Full Disclosure mailing list archives

Re: Security of phpBB


From: Aaron Horst <anthrax101 () gmail com>
Date: Mon, 20 Jun 2005 09:59:54 -0400

I've done some work on phpBB security
(http://seclists.org/lists/fulldisclosure/2005/Feb/0547.html,
http://www.phpbb.com/security/final_reports.php?p=2) and would not
personally commend them on their security record and responses. I've
gone through the code base and there are probably no remaining obvious
issues, but I am sure that there are many subtle errors remaining. The
code is just not designed with security in mind.

I would also like to point out that they are liable to hide security
issues that they consider non-serious, and this has bitten them before
(see the highlight exploit; they ignored it for a while because they
didn't think it could be exploited).

AnthraX101

On 6/20/05, Tom Edwards <topbeachwear () hotmail de> wrote:
Hi,

I am new to this list and to security in general so please excuse my
question. A friend told me that our forum software phpBB is not very secure
and told me about this. Where can I get information on that? What must I do
to make it secure?

Thank you.

Kind regards,
Tom Edwards, Manager


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
AnthraX101 -- PGP Key ID# 0x4CD6D0BD
Fingerprint:
8161 D008 3DAB 86C1 2CA3  AEDE 0E21 DBDE 4CD6 D0BD