phpBB


10th February 2005

I recently read on the phpsec mailing list that the phpBB site has been hacked. Bummer. Not through any fault of their own, apparently (well, not of their software, at least...). On their website there's currently a bit of a tirade about people kicking up a hoo-ha about it being the fault of phpBB, and about ISPs pulling phpBB from their servers.

Back on the phpsec list, Marco Tabini (IIRC) was defending them by saying that he thought their reputation was possibly undeserved, due to the complexity of the phpBB software.** Hmmm. Personally I feel that excuses shouldn't be made, and that reputations are (most of the time) built up for a reason. Just look at the hard facts, for example:

** This is from memory, as Thunderbird recently started doing as it's told and deleting messages properly.

Update: OK, for all those who didn't quite "get" the joke (which appears to be pretty much everyone I talk to about it), the "hard facts" of 142,000 Google hits for "phpbb exploit" were just that: a joke. As you can now probably imagine, my sense of humour can be somewhat drier than your average desert...

On a serious note though, regarding the security of phpBB, and for that matter any other PHP application, bulletin boards in particular: what is the issue? Security really isn't that hard. Looking at the feature list of phpBB (for example), the only thing that requires significant consideration is the handling of HTML in posts: anything a user types that reaches the page unescaped is a script-injection (XSS) hole, so the board has to either strip HTML or whitelist it, tag by tag and attribute by attribute. But at the end of the day, why allow HTML anyway? What do you really need to get across in a post that you can't do with BBCode? Maybe it's down to competition - other board software allows it, so you have to add it to yours. I guess feature creep has a lot to answer for.
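To make the "handling of HTML in posts" point concrete, here is an added example of a small BBCode renderer written for this page; it is not phpBB's code and not code from the original post. It is written for modern PHP (7 or later). The approach: escape the entire post first, so nothing the user typed can become markup, then convert a short whitelist of tags, validating every tag parameter against a closed table or a strict pattern before it is emitted. The tag set, the size table, the colour list and the URL pattern are this example's own assumptions. It also bears on the exchange in the comments below about whether BBCode is any safer than a subset of HTML: the safety comes from the parameter validation, not from the bracket syntax, and a whitelisted HTML subset validated the same way would be just as safe.

```php
<?php
// Added example (not phpBB's or the author's code): a minimal BBCode renderer
// that is safe by construction. Everything is HTML-escaped first; only the
// whitelisted tags below are turned into HTML, and every tag parameter is
// validated before it reaches the output. The tag set, size table, colour list
// and URL pattern are assumptions made for this example, not phpBB's.

function render_bbcode(string $post): string
{
    // 1. Escape everything. From here on "<", ">", quotes and "&" in the user's
    //    text are entities, so any tag that is not recognised, or whose
    //    parameter is rejected, simply stays visible as literal text.
    $html = htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Paired tags with no parameters: nothing to validate beyond the name.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $tag) {
        $html = preg_replace(
            '~\[' . $bb . '\](.*?)\[/' . $bb . '\]~s',
            '<' . $tag . '>$1</' . $tag . '>',
            $html
        );
    }

    // 3. [size=N]text[/size]: sizes come from a closed table (assumed values).
    //    An unknown size is rejected and the escaped tag is left as text, which
    //    is how "size 50 blinking text" never makes it onto the page.
    $sizes = [1 => '0.8em', 2 => '1em', 3 => '1.2em', 4 => '1.5em'];
    $html = preg_replace_callback(
        '~\[size=(\d{1,2})\](.*?)\[/size\]~s',
        function (array $m) use ($sizes): string {
            $n = (int) $m[1];
            if (!isset($sizes[$n])) {
                return $m[0];
            }
            return '<span style="font-size:' . $sizes[$n] . '">' . $m[2] . '</span>';
        },
        $html
    );

    // 4. [color=X]text[/color]: a named colour from a whitelist or #rrggbb.
    //    The strict pattern is what keeps style-attribute injection out.
    $colors = ['red', 'blue', 'green', 'black', 'gray'];
    $html = preg_replace_callback(
        '~\[color=([A-Za-z0-9#]{1,7})\](.*?)\[/color\]~s',
        function (array $m) use ($colors): string {
            $c = strtolower($m[1]);
            if (!in_array($c, $colors, true) && !preg_match('/^#[0-9a-f]{6}$/', $c)) {
                return $m[0];
            }
            return '<span style="color:' . $c . '">' . $m[2] . '</span>';
        },
        $html
    );

    // 5. [url=X]text[/url]: the classic trap. Without validation,
    //    [url=javascript:alert(1)] is the same script-injection vector as
    //    <a href="javascript:...">. Only http(s) URLs pass; the value is already
    //    entity-escaped, so it cannot break out of the href="..." attribute.
    $html = preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            if (!preg_match('~^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/\S*)?$~i', $m[1])) {
                return $m[0];
            }
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    return $html;
}

// Constructed sample posts (made up for this example): two attack attempts,
// then accepted and rejected parameters side by side.
$samples = [
    '[b]bold[/b] and <script>alert(1)</script>',
    '[url=javascript:alert(1)]click me[/url]',
    '[url=http://example.com/?a=1&b=2]a real link[/url]',
    '[size=99]huge[/size] [color=red]ok[/color] [color=red;background:url(x)]bad[/color]',
];
foreach ($samples as $s) {
    echo render_bbcode($s), "\n";
}
```

Run it with `php render_bbcode.php`. The raw `<script>` in the first post comes out as entities; the `javascript:` URL, the unknown size and the colour carrying extra CSS are all left as visible BBCode rather than silently dropped, so the rejection is obvious to the poster. The regexes here do not model nesting or unbalanced tags, which is a code-quality limitation rather than a security one; the point is that every value copied into an attribute has been checked against something closed before it is emitted.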


Comments

Author: Dieter
Posted: 10th February 2005 20:40
Some other "hard facts":
- Results 1 - 10 of about 117,000 for vbulletin exploit. (0.17 seconds)
- Results 1 - 10 of about 26,000 for ipb exploit. (0.37 seconds)
- Results 1 - 10 of about 61,900 for wbb exploit. (0.67 seconds)
- Results 1 - 10 of about 30,500 for ubb exploit. (0.32 seconds)
- Results 1 - 10 of about 7,630 for ikonboard exploit. (0.37 seconds)

Such figures don't say much, IMHO.
Author: Marco
Posted: 12th February 2005 01:40
I think I wasn't particularly clear with my message. What I meant to say is that phpBB is a complex application that needs a security audit, rather than a rewrite (not that the rewrite is useless--it's just that a complete rewrite isn't going to get people off the old version any time soon; it'd be like the PHP team stopping development of PHP4 now that 5 is out--whereas there's plenty of bug fixing going on).

So, I wasn't really trying to justify what the phpBB people do or how they do it, but I don't think phpBB should be thrown down the drain either, since it is a nice application that lots of people find useful.
Author: Ilia
Posted: 13th February 2005 21:45
Security is one of those things that, unless it is planned for from the onset, is next to impossible to properly implement once the application has been completed. This is even more apparent with a large-scale application.

A security audit may be a quick means to find and eventually resolve some security issues, but it is unlikely to solve all security problems.
Author: Chris Shiflett
Posted: 14th February 2005 16:32
I agree with Ilia. As with most things, the more complicated you make something, the easier it is to make a mistake. It doesn't matter how smart you are. To write a secure PHP application requires that it be designed with security in mind, otherwise you're destined to be constantly plugging security holes. I'm generally not a fan of rewrites, but there are some cases where it's the best step to take.

> But at the end of the day, why allow HTML anyway?
> What do you really need to get across in a post
> that you can't do with bbcode?

I've asked this before, and no one has ever been able to answer my question. How is bbcode any safer than HTML? What's the point of making up another markup language when a subset of an existing one works just fine? (This was discussed on Marco's security list a while back.)
Author: Ilia Alshanetsky
Posted: 14th February 2005 23:49
A properly validated/implemented BBCode should provide the user with a means to customize the appearance of their messages without breaking the layout.
If you permit HTML and allow even harmless things like <font> tags, people could abuse those to make size 50 multicolored blinking text that would ruin the entire page. A safe BBCode tag may allow font/size/color changes, but not permit things like blinking, and restrict colors and sizes to a "safe" subset, and use the font size to determine proper word wrapping. For example, if font size == 6, force a wrap every 10 chars, but with font size 3 word wrap every 30 chars, etc...
Author: Chris Shiflett
Posted: 15th February 2005 15:24
But how is that different from a subset of HTML? It's not like you'd want to allow everything, since that would be an XSS vulnerability.
Author: Noel Darlow
Posted: 16th February 2005 12:21
Back on topic, I help maintain a PHP forum which uses phpBB. The code is appalling and near impossible to work with. That is to a certain extent a matter of taste, but the lack of good design (i.e. global spaghetti and no encapsulation) must contribute significantly to security issues. How can a new BBCode tag be unit tested, for example?

This is a very popular piece of software, but it's also very badly written. Par for the course in PHP, I guess. Where are all the enterprise-ready PHP apps?
Author: Richard Heyes
Posted: 17th February 2005 13:45
> Where are all the enterprise-ready php apps?

I doubt you'll find many (if any) Open Source "enterprise ready" PHP apps. I think the general standard of coding ability is probably too low, because of the low entry requirements of PHP.

Not only that, but if you're going to make something that truly is "enterprise ready", then why not sell it and make some buckeroos?
