Message-ID: <1683814a0506200614301fb5e1@mail.gmail.com>
Date: Mon Jun 20 14:14:21 2005
From: deeper at gmail.com (Daniel)
Subject: Security of phpBB
Tom,

It pretty much breaks down to 3 questions:

1: Will it be web-facing at all (or are we looking at an internal server only)?
2: Is this for company confidential information, or general chatter?
3: What other products have you looked at?

To be honest, I'd recommend Phorum http://phorum.org/ as it's far more
secure than phpBB (which incidentally I now use to teach people how
not to produce web applications).

Also, adding another layer like mod_security,
http://modsecurity.org, helps.

Daniel
OWASP.org

On 6/20/05, Moritz Naumann <info@...itz-naumann.com> wrote:
> Tom Edwards wrote:
> > I am new to this list and to security in general so please excuse my
> > question. A friend told me that our forum software phpBB is not very
> > secure and told me about this. Where can I get information on that? What
> > must I do to make it secure?
>
> Hi Tom,
>
> Many people are concerned about known and unknown security issues
> related to phpBB. There have been a lot of security issues with it in
> the past, have a look at
> http://www.phpbb.com/security/final_reports.php
> (or search the FD archives) for some of the latest.
>
> The assumption many people make is that if so many vulnerabilities are
> constantly discovered on this software, it can be assumed that there
> still are many left and this application must thus be considered
> insecure in general.
>
> While I'm not saying this is a correct conclusion (and I'm also not
> saying it was not), far fewer security issues have been discovered in
> other widespread bulletin board software in the same time (which might
> also be related to other factors such as their licensing terms and
> pricing, which make a comparison difficult, though).
>
> Hope this helps a bit,
> Moritz