On 12/30/05, Raymond O'Donnell <rod@xxxxxx> wrote:
> On 30 Dec 2005 at 9:36, Harry Jackson wrote:
>
> > PHPBB. I don't want to use PHPBB due to its complete lack of anything
> > resembling security.
>
> Just curious - where do you get your info re PHPBB's "complete lack
> of anything resembling security"? I've been considering using that
> software, and would like a balanced opinion of its good & bad points.

I used it once (2004) because it supported Postgres. It got hacked in under a month. I admit that this was a one-off, but having searched around the Internet for various bulletin board software there seems to be no end of problems with phpbb with regards to security. I have even come across articles claiming that the phpbb team try not to publish all their exploits but rather blame PHP [0] itself, and that they have a tendency to ignore certain exploits in any releases that are not current. The whole thing does not inspire any confidence in me, and having been stung by the software once I think it would be foolhardy to give it another shot. Perhaps everything I am reading is true; perhaps it's all just bad luck.

Just out of interest, try searching Google for

    phpbb exploit

I get a "WE'RE SORRY" page from Google, which is an attempt by Google to prevent the proliferation of a particular worm; it's bad when Google step in ;) If you get results the first time then try the search a few times in succession. If you are lucky enough to get some search results you will notice that there are 821,000 pages in the search results. Compared to:

    exploit vBulletin    330,000
    exploit yabb          26,000
    exploit bbboard          631

I know it's hardly scientific, and that phpbb and vBulletin are a lot more popular than the other two boards, but I really cannot afford the time or the money that getting cracked costs, and try to avoid it at all costs.
Friendly advice: if you do decide to run phpbb then make sure you chroot Apache properly, which is something you should be doing anyway, particularly if you run any third-party software. This will save you time and money in the long run if someone gets in [1]. It's also easier to back up a chrooted env, so you can roll over [2] the cracked site after/if you catch them in the act.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] If PHP is so problematic with regards to security then this would still cast some doubt as to the team's ability, since they have chosen an implementation language that is severely flawed.
[1] This is assuming it's a typical remote command execution and not some other nefarious hack involving your database, which may be outside the chroot, or cross-site scripting, or .................. the list is endless.
[2] After fixing the hole.