Thread: Forum Software
What would people's recommendations be for Bulletin Board software? I am after something that uses PostgreSQL and has similar features to PHPBB. I don't want to use PHPBB due to its complete lack of anything resembling security.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk
On 30 Dec 2005 at 9:36, Harry Jackson wrote:

> PHPBB. I don't want to use PHPBB due to its complete lack of anything
> resembling security.

Just curious - where do you get your info re PHPBB's "complete lack of anything resembling security"? I've been considering using that software, and would like a balanced opinion of its godd & bad points.

--Ray O'Donnell

-------------------------------------------------------------
Raymond O'Donnell http://www.galwaycathedral.org/recitals
rod@iol.ie Galway Cathedral Recitals
-------------------------------------------------------------
On 30 Dec 2005 at 12:15, Raymond O'Donnell wrote:

> its godd & bad points.

Whoops!......you know what I meant....

-------------------------------------------------------------
Raymond O'Donnell http://www.galwaycathedral.org/recitals
rod@iol.ie Galway Cathedral Recitals
-------------------------------------------------------------
On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
> On 30 Dec 2005 at 9:36, Harry Jackson wrote:
>
> > PHPBB. I don't want to use PHPBB due to its complete lack of anything
> > resembling security.
>
> Just curious - where do you get your info re PHPBB's "complete lack
> of anything resembling security"? I've been considering using that
> software, and would like a balanced opinion of its godd & bad points.

I used it once (2004) because it supported Postgres. It got hacked in under a month. I admit that this was a one-off, but having searched around the Internet for various bulletin board software there seems to be no end of problems with phpbb with regards to security. I have even come across articles claiming that the phpbb team try not to publish all their exploits but rather blame PHP [0] itself, and they have a tendency to ignore certain exploits in any releases that are not current. The whole thing does not inspire any confidence in me, and having been stung by the software once I think it would be foolhardy to give it another shot. Perhaps everything I am reading is true; perhaps it's all just bad luck.

Just out of interest, try searching google for "phpbb exploit". I get a "WERE SORRY" page from google, which is an attempt by google to prevent the proliferation of a particular worm; it's bad when google step in ;) If you get results the first time then try the search a few times in succession. If you are lucky enough to get some search results you will notice that there are 821,000 pages in the search results. Compared to:

exploit vBulletin 330,000
exploit yabb 26000
exploit bbboard 631

I know it's hardly scientific and that phpbb and vBulletin are a lot more popular than the other two boards, but I really cannot afford the time or the money that getting cracked costs and try to avoid it at all costs.

Friendly Advice: If you do decide to run phpbb then make sure you chroot Apache properly, which is something you should be doing anyway, particularly if you run any third party software. This will save you time and money in the long run if someone gets in [1]. It's also easier to back up a chrooted env so you can roll over [2] the cracked site after/if you catch them in the act.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] If PHP is so problematic with regards to security then this would still cast some doubt as to the team's ability, since they have chosen an implementation language that is severely flawed.
[1] This is assuming it's a typical remote command execution and not some other nefarious hack involving your database, which may be outside the chroot, or cross site scripting or .................. the list is endless.
[2] After fixing the hole.
On Dec 30, 2005, at 4:36 AM, Harry Jackson wrote:

> What would people's recommendations be for Bulletin Board software? I am
> after something that uses PostgreSQL and has similar features to
> PHPBB. I don't want to use PHPBB due to its complete lack of anything
> resembling security.

I'm not familiar enough with PHPBB to assess how it compares, but Drupal has a forum module and it works with PostgreSQL.

John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
>> What would people's recommendations be for Bulletin Board software? I am
>> after something that uses PostgreSQL and has similar features to
>> PHPBB. I don't want to use PHPBB due to its complete lack of anything
>> resembling security.
>
>
> I'm not familiar enough with PHPBB to assess how it compares, but Drupal
> has a forum module and it works with PostgreSQL.

PHPBB is not that bad, and they release security fixes etc. in a fairly timely manner, and it has full support for PostgreSQL. I run mine from behind a firewall and have never had problems with security. Your mileage may vary on how you set it up.

--
Tony Caduto
AM Software Design
Home of PG Lightning Admin for PostgreSQL
http://www.amsoftwaredesign.com
On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
QUOTE:
I used it once (2004) because it supported Postgres. It got hacked in
under a month. I admit that this was a one off but having searched
around the Internet for various bulletin board software there seem to
be no end of problems with phpbb with regards security. I have even
come across articles claiming that the phpbb team try not to publish
all their exploits but rather blame PHP [0] itself and they have a
tendency to ignore certain exploits in any releases that are not
current.
UNQUOTE:
That's hardly fair. PostgreSQL also ignores security issues on older versions. If you're running 8.0.0 and a security fix came out in 8.0.1, it's your fault, not the PGDG folks.
Also, as a big proponent of PHP, I have to admit that it's quite easy to write insecure software with it. I've had nothing but good luck with PHPBB. My main complaint is that no one in the PHPBB community seems to have ever heard of diff and patch, so all the hacks for it need to be applied by hand, one line at a time.
On Friday 30 December 2005 13:03, Scott Marlowe wrote:
> On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
>
> QUOTE:
> and they have a
> tendency to ignore certain exploits in any releases that are not
> current.
> UNQUOTE:
>
> That's hardly fair. PostgreSQL also ignores security issues on older
> versions. If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.
>

I think he is saying that if an exploit is found in pg 8.1.x, their policy is to never backpatch to 8.0.x. If so, that's a fair criticism (to the extent that upgrades are cumbersome with their software). Just to be clear, I am not validating his statement, just wondering if you misinterpreted it.

I've certainly heard more bad than good about phpbb, but I've no first hand experience and it could be a wonderful product. (From this thread it just sounds like they need a little more structure in the project.)

--
Robert Treat
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:
>
>
> On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
>
> QUOTE:
> I used it once (2004) because it supported Postgres. It got hacked in
> under a month. I admit that this was a one off but having searched
> around the Internet for various bulletin board software there seem to
> be no end of problems with phpbb with regards security. I have even
> come across articles claiming that the phpbb team try not to publish
> all their exploits but rather blame PHP [0] itself and they have a
> tendency to ignore certain exploits in any releases that are not
> current.
> UNQUOTE:
>
> That's hardly fair. PostgreSQL also ignores security issues on older
> versions. If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.

Actually a security hole being found is not really anyone's fault [0]; it just happens, and then something has to be done by the user who has the software on his system. Would the people on here ignore requests for help regardless of version? I am sure if the case was strong enough someone would give you a hand; perhaps they wouldn't, but I am not reading on blogs how the PostgreSQL community ignores security issues or that PostgreSQL has a particular problem with security. In fact searching for "Postgres exploit" returned 206000 results on google, which considering PostgreSQL is a great deal older than phpbb is not bad now, is it?

> Also, as a big proponent of PHP, I have to admit that it's quite easy to
> write insecure software with it.

It's quite easy to write insecure software, period. Choice of language with regards to security is an almost pointless discussion. See point [0]. It's the ability of the surgeon in the majority of cases that makes for a successful operation, not his choice of scalpel [1].

> I've had nothing but good luck with PHPBB.

And I am truly happy for you. I would have loved phpBB to have been my silver bullet. I may yet need to use it again because I can find nothing else that will do the job. For all its faults it's most certainly filling a gap in the market.

I don't want to use phpBB and I will need to be dragged kicking and screaming to drink from that well again, but where needs must, better the devil you know.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] Actually we could blame the software developers for the bugs, but that would be like blaming a surgeon for stitches. However, this does not give the surgeon immunity if he performs the operation with as little aptitude as a drunk.
[1] Although choosing a chain saw for open heart surgery may put him in the "limited ability" category.
----- Original Message -----
From: "Harry Jackson" <harryjackson@gmail.com>
To: <pgsql-general@postgresql.org>
Sent: Saturday, December 31, 2005 12:39 AM
Subject: Re: [GENERAL] Forum Software

> On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:
>> Also, as a big proponent of PHP, I have to admit that it's quite easy
>> to
>> write insecure software with it.
>
> It's quite easy to write insecure software, period. Choice of language
> with regards to security is an almost pointless discussion. See point
> [0]. It's the ability of the surgeon in the majority of cases that
> makes for a successful operation, not his choice of scalpel [1].
>
>> I've had nothing but good luck with PHPBB.
>
> And I am truly happy for you. I would have loved phpBB to have been my
> silver bullet. I may yet need to use it again because I can find
> nothing else that will do the job. For all its faults it's most
> certainly filling a gap in the market.

So far I've been quite happy with phpbb as well. There are some PHP security issues that of course every PHP-using administrator can modify if they choose to, like register_globals etc. Then of course the phpbb installation instructions claiming you have to chmod 777 the whole phpbb directory tree aren't true, and actually judicious use of other access permissions is even more recommended - I use 770 as my base permissions and then tighten the permissions for certain files and directories further.

The security patches seem to come in fairly good intervals, and are pretty easy to apply, unless you're running a heavily customized board. Of course keeping the whole site secure means following the Apache, PHP, Postgres and OS updates, which can be painless or painful depending on the OS of your choice. Phpbb as such can't be held responsible IMO in cases where a cracker uses a security hole located in any underlying component.

Just out of curiosity, was only the bulletin board cracked or was your whole system compromised?

-Reko
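As an added example (not code from this thread, from phpBB or from any poster), a POSIX shell script that audits a web-app tree for the world-writable entries a blanket chmod 777 leaves behind and then applies the tighter scheme Reko describes: 770 as the base, with a config file tightened further. The tree, the file names (config.php, images/avatars, cache) and the choice to drop the execute bit from plain files are this example's own assumptions, and the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread or from phpBB: audit a PHP web-app
# directory for world-writable entries (what "chmod -R 777" produces), then
# apply 770 as the base permission and tighten the config file further.

# Print the number of files and directories under $1 that anyone may write.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Base scheme: directories 770, plain files 660 (no execute bit needed for
# PHP sources served by the web server), then the assumed config file 640
# so that only the owner can change database credentials.
harden_tree() {
    dir="$1"
    find "$dir" -type d -exec chmod 770 {} +
    find "$dir" -type f -exec chmod 660 {} +
    [ -f "$dir/config.php" ] && chmod 640 "$dir/config.php"
    return 0
}

# Constructed sample tree in the state a "chmod -R 777" install leaves it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images/avatars" "$dir/cache"
    printf '<?php $dbpasswd = "constructed-example";\n' > "$dir/config.php"
    : > "$dir/images/avatars/upload.png"
    chmod -R 777 "$dir"
    printf '%s\n' "$dir"
}
```

Run make_sample_tree, then count_world_writable before and after harden_tree to see the count drop to zero.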
On Fri, 2005-12-30 at 16:39, Harry Jackson wrote:
> On 12/30/05, Scott Marlowe <smarlowe@g2switchworks.com> wrote:
> >
> >
> > On 12/30/05, Raymond O'Donnell <rod@iol.ie> wrote:
> >
> > QUOTE:
> > I used it once (2004) because it supported Postgres. It got hacked in
> > under a month. I admit that this was a one off but having searched
> > around the Internet for various bulletin board software there seem to
> > be no end of problems with phpbb with regards security. I have even
> > come across articles claiming that the phpbb team try not to publish
> > all their exploits but rather blame PHP [0] itself and they have a
> > tendency to ignore certain exploits in any releases that are not
> > current.
> > UNQUOTE:
> >
> > That's hardly fair. PostgreSQL also ignores security issues on older
> > versions. If you're running 8.0.0 and a security fix came out in 8.0.1,
> > it's your fault, not the PGDG folks.
>
> Actually a security hole being found is not really anyone's fault [0]
> it just happens and then something has to be done by the user who has
> the software on his system.

Let me clarify. If you're running 8.0.0 and there's a security fix out for 8.0.1 and you get bitten by said security bug, it IS YOUR fault, because you didn't upgrade.

> Would the people on here ignore requests for help regardless of
> version. I am sure if the case was strong enough someone would give you
> a hand, perhaps they wouldn't but I am not reading on blogs how the

Actually, if you're running an old enough version, that's exactly what will happen. We have a fairly large and capable community, but no one's gonna put a lot of effort into fixing / working around a security bug from V 6.5.3 or 7.1 or something like that.

PHPBB chooses to maintain, security-wise, the latest main branch, which is quite common for smaller, fast moving projects, and completely understandable. Rather one well maintained, quickly fixed branch than any number that aren't.

Of course, we'd all like to see all old versions supported / maintained. And a pony too. But ya get what ya get. And as far as updates to phpbb go, they're pretty timely, if only on the latest main branch.

> > I've had nothing but good luck with PHPBB.
>
> And I am truly happy for you. I would have loved phpBB to have been my
> silver bullet. I may yet need to use it again because I can find
> nothing else that will do the job. For all its faults its most
> certainly filling a gap in the market.
>
> I don't want to use phpBB and I will need to be dragged kicking and
> screaming to drink from that well again but where needs must, better
> the devil you know.

Have you looked at agora? Not as many fancy features, but it is a nicely threaded message system. For many people the extra features, like attachments and such, that phpBB has make it a must have, but I found agora to be a much nicer bulletin board, in terms of how it displays threads and all.