WebApp Sec mailing list archives
Re: phpBB Ban
From: Mark Susol Ultimate Creative Media <msusol () ultimatecreativemedia com>
Date: Wed, 20 Apr 2005 16:52:27 -0400
Joseph Miller wrote:
> The reason that I think that a ban would be important for a project such as phpBB is because of its wide use. One attacker could spend a single day and attack hundreds or even thousands of websites that have phpBB using a single script and a web search engine. This type of wide deployment makes this program more of a risk than just a problem with one or two servers. This type of problem becomes global.

The use of 'Windows' is also widespread. Over the years it has been patched more times than a human can count. Does this mean administrators should enforce the use of other operating systems? To make a sharp statement: most web scripts around have some kind of bug, at some point, that will compromise the site and/or even more. My view is that there will always be bugs, and people to find them and use them. So the only thing we can do is to prepare for it to happen. Thank god for mod_sec :)
phpBB is OpenSource software, so the source is available to all, including white hatters and black hatters. I think the problem we are seeing with widespread attacks on phpBB etc. is an "unintended consequence" of the OpenSource concept and googling. However, the lack of sysadmin knowledge by those implementing OpenSource software is also to blame. If you take the STOCK install of any of these projects and then don't follow up on keeping it "patched", as well as the underlying server and the technologies that run the software, you will be attacked, and attacked often.

I try to write from scratch any scripts I need so the source isn't out there to "study" and then easily found using a google search. But to write my own forum software just isn't in my current scope of free time. You have to ask though, with all the forum software out there, who might have the most to gain by attacks on phpBB? Maybe another competitor who has a licensing fee to use it? Hmmm.....

I saw the beginning of this problem with things as simple as "formmail.pl". People never thought to CHANGE THE NAME of this file and put in a DISALLOW statement in a robots.txt file as a first measure to stop people from finding the script file. The error logs on my clients' websites are filled with many attempts to find files such as formmail.pl... almost as much as favicon.ico missing.

Mark Susol
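The log review Mark describes (error logs full of requests for default script names such as formmail.pl, mixed in with harmless favicon.ico misses) is easy to automate. The script below is an added example written for this archive page; it is not code from Mark Susol or from any project in the thread. It parses Apache combined-format access log lines, separates probes for well-known default script names from ordinary 404 noise, and reports which client addresses are scanning and whether any probed script actually answered 200 (meaning the default name was never changed). The log lines and the client addresses (documentation ranges) are constructed for the example, and the set of probed names is just the one the thread names; extend it for your own site. A robots.txt Disallow only affects crawlers that honour it, so this kind of log check, not robots.txt, is what tells you whether a script is still being looked for.

```python
import re
from collections import Counter

# Constructed sample access log lines (Apache combined format). Not real traffic;
# the addresses come from the IPv4 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2005:16:01:02 -0400] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2005:16:01:03 -0400] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2005:16:01:04 -0400] "GET /formmail.pl?x=1 HTTP/1.0" 404 512 "-" "Mozilla/4.0"
198.51.100.4 - - [20/Apr/2005:16:05:10 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Apr/2005:16:05:11 -0400] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Apr/2005:16:07:30 -0400] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Apr/2005:16:07:31 -0400] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Minimal combined-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Default script names that get probed. Only the one the thread mentions is
# listed here; add the default names of whatever you deploy (assumption: you
# maintain this list yourself, it is not pulled from any feed).
PROBED_BASENAMES = {"formmail.pl"}

# Ordinary misses every site sees; never count these as probes.
IGNORED_BASENAMES = {"favicon.ico", "robots.txt"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def basename_of(path):
    """Drop the query string and directories, lower-case the file name.

    '/cgi-bin/FormMail.pl?x=1' -> 'formmail.pl', so case games and paths
    do not hide a probe for the same default script.
    """
    path = path.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def find_probes(log_text, probed=PROBED_BASENAMES):
    """Return (ip, path, status) for every request aimed at a probed script name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = basename_of(rec["path"])
        if name in IGNORED_BASENAMES or name not in probed:
            continue
        hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def summarize(log_text, probed=PROBED_BASENAMES):
    """Return ({client_ip: probe_count}, [paths that answered 200]).

    A 200 means the default-named script is really installed under that
    name, which is the case the thread says to avoid by renaming it.
    """
    per_ip = Counter()
    exposed = []
    for ip, path, status in find_probes(log_text, probed):
        per_ip[ip] += 1
        if status == 200:
            exposed.append(path)
    return dict(per_ip), exposed


if __name__ == "__main__":
    counts, exposed = summarize(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} probe(s) for default script names")
    if exposed:
        print("default-named scripts still reachable:", exposed)
    else:
        print("no probed script answered 200")
```

Run against your real access log instead of SAMPLE_LOG by reading the file into `summarize`; the favicon.ico and robots.txt misses that dominate most logs are filtered out, so what remains is the per-address scanning count Mark is describing, plus a separate list of any probed scripts that are actually present under their default names.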
Current thread:
- Re: phpBB Ban Ole Martin Eide (Apr 20)
- Re: phpBB Ban Joseph Miller (Apr 21)
- Re: phpBB Ban Mark Susol Ultimate Creative Media (Apr 21)