Re: [Full-disclosure] Security of phpBB
- To: Moritz Naumann <info@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Security of phpBB
- From: Daniel <deeper@xxxxxxxxx>
- Date: Mon, 20 Jun 2005 14:14:12 +0100
Tom,
It pretty much breaks down to 3 questions:
1: Will it be web-facing at all (or are we looking at an internal server only)?
2: Is this for company confidential information, or general chatter?
3: What other products have you looked at?
To be honest, I'd recommend Phorum http://phorum.org/ as it's far more
secure than phpBB (which incidentally I now use to teach people how
not to produce web applications).
Also, adding another layer like mod_security,
http://modsecurity.org, helps.
Daniel
OWASP.org
On 6/20/05, Moritz Naumann <info@xxxxxxxxxxxxxxxxxx> wrote:
> Tom Edwards wrote:
> > I am new to this list and to security in general so please excuse my
> > question. A friend told me that our forum software phpBB is not very
> > secure and told me about this. Where can I get information on that? What
> > must I do to make it secure?
>
> Hi Tom,
>
> many people are concerned about known and unknown security issues
> related to phpBB. There have been a lot of security issues with it in
> the past, have a look at
> http://www.phpbb.com/security/final_reports.php
> (or search the FD archives) for some of the latest.
>
> The assumption many people make is that if so many vulnerabilities are
> constantly discovered on this software, it can be assumed that there
> still are many left and this application must thus be considered
> insecure in general.
>
> While I'm not saying this is a correct conclusion (and I'm also not
> saying it was not), far fewer security issues have been discovered in
> other widespread bulletin board software in the same time (which might
> also be related to other factors such as their licensing terms and
> pricing, which make a comparison difficult, though).
>
> Hope this helps a bit,
> Moritz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/