On 12/30/05, Scott Marlowe <smarlowe@xxxxxxxxxxxxxxxxx> wrote:
>
> On 12/30/05, Raymond O'Donnell <rod@xxxxxx> wrote:
>
> QUOTE:
> I used it once (2004) because it supported Postgres. It got hacked in
> under a month. I admit that this was a one-off, but having searched
> around the Internet for various bulletin board software there seem to
> be no end of problems with phpbb with regards to security. I have even
> come across articles claiming that the phpbb team try not to publish
> all their exploits but rather blame PHP [0] itself, and they have a
> tendency to ignore certain exploits in any releases that are not
> current.
> UNQUOTE:
>
> That's hardly fair. PostgreSQL also ignores security issues on older
> versions. If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.

Actually, a security hole being found is not really anyone's fault [0]; it just happens, and then something has to be done by the user who has the software on his system. Would the people on here ignore requests for help regardless of version? I am sure if the case was strong enough someone would give you a hand; perhaps they wouldn't, but I am not reading on blogs how the PostgreSQL community ignores security issues or that PostgreSQL has a particular problem with security. In fact, searching for "Postgres exploit" returned 206000 results on Google, which, considering PostgreSQL is a great deal older than phpbb, is not bad now, is it?

> Also, as a big proponent of PHP, I have to admit that it's quite easy to
> write insecure software with it.

It's quite easy to write insecure software, period. Choice of language with regards to security is an almost pointless discussion. See point [0]. It's the ability of the surgeon in the majority of cases that makes for a successful operation, not his choice of scalpel [1].

> I've had nothing but good luck with PHPBB.

And I am truly happy for you. I would have loved phpBB to have been my silver bullet. I may yet need to use it again because I can find nothing else that will do the job. For all its faults it's most certainly filling a gap in the market. I don't want to use phpBB and I will need to be dragged kicking and screaming to drink from that well again, but where needs must, better the devil you know.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] Actually, we could blame the software developers for the bugs, but that would be like blaming a surgeon for stitches. However, this does not give the surgeon immunity if he performs the operation with as little aptitude as a drunk.

[1] Although choosing a chain saw for open heart surgery may put him in the "limited ability" category.