Re: phpBB Ban

[Daniel <deeper () gmail com>]

i think a ban is a bit heavy handed, i can think of many packages out 
there which dont have any security in place (but are still used)


On 18 Mar 2005, at 22:17, Joseph Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone else here started using phpBB?  After reading Andrew van der
> Stock's message, I was quite concerned about the security of phpBB.  I 
> had
> just installed this on one of my websites, and I was in the process of
> integrating it with my existing user database.  After viewing very 
> little of
> the code, I became extremely alarmed.  I immediately deleted the forum 
> from
> my website as this would be the perfect point of entry for an attacker
> looking for weak security code structure.  Their idea of a
> mysql_escape_string() equivalent is a str_replace() that replaces all 
> single
> quotes with two single quotes.  This project is open source so it has 
> no
> 'security through obscurity' even if that were the chosen method.  
> Other code
> did some htmlspecialchars() for escaping, then checked the particular
> variable against explicit constants.  How does this help?  Either it 
> matches
> or it doesn't, especially with single words that have no special 
> characters
> in them.  I am not a security expert nor do I purport to be one.  
> However,
> this code, IMHO, demonstrates a complete misunderstanding of security. 
>  I
> don't think that they don't care about security, I just don't think 
> that they
> understand it.
>
> I recommend a ban of this project from all websites that need any type 
> of
> security until a preliminary review can be done of the security 
> methods and
> approaches taken by the project.  Not that I'm volunteering for the 
> task, I'm
> probably just going to find another, more secure project.  Besides, I'm
> unquestionably unqualified to do a code review for someone else's code.
>
> - -Joseph Miller
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFCO1NymXZROF+EADURAgJ0AJwOXtDbzdXpQS68Y4GHj7IOYoVa5QCeLbpz
> mAQr39BD41Jjanv7KEDBpwk=
> =WEEu
> -----END PGP SIGNATURE-----