WebApp Sec mailing list archives

Re: phpBB Ban


From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Wed, 20 Apr 2005 16:47:09 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recognize that most software applications have bugs in them.   The problem 
that I have with phpBB is that it is not just "software bugs", but a 
demonstrated lack of understanding of certain security concepts, particularly 
input validation and escaping for a SQL transaction.  Because it is a web 
program, a good hacker with a search engine bot can find thousands of 
vulnerable scripts in a matter of minutes and use them for what he chooses.  
I suggest that sysadmins look for alternative solutions unless they (or 
someone they trust in the security community) can vouch for the relative 
strength of the scripts' security.

As to the question about Windows, that is a question that you should really 
not ask me.  IMHO I think that for many small and large businesses, Windows 
is not the best solution for a server application.  Medium businesses can 
find convenience and comfort in the cost and familiarity of Windows servers, 
but I do think that just about any organization should look into alternative 
solutions.  Security comes in many forms and more and more organizations are 
looking into open source applications so that they can have the *security of 
mind* that some third party company doesn't have their data by the balls with 
a proprietary format.

- -Joseph Miller

On Wednesday 20 April 2005 11:49 am, Ole Martin Eide wrote:
> Joseph Miller wrote:
> > The reason that I think that a ban would be important for a project such
> > as phpBB is because of its wide use.  One attacker could spend a single
> > day and attack hundreds or even thousands of websites that have phpBB
> > using a single script and a web search engine.  This type of wide
> > deployment makes this program more of a risk than just a problem with one
> > or two servers.  This type of problem becomes global.
>
> The use of 'Windows' is also widespread. Over the years it has been
> patched more times than a human can count. Does this mean administrators
> should enforce the use of other operating systems?
>
> To make a sharp statement; most web scripts around have some kind of bug,
> at some point, that will compromise the site and/or even more.
>
> My view is that there will always be bugs, and people to find them and
> use them. So the only thing we can do is to prepare for it to happen.
> Thank god for mod_sec :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZr/PmXZROF+EADURAlRQAJ4wLWnpU00njqAqOfRLRJ456dW5AACfYAqE
RV2g9t6Hy/RSgsW1B0Y8fAM=
=Wp9N
-----END PGP SIGNATURE-----
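As an added illustration of the point Joseph makes about input validation and escaping for a SQL transaction (this is example code written for this archive page, not code from the thread and not phpBB's own code), the block below builds a query two ways: once by pasting user input into the SQL text, once with driver placeholders. It assumes an in-memory SQLite database, a hypothetical `users` table, and constructed rows and payloads; the tautology payload and the comment-based payload are the classic shapes a search-engine-driven attack script would try against a login form.

```python
"""Constructed example: string-built SQL vs. parameterized SQL.

Everything here is made up for illustration: the `users` table, its rows,
and the attack strings. It runs offline against an in-memory SQLite DB.
"""
import re
import sqlite3


def build_db():
    """Create a throwaway database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed rows
    )
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """Vulnerable: user input becomes part of the SQL text itself.

    A quote in either field ends the string literal and the rest of the
    input is parsed as SQL, so the WHERE clause can be rewritten at will.
    """
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened: placeholders; the driver sends values out-of-band.

    The SQL text is fixed at write time; quotes, comments and keywords in
    the input are only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def is_valid_username(name):
    """Input validation layered on top of escaping: accept only the
    characters a username is allowed to contain (hypothetical policy)."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


def demo():
    """Run both variants against the same constructed payloads."""
    conn = build_db()
    tautology = "' OR '1'='1"    # turns the WHERE clause into always-true
    comment = "alice' --"        # closes the literal, comments out the rest
    return {
        # AND binds tighter than OR, so every row matches: both users leak
        "unsafe_tautology": login_unsafe(conn, "nobody", tautology),
        # the password check is commented away: alice logs in with any password
        "unsafe_comment": login_unsafe(conn, comment, "x"),
        # same inputs, parameterized: no rows, the payloads are just strings
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "safe_comment": login_safe(conn, comment, "x"),
        # the legitimate path still works
        "safe_real": login_safe(conn, "alice", "s3cret"),
        # validation rejects the comment payload before any query is built
        "valid_alice": is_valid_username("alice"),
        "valid_comment": is_valid_username(comment),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %r" % (key, value))
```

Note that the parameterized form is the fix; the whitelist check is defence in depth, not a substitute, since fields like a free-text post body cannot be restricted that way and still have to reach the query through placeholders.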