Full Disclosure mailing list archives

Re: Security of phpBB


From: Daniel <deeper () gmail com>
Date: Mon, 20 Jun 2005 14:14:12 +0100

Tom,

It pretty much breaks down to 3 questions:

1: Will it be web-facing at all (or are we looking at an internal server only)?
2: Is this for company confidential information, or general chatter?
3: What other products have you looked at?

To be honest, I'd recommend Phorum http://phorum.org/ as it's far more
secure than phpBB (which incidentally I now use to teach people how
not to produce web applications).

Also, adding another layer like mod_security
(http://modsecurity.org) helps.

Daniel
OWASP.org

On 6/20/05, Moritz Naumann <info () moritz-naumann com> wrote:
Tom Edwards wrote:
I am new to this list and to security in general so please excuse my
question. A friend told me that our forum software phpBB is not very
secure and told me about this. Where can I get information on that? What
must I do to make it secure?

Hi Tom,

Many people are concerned about known and unknown security issues
related to phpBB. There have been a lot of security issues with it in
the past, have a look at
  http://www.phpbb.com/security/final_reports.php
(or search the FD archives) for some of the latest.

The assumption many people make is that if so many vulnerabilities are
constantly discovered on this software, it can be assumed that there
still are many left and this application must thus be considered
insecure in general.

While I'm not saying this is a correct conclusion (and I'm also not
saying it was not), far fewer security issues have been discovered in
other widespread bulletin board software in the same time (which might
also be related to other factors such as their licensing terms and
pricing, which make a comparison difficult, though).

Hope this helps a bit,
Moritz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

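The mod_security layer Daniel recommends above, as an added example that is not from the original post or from the ModSecurity project: a minimal Apache configuration written in ModSecurity 2.x rule syntax (newer than the 1.x `SecFilter` syntax current in 2005). The rule ids, the audit log path and the two rules themselves are assumed for illustration; they are generic hardening rules, not tied to any particular phpBB flaw.

```apacheconf
# Added example (not from the original post or the ModSecurity project):
# a minimal ModSecurity 2.x layer in front of a PHP forum such as phpBB.
# Rule ids, the log path and the rules are assumed for illustration.
<IfModule security2_module>
    # Start in DetectionOnly: matching rules are logged but nothing is
    # blocked. Switch to On only after the audit log shows no false
    # positives on normal forum traffic (posting, searching, logging in).
    SecRuleEngine DetectionOnly

    # Inspect POST bodies too, otherwise ARGS only covers the query string.
    SecRequestBodyAccess On

    # What a matching rule does unless it says otherwise.
    SecDefaultAction "phase:2,log,deny,status:403"

    # Audit-log only requests that ended in 4xx/5xx, minus 404 noise.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Assumed rule 1: refuse any query-string argument whose value is a
    # remote URL. The value is URL-decoded and lower-cased before matching
    # so that encoded or mixed-case variants do not slip past.
    SecRule ARGS_GET "@rx ^(?:https?|ftp)://" \
        "id:900001,phase:2,t:none,t:urlDecodeUni,t:lowercase,msg:'remote URL in query-string argument'"

    # Assumed rule 2: refuse a script tag in any argument value or name,
    # after decoding URL and HTML-entity encodings.
    SecRule ARGS|ARGS_NAMES "@contains <script" \
        "id:900002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'script tag in request argument'"
</IfModule>
```

Rule 1 is scoped to ARGS_GET on purpose: forum posts arrive in the POST body and legitimately contain links, so matching ARGS there would block ordinary use. Review the audit log in DetectionOnly mode for a while before setting SecRuleEngine to On. This is an extra layer in the sense Daniel means, not a substitute for applying the phpBB security fixes listed on the page Moritz links.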