WebApp Sec mailing list archives

Re: phpBB Ban


From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Mon, 21 Mar 2005 09:24:58 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The reason that I think that a ban would be important for a project such as 
phpBB is because of its wide use.  One attacker could spend a single day and 
attack hundreds or even thousands of websites that have phpBB using a single 
script and a web search engine.  This type of wide deployment makes this 
program more of a risk than just a problem with one or two servers.  This 
type of problem becomes global.

Because there are so many people who are currently using this project, because 
it is so simple for the end-user, I don't think that we can scrap the project 
altogether.  Unfortunately, however, we administrators cannot in good 
conscience begin to use a project with such well-known flaws, and should a 
system become compromised because of an installation of phpBB, we can only 
fault ourselves and take the responsibility for the fall.  This is how an 
organization's administration would likely view the situation, and a court 
would probably lean in the same direction.  It would be disastrous that an 
administrator knowingly opened a system up for such exploitation.

- -Joseph Miller

On Monday 21 March 2005 4:20 am, Daniel wrote:
i think a ban is a bit heavy handed, i can think of many packages out
there which dont have any security in place (but are still used)

On 18 Mar 2005, at 22:17, Joseph Miller wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone else here started using phpBB?  After reading Andrew van der
Stock's message, I was quite concerned about the security of phpBB.  I had
just installed this on one of my websites, and I was in the process of
integrating it with my existing user database.  After viewing very little of
the code, I became extremely alarmed.  I immediately deleted the forum from
my website as this would be the perfect point of entry for an attacker
looking for weak security code structure.  Their idea of a
mysql_escape_string() equivalent is a str_replace() that replaces all single
quotes with two single quotes.  This project is open source so it has no
'security through obscurity' even if that were the chosen method.  Other code
did some htmlspecialchars() for escaping, then checked the particular
variable against explicit constants.  How does this help?  Either it matches
or it doesn't, especially with single words that have no special characters
in them.  I am not a security expert nor do I purport to be one.  However,
this code, IMHO, demonstrates a complete misunderstanding of security.  I
don't think that they don't care about security, I just don't think that they
understand it.

I recommend a ban of this project from all websites that need any type of
security until a preliminary review can be done of the security methods and
approaches taken by the project.  Not that I'm volunteering for the task, I'm
probably just going to find another, more secure project.  Besides, I'm
unquestionably unqualified to do a code review for someone else's code.

- -Joseph Miller
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCO1NymXZROF+EADURAgJ0AJwOXtDbzdXpQS68Y4GHj7IOYoVa5QCeLbpz
mAQr39BD41Jjanv7KEDBpwk=
=WEEu
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCPtk/mXZROF+EADURAn17AJ9ay4bEi+NH/2LV8FX+2YGthah4JACfVvqm
j8kDL+JOKibL+zXCFAPZbj4=
=/87H
-----END PGP SIGNATURE-----
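The quoted message objects to an escaper that only doubles single quotes. The following is an added example, written for this archive page and not code from phpBB or from either poster, showing why that objection matters against MySQL: under MySQL's default sql_mode a backslash also escapes the next character inside a string literal, so a payload beginning with a backslash slips past quote doubling. The `split_literal()` scanner is a deliberately simplified model of how MySQL tokenizes a single-quoted literal (backslash escapes and doubled quotes only; multibyte charset issues and NO_BACKSLASH_ESCAPES are not modelled), and the query, table and column names are made up for the demonstration. The `backslash_aware_escape()` helper approximates what mysql_real_escape_string() does for ASCII input; parameterized queries remain the correct fix.

```python
# Added example for this archive page; not phpBB code. Contrasts the
# quote-doubling escaper the post describes with a backslash-aware one,
# using a simplified model of MySQL string-literal parsing.

def quote_doubling_escape(value: str) -> str:
    """The str_replace()-style escaper criticised in the post: ' -> ''."""
    return value.replace("'", "''")


def backslash_aware_escape(value: str) -> str:
    """Approximation of mysql_real_escape_string() for ASCII input only
    (assumption: charset/multibyte edge cases are out of scope here)."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(c, c) for c in value)


def build_query(escaper, username: str) -> str:
    """String-concatenated query, as a naive application would build it.
    Table and column names are invented for the example."""
    return "SELECT * FROM users WHERE username = '" + escaper(username) + "'"


def split_literal(sql: str, start: int):
    """Scan a MySQL single-quoted literal beginning at sql[start] == "'".
    Models default sql_mode: a backslash escapes the next character and
    a doubled quote stands for one quote. Returns (body, index_after_quote)."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    i = start + 1
    body = []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):
            body.append(sql[i + 1])       # backslash escape: take next char
            i += 2
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                body.append("'")          # doubled quote inside the literal
                i += 2
                continue
            return "".join(body), i + 1   # closing quote found
        body.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def trailing_sql(sql: str) -> str:
    """Whatever the parser sees after the username literal. Empty means the
    escaper kept the whole input inside the literal; anything else is SQL
    that the attacker now controls."""
    start = sql.index("'")
    _, end = split_literal(sql, start)
    return sql[end:].strip()


if __name__ == "__main__":
    # Constructed sample inputs: a plain quote payload and a backslash payload.
    plain = "' OR 1=1 -- "
    with_backslash = "\\' OR 1=1 -- "
    for name, escaper in (("quote doubling", quote_doubling_escape),
                          ("backslash aware", backslash_aware_escape)):
        for payload in (plain, with_backslash):
            q = build_query(escaper, payload)
            leaked = trailing_sql(q)
            print(f"{name:16} {payload!r:22} -> "
                  f"{'INJECTED: ' + leaked if leaked else 'contained'}")
```

Run stand-alone, the script shows that quote doubling contains the plain `' OR 1=1` payload but lets `\' OR 1=1 -- ` break out of the literal, because the doubled quote becomes `\''`: the backslash consumes the first quote and the second one closes the string. The backslash-aware escaper contains both. The scanner is a model, not MySQL itself; confirm behaviour against a real server before relying on any escaping scheme, and prefer prepared statements so the question does not arise.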
