WebApp Sec mailing list archives
Re: phpBB Ban
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Mon, 21 Mar 2005 09:24:58 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The reason that I think that a ban would be important for a project such as phpBB is because of its wide use. One attacker could spend a single day and attack hundreds or even thousands of websites that have pbpBB using a single script and a web search engine. This type of wide deployment makes this program more of a risk than just a problem with one or two servers. This type of problem becomes global. Because there are so many people who are currently using this project, because it is so simple for the end-user, I don't think that we can scrap the project altogether. Unfortunately, however, we administrators cannot in good conscience begin to use a project with such well-known flaws, and should a system become compromised because of an installation of pbpBB, we can only fault ourselves and take the responsibility for the fall. This is how an organization's administration would likely view the situation, and a court would probably lean in the same direction. It would be disastrous that an administrator knowingly opened a system up for such exploitation. - -Joseph Miller On Monday 21 March 2005 4:20 am, Daniel wrote:
i think a ban is a bit heavy handed, i can think of many packages out there which dont have any security in place (but are still used) On 18 Mar 2005, at 22:17, Joseph Miller wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Has anyone else here started using phpBB? After reading Andrew van der Stock's message, I was quite concerned about the security of phpBB. I had just installed this on one of my websites, and I was in the process of integrating it with my existing user database. After viewing very little of the code, I became extremely alarmed. I immediately deleted the forum from my website as this would be the perfect point of entry for an attacker looking for weak security code structure. Their idea of a mysql_escape_string() equivalent is a str_replace() that replaces all single quotes with two single quotes. This project is open source so it has no 'security through obscurity' even if that were the chosen method. Other code did some htmlspecialchars() for escaping, then checked the particular variable against explicit constants. How does this help? Either it matches or it doesn't, especially with single words that have no special characters in them. I am not a security expert nor do I purport to be one. However, this code, IMHO, demonstrates a complete misunderstanding of security. I don't think that they don't care about security, I just don't think that they understand it. I recommend a ban of this project from all websites that need any type of security until a preliminary review can be done of the security methods and approaches taken by the project. Not that I'm volunteering for the task, I'm probably just going to find another, more secure project. Besides, I'm unquestionably unqualified to do a code review for someone else's code. - -Joseph Miller -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCO1NymXZROF+EADURAgJ0AJwOXtDbzdXpQS68Y4GHj7IOYoVa5QCeLbpz mAQr39BD41Jjanv7KEDBpwk= =WEEu -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCPtk/mXZROF+EADURAn17AJ9ay4bEi+NH/2LV8FX+2YGthah4JACfVvqm j8kDL+JOKibL+zXCFAPZbj4= =/87H -----END PGP SIGNATURE-----
Current thread:
- phpBB Ban Joseph Miller (Mar 20)
- Re: phpBB Ban Daniel (Mar 22)
- Re: phpBB Ban Joseph Miller (Mar 22)
- Re: phpBB Ban Daniel (Mar 22)