----- Original Message -----
From: "Harry Jackson" <harryjackson@xxxxxxxxx>
To: <pgsql-general@xxxxxxxxxxxxxx>
Sent: Saturday, December 31, 2005 12:39 AM
Subject: Re: [GENERAL] Forum Software

On 12/30/05, Scott Marlowe <smarlowe@xxxxxxxxxxxxxxxxx> wrote:
> Also, as a big proponent of PHP, I have to admit that it's quite easy to
> write insecure software with it.

It's quite easy to write insecure software, period. Choice of language
with regard to security is an almost pointless discussion. See point
[0]. It's the ability of the surgeon in the majority of cases that
makes for a successful operation, not his choice of scalpel [1].

> I've had nothing but good luck with PHPBB.

And I am truly happy for you. I would have loved phpBB to have been my
silver bullet. I may yet need to use it again because I can find
nothing else that will do the job. For all its faults, it's most
certainly filling a gap in the market.

So far I've been quite happy with phpbb as well. There are some PHP
security issues that of course every PHP-using administrator can modify
if they so choose, like register_globals etc. Then of course the phpbb
installation instructions claiming you have to chmod 777 the whole phpbb
directory tree aren't true, and actually judicious use of other access
permissions is even more recommended - I use 770 as my base permissions
and then tighten the permissions for certain files and directories
further.

The security patches seem to come at fairly good intervals, and are
pretty easy to apply, unless you're running a heavily customized board.
Of course keeping the whole site secure means following the Apache, PHP,
Postgres and OS updates, which can be painless or painful depending on
the OS of your choice. Phpbb as such can't be held responsible IMO in
cases where a cracker uses a security hole located in any underlying
component.

Just out of curiosity, was only the bulletin board cracked or was your
whole system compromised?

-Reko
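
The permission approach described in the message above (a 770 base instead of a blanket chmod 777, tighter modes on selected files, and a check of register_globals), as an added example that is not part of the original thread. The function names, the 660 and 640 file modes and any paths passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit and tighten a web
# application tree that was installed with "chmod -R 777".

# List every file or directory under $1 that is writable by "other".
# Symlinks are skipped because their own mode bits carry no meaning.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Apply the base policy: directories 770, regular files 660.
# (660 for files is an assumption; the message only names 770 as the base.)
apply_base_perms() {
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# Tighten one file further, e.g. a config file holding the database
# password: owner read/write, group read-only, nothing for others.
tighten_file() {
    chmod 640 "$1"
}

# Report the register_globals setting in a php.ini-style file as
# "on", "off" or "unset". Lines commented out with ';' are ignored.
# If both an On and an Off line are present, "on" is reported.
register_globals_state() {
    key='^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*"?'
    if grep -Eiq "${key}(on|1|true|yes)" "$1"; then
        echo on
    elif grep -Eiq "${key}" "$1"; then
        echo off
    else
        echo unset
    fi
}
```

Run `audit_world_writable` before and after `apply_base_perms`; the second run should print nothing. The web server user must own the tree or belong to its group for a 770 base to work.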