It seems web hosting companies are finally coming to grips with something most security experts have known for quite some time: phpBB is inherently insecure. According to Netcraft, some are taking steps to prevent further exploitation via this application by banning its usage on their servers.
As usual, the phpBB developers are denying blame and claiming such moves are unwarranted, but given their security record during the past 6 months alone this is hardly surprising. Not only are new issues being found, because the developers can't seem to do a security audit, but new versions re-introduce bugs that have previously been solved (2.0.15 re-introduced the flaw exploited by the Santy worm).
I hope other hosting providers will take notice and adopt the same strategy, not only for phpBB2 but for any application with a consistent history of security faults whose developers do not wish to take responsibility for them and fail to take the time to conduct an extensive security audit of their code.
Web hosts are banning phpbb. Are you one of them? Security issues have been in phpbb for so long and new ones are discovered like every day. I never recommended phpbb as a forum software. More like IPB (Invision Power Board).
I definitely agree. I am in the process of getting phpBB off my servers and switching to FUD Forum. phpBB is simply old outdated coding that needs to be overhauled, pretty much started over... and FAST.
I believe that phpBB looks better than any other forum, and I think this is the primary reason behind its adoption. The look and feel of software affects a user's perception of its quality, and this belief is supported by usability experts and focus groups. Microsoft has been exploiting this characteristic of human nature for years.
Thus, I think it would be worth the effort to take something like FUDforum and make it pretty. Does the PHP community have any excellent designers?
The point about presentation is a good one, what you are saying is without a doubt the reasoning behind why many people chose it. But this is something that needs to change, if we are to avoid seeing things like Santy and its successors.
While I did focus on phpBB, it is not the only application frequently hammered by security faults, which judging by the disclosure a simple security audit would've found.
No developer or group of developers is infallible, people make mistakes, and sometimes those translate into logic bugs, sometimes into security issues. The thing that drives me mad (hence this rant) is the fact that the same apps get compromised with the same problem over and over again. This to me, says that the developers simply don't care, preferring a quick fix rather than taking the time to come up with a proper solution.
Simply stunning. I suggest we tell HP, Toshiba, IBM, eMachines and so on to stop putting Windows on all their PCs and provide discs for some *Nix variant?
My point is: all programs have their weaknesses, and like the paid applications (vB, IPB, etc), they hide them. Yes, that's right, not many get out to the public because any trace of them is removed quickly.
phpBB is a widely used application and as such, people with free time will find ways through the coding. I don't know if you've seen some of the other exploits affecting PHP itself (XMLRPC), but again, if you don't like it, go use something else.
...oh and a final note: most web hosts fail to upgrade their server software: I've been a victim of that with a number of previous hosts who can't be bothered to update their system software and wonder why everyone's account is suspended until they find out -- hey, the admin screwed up.
Take into account all the variables before blaming the software. People err and will err for years to come.
Sure, I'd recommend Mac OSX over Windows any day, not only is it more secure but its UI is far better too. When it becomes available on x86, unless Apple makes it very hard, I'd expect mass windows -> OSX migrations.
You are right, people make mistakes, but what differentiates good developers from the bad is how mistakes are handled. If a developer takes responsibility and fixes the problem and also reviews their code for similar problems, in my mind they act responsibly. However, if they choose to delegate blame and don't learn from their mistakes...
I would simply agree with this. Although I really do not agree with the above user's post. PHPBB security issues are more frequently found and not updated for some time, leaving the bulletin board exposed before it is patched.
Yes this is with most software but what you do not find is that most of the security problems related to phpbb hit the wild on how to execute the flaw. Not only is this a concern but more along the lines of unwillingness to really refactor the code where a problem exists and flopping some software together to make it work.
PHPBB really follows no design pattern of how the code actually runs and it is a pretty jumbled mess... to where I consider it bloatware. It has expanded beyond its capability and the developers look more to what new feature can I add instead of what can I refactor to harden up phpbb.