[oclug]Wondering about Web Message Board Systems
i.wormsbecker at uleth.ca
Tue Nov 5 12:16:54 EST 2002
On November 5, 2002 10:38 am, David F. Skoll wrote:
> On Tue, 5 Nov 2002, Ian Wormsbecker wrote:
> > Yep, just like any other software you run on your system, you must
> > keep it up to date.
> Unfortunately, in my experience, PHP-based bulletin-board software has
> more than its share of problems, just like wu-ftpd. For some reason,
> a lot of people find it hard to write secure PHP apps.
I had a nice response all written up to defend phpBB and then X crashed
(stupid proprietary nvidia drivers, anyone know what is up with these?) and
it is all gone.
Anyway, my defense went along the lines of "all the holes found in phpBB have
been fixed in version 2.0.3". There were 3 major holes I found on a bugtraq
search for version 2.0.x of the software. Using version 1.x of phpBB has not
been recommended for a long time. All of the holes in 2.0.x are fixed up to
Many people use phpBB in their projects (such as PostNuke I am told) and have
not updated to the current version of phpBB, so double check that the
software you use which uses phpBB is current.
I agree with many points made by Bill S. PhpBB 2.x was created with security
as one of its objectives, and they seem to have done a good job so far. Many
many open source projects have been created as an opportunity to learn a new
programming language or try a new technique. Often these programs end up
being insecure and have to have revamping in order to be trusted. The
opposite happens in many cases as well. OpenSSH was created to be a secure
alternative to telnet. There have been quite a few holes in OpenSSH, but I
have yet to hear anyone condemning it and switching back to telnet. These are
very experienced software developers who are well versed in security issues
and they still make mistakes.
Let's just move on with life and help out any party that makes open source
software in an effort to make it the most secure, stable, reliable, and Free
product that it can be.
More information about the OCLUG