Re: phpBB Ban

[Mark Susol Ultimate Creative Media <msusol () ultimatecreativemedia com>]

Invalid characters removed from From: Mark Susol | Ultimate Creative Media

> Joseph Miller wrote:
> > The reason that I think that a ban would be important for a project such as
> > phpBB is because of its wide use.  One attacker could spend a single day and
> > attack hundreds or even thousands of websites that have pbpBB using a single
> > script and a web search engine.  This type of wide deployment makes this
> > program more of a risk than just a problem with one or two servers.  This
> > type of problem becomes global.
>
> The use of 'Windows' is also widespread. Over the years it has been
> patched more times than a human can count. Does this mean administrators
> should enforce the use of other operating systems?
>
> To make a sharp statement; most web scripts around has some kind of bug,
> at some point, that will compromise the site and/or even more.
>
> My view is that there will always be bugs, and people to find them and
> use them. So the only thing we can do is to prepare for it to happen.
> Thank god for mod_sec :)

phpBB is OpenSource software, so the source is available to all including
white hatters and black hatters. I think the problem we are seeing with
widespread attacks on phpBB etc. is an "unintended consequence" of the
OpenSource concept and googling.

However the lack of sysadmin knowledge by those implementing OpenSource
software is also to blame. If you take the STOCK install of any of these
projects and then don't follow up on keeping it "patched" as well as the
underlying server and the technologies that run the software, you will be
attacked and attacked often.

I try to write from scratch any scripts I need so the source isn't out there
to "study" and then easily found using a google search. But to write my own
forum software just isn't in my current scope of freetime. You have to ask
though with all the forum software out there, who might have the most to
gain by attacks on phpBB, maybe another competitor who has a licensing fee
to use it? Hmmm.....

I saw the beginning of this problem with things as simple as "formmail.pl"
.. People never thought to CHANGE THE NAME of this file and put in a
DISALLOW statement in a robots.txt file as a first measure to stop people
from finding the script file. The error logs on my clients websites are
filled with many attempts to find files such as formmail.pl..almost as much
as favicon.ico missing.

Mark Susol