[oclug] Wondering about Web Message Board Systems
Ian Wormsbecker
i.wormsbecker at uleth.ca
Tue Nov 5 12:16:54 EST 2002
On November 5, 2002 10:38 am, David F. Skoll wrote:
> On Tue, 5 Nov 2002, Ian Wormsbecker wrote:
> > Yep, just like any other software you run on your system, you must
> > keep it up to date.
>
> Unfortunately, in my experience, PHP-based bulletin-board software has
> more than its share of problems, just like wu-ftpd. For some reason,
> a lot of people find it hard to write secure PHP apps.
I had a nice response all written up to defend phpBB and then X crashed
(stupid proprietary nvidia drivers, anyone know what is up with these?) and
it is all gone.
Anyway, my defense went along the lines of "all the holes found in phpBB have
been fixed in version 2.0.3". There were 3 major holes I found on a bugtraq
search for version 2.0.x of the software. Using version 1.x of phpBB has not
been recommended for a long time. All of the holes in 2.0.x are fixed up to
this point.
Many people use phpBB in their projects (such as PostNuke I am told) and have
not updated to the current version of phpBB, so double check that the
software you use which uses phpBB is current.
I agree with many points made by Bill S. PhpBB 2.x was created with security
as one of its objectives, and they seem to have done a good job so far. Many
many open source projects have been created as an opportunity to learn a new
programming language or try a new technique. Often these programs end up
being insecure and have to be revamped in order to be trusted. The
opposite happens in many cases as well. OpenSSH was created to be a secure
alternative to telnet. There have been quite a few holes in OpenSSH, but I
have yet to hear anyone condemning it and switching back to telnet. These are
very experienced software developers who are well versed in security issues
and they still make mistakes.
Let's just move on with life and help out any party that makes open source
software in an effort to make it the most secure, stable, reliable, and Free
product that it can be.
Ian