages in the search results. Compared to:

exploit vBulletin   330,000
exploit yabb         26,000
exploit bbboard         631

I know it's hardly scientific and that phpbb and vBulletin are a lot
more popular than the other two boards, but I really cannot afford the
time or the money that getting cracked costs and try to avoid it at
all costs.

Friendly Advice:
If you do decide to run phpbb then make sure you chroot Apache
properly, which is something you should be doing anyway, particularly
if you run any third party software. This will save you time and money
in the long run if someone gets in [1]. It's also easier to back up a
chrooted env so you can roll over [2] the cracked site after/if you
catch them in the act.


--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] If PHP is so problematic with regard to security then this would
still cast some doubt as to the team's ability since they have
chosen an implementation language that is severely flawed.
[1] This is assuming it's a typical remote command execution and not
some other nefarious hack involving your database, which may be outside
the chroot, or cross site scripting or .................. the list is
endless.
[2] After fixing the hole.

Re: Forum Software

From
John DeSoi
Date:
On Dec 30, 2005, at 4:36 AM, Harry Jackson wrote:

> What would people's recommendation be for Bulletin Board software? I am
> after something that uses PostgreSQL and has similar features to
> PHPBB. I don't want to use PHPBB due to its complete lack of anything
> resembling security.

I'm not familiar enough with PHPBB to assess how it compares, but
Drupal has a forum module and it works with PostgreSQL.



John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL


Re: Forum Software

From
Tony Caduto
Date:
>> What would people's recommendation be for Bulletin Board software? I am
>> after something that uses PostgreSQL and has similar features to
>> PHPBB. I don't want to use PHPBB due to its complete lack of anything
>> resembling security.
>
>
> I'm not familiar enough with PHPBB to assess how it compares, but Drupal
> has a forum module and it works with PostgreSQL.

PHPBB is not that bad, and they release security fixes etc. in a fairly
timely manner, and it has full support for Postgresql.

I run mine from behind a firewall and have never had problems with
security.  Your mileage may vary on how you set it up.


--
Tony Caduto
AM Software Design
Home of PG Lightning Admin for Postgresql
http://www.amsoftwaredesign.com

Re: Forum Software

From
"Scott Marlowe"
Date:

On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:

QUOTE:
I used it once (2004) because it supported Postgres. It got hacked in
under a month. I admit that this was a one off but having searched
around the Internet for various bulletin board software there seem to
be no end of problems with phpbb with regards security. I have even
come across articles claiming that the phpbb team try not to publish
all their exploits but rather blame PHP [0] itself and they have a
tendency to ignore certain exploits in any releases that are not
current.
UNQUOTE:

That's hardly fair.  PostgreSQL also ignores security issues on older versions.  If you're running 8.0.0 and a security fix came out in 8.0.1, it's your fault, not the PGDG folks.

Also, as a big proponent of PHP, I have to admit that it's quite easy to write insecure software with it.  I've had nothing but good luck with PHPBB.  My main complaint is that no one in the PHPBB community seems to have ever heard of diff and patch, so all the hacks for it need to be applied by hand, one line at a time.

Re: Forum Software

From
Robert Treat
Date:
On Friday 30 December 2005 13:03, Scott Marlowe wrote:
> On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
>
> QUOTE:
> and they have a
> tendency to ignore certain exploits in any releases that are not
> current.
> UNQUOTE:
>
> That's hardly fair.  PostgreSQL also ignores security issues on older
> versions.  If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.
>

I think he is saying that if an exploit is found in pg 8.1.x, their policy is
to never backpatch to 8.0.x. If so that's a fair criticism (to the extent
that upgrades are cumbersome with their software).

Just to be clear, I am not validating his statement, just wondering if you
misinterpreted it. I've certainly heard more bad than good about phpbb, but
I've no first hand experience and it could be a wonderful product. (From this
thread it just sounds like they need a little more structure in the project)

--
Robert Treat
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL

Re: Forum Software

From
Harry Jackson
Date:
On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:
>
>
> On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
>
>  QUOTE:
>  I used it once (2004) because it supported Postgres. It got hacked in
>  under a month. I admit that this was a one off but having searched
>  around the Internet for various bulletin board software there seem to
>  be no end of problems with phpbb with regards security. I have even
>  come across articles claiming that the phpbb team try not to publish
>  all their exploits but rather blame PHP [0] itself and they have a
>  tendency to ignore certain exploits in any releases that are not
>  current.
>  UNQUOTE:
>
>  That's hardly fair.  PostgreSQL also ignores security issues on older
> versions.  If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.

Actually a security hole being found is not really anyone's fault [0];
it just happens and then something has to be done by the user who has
the software on his system.
Would the people on here ignore requests for help regardless of
version? I am sure if the case was strong enough someone would give you
a hand, perhaps they wouldn't, but I am not reading on blogs how the
PostgreSQL community ignores security issues or that PostgreSQL has a
particular problem with security. In fact searching for Postgres
exploit returned 206,000 results on Google which, considering
PostgreSQL is a great deal older than phpbb, is not bad now is it.

> Also, as a big proponent of PHP, I have to admit that it's quite easy to
> write insecure software with it.

It's quite easy to write insecure software, period. Choice of language
with regard to security is an almost pointless discussion. See point
[0]. It's the ability of the surgeon in the majority of cases that
makes for a successful operation, not his choice of scalpel [1].

> I've had nothing but good luck with PHPBB.

And I am truly happy for you. I would have loved phpBB to have been my
silver bullet. I may yet need to use it again because I can find
nothing else that will do the job. For all its faults it's most
certainly filling a gap in the market.

I don't want to use phpBB and I will need to be dragged kicking and
screaming to drink from that well again but where needs must, better
the devil you know.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk


[0] Actually we could blame the software developers for the bugs but
that would be like blaming a surgeon for stitches. However, this does
not give the surgeon immunity if he performs the operation with as
little aptitude as a drunk.

[1] Although choosing a chain saw for open heart surgery may put him
in the "limited ability" category.

Re: Forum Software

From
"Reko Turja"
Date:
----- Original Message -----
From: "Harry Jackson" <harryjackson@gmail.com>
To: <pgsql-general@postgresql.org>
Sent: Saturday, December 31, 2005 12:39 AM
Subject: Re: [GENERAL] Forum Software


> On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:

>> Also, as a big proponent of PHP, I have to admit that it's quite easy
>> to
>> write insecure software with it.
>
> Its quite easy to write insecure software period. Choice of language
> with regards security is an almost pointless discussion. See point
> [0]. Its the ability of the surgeon in the majority of cases that
> makes for a successful operation not his choice of scalpel [1].
>
>> I've had nothing but good luck with PHPBB.
>
> And I am truly happy for you. I would have loved phpBB to have been my
> silver bullet. I may yet need to use it again because I can find
> nothing else that will do the job. For all its faults its most
> certainly filling a gap in the market.

So far I've been quite happy with phpbb as well. There are some PHP
security issues that of course every PHP-using administrator can modify
if they choose so, like register_globals etc. Then of course the phpbb
installation instructions claiming you have to chmod 777 the whole phpbb
directory tree aren't true and actually judicious use of other access
permissions is even more recommended - I use 770 as my base permissions
and then tighten the permissions for certain files and directories
further.

The security patches seem to come in fairly good intervals, and are
pretty easy to apply, unless you're running a heavily customized board.
Of course keeping the whole site secure means following the Apache, PHP,
Postgres and OS updates, which can be painless or painful depending on the
OS of your choice. Phpbb as such can't be held responsible IMO in cases
where a cracker uses a security hole located in any underlying component.

Just out of curiosity, was only the bulletin board cracked or was your
whole system compromised?

-Reko
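Reko's permissions advice, as an added example that is not from the thread: a POSIX shell audit that lists what a blanket chmod 777 leaves world-writable under a web root, tightens the tree to the 770 base he describes, and checks a php.ini for register_globals left on. The demo tree and php.ini fragments are constructed here, and the 640/750 values for config.php and other PHP sources are this example's assumptions, not phpBB's documented settings.

```shell
#!/bin/sh
# Added example: audit and tighten a phpBB-style web root.
# Paths below are a constructed demo, not a real phpBB install.

# List every file or directory under $1 that is writable by "other".
audit_world_writable() {
    find "$1" -perm -o+w -print
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Apply a 770 base, then tighten further (assumed values):
# config.php holds the DB credentials, so owner-write/group-read only (640);
# other PHP sources never need to be written by the web server (750).
tighten_tree() {
    root=$1
    chmod -R 770 "$root"
    find "$root" -type f -name 'config.php' -exec chmod 640 {} +
    find "$root" -type f -name '*.php' ! -name 'config.php' -exec chmod 750 {} +
}

# Exit 0 when the php.ini given as $1 enables register_globals
# (the weak setting); commented-out lines and case are ignored.
register_globals_enabled() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# Constructed demo tree, deliberately left as "chmod -R 777" would.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/images/avatars" "$demo_root/cache"
printf '<?php // demo index\n' > "$demo_root/index.php"
printf '<?php $dbpasswd = "demo";\n' > "$demo_root/config.php"
chmod -R 777 "$demo_root"

# Constructed php.ini fragments: the weak setting beside the corrected one.
weak_ini=$(mktemp); printf 'register_globals = On\n' > "$weak_ini"
safe_ini=$(mktemp); printf '; register_globals = On\nregister_globals = Off\n' > "$safe_ini"

echo "world-writable before: $(count_world_writable "$demo_root")"
tighten_tree "$demo_root"
echo "world-writable after:  $(count_world_writable "$demo_root")"
```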


Re: Forum Software

From
Scott Marlowe
Date:
On Fri, 2005-12-30 at 16:39, Harry Jackson wrote:
> On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:
> >
> >
> > On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
> >
> >  QUOTE:
> >  I used it once (2004) because it supported Postgres. It got hacked in
> >  under a month. I admit that this was a one off but having searched
> >  around the Internet for various bulletin board software there seem to
> >  be no end of problems with phpbb with regards security. I have even
> >  come across articles claiming that the phpbb team try not to publish
> >  all their exploits but rather blame PHP [0] itself and they have a
> >  tendency to ignore certain exploits in any releases that are not
> >  current.
> >  UNQUOTE:
> >
> >  That's hardly fair.  PostgreSQL also ignores security issues on older
> > versions.  If you're running 8.0.0 and a security fix came out in 8.0.1,
> > it's your fault, not the PGDG folks.
>
> Actually a security hole being found is not really anyones fault [0]
> it just happens and then something has to be done by the user who has
> the software on his system.

Let me clarify.  If you're running 8.0.0 and there's a security fix out
for 8.0.1 and you get bitten by said security bug, it IS YOUR fault,
because you didn't upgrade.

> Would the people on here ignore requests for help regardless of
> version. I am sure if the case was strong enough someone would give you
> a hand, perhaps they wouldn't but I am not reading on blogs how the

Actually, if you're running an old enough version, that's exactly what
will happen.  We have a fairly large and capable community, but no one's
gonna put a lot of effort into fixing / working around a security bug
from V 6.5.3 or 7.1 or something like that.

PHPBB chooses to maintain, security-wise, the latest main branch, which
is quite common for smaller, fast moving projects, and completely
understandable.  Rather one well maintained, quickly fixed branch than
any number that aren't.  Of course, we'd all like to see all old
versions supported / maintained.  And a pony too.  But ya get what ya
get.  And as far as updates to phpbb go, they're pretty timely, if only
on the latest main branch.


> > I've had nothing but good luck with PHPBB.
>
> And I am truly happy for you. I would have loved phpBB to have been my
> silver bullet. I may yet need to use it again because I can find
> nothing else that will do the job. For all its faults its most
> certainly filling a gap in the market.
>
> I don't want to use phpBB and I will need to be dragged kicking and
> screaming to drink from that well again but were needs must, better
> the devil you know.

Have you looked at agora?  Not as many fancy features, but it is a
nicely threaded message system.  For many people the extra features,
like attachments and such, that phpBB have make it a must have, but I
found agora to be a much nicer bulletin board, in terms of how it
displays threads and all.