WebApp Sec mailing list archives
Re: phpBB Ban
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Wed, 20 Apr 2005 16:47:09 -0400
I recognize that most software applications have bugs in them. The problem that I have with phpBB is that it is not just "software bugs", but a demonstrated lack of understanding of certain security concepts, particularly input validation and escaping for a SQL transaction. Because it is a web program, a good hacker with a search engine bot can find thousands of vulnerable scripts in a matter of minutes and use them for what he chooses. I suggest that sysadmins look for alternative solutions unless they (or someone they trust in the security community) can vouch for the relative strength of the scripts' security.

As to the question about Windows, that is a question that you should really not ask me. IMHO I think that for many small and large businesses, Windows is not the best solution for a server application. Medium businesses can find convenience and comfort in the cost and familiarity of Windows servers, but I do think that just about any organization should look into alternative solutions. Security comes in many forms and more and more organizations are looking into open source applications so that they can have the *security of mind* that some third party company doesn't have their data by the balls with a proprietary format.

-Joseph Miller

On Wednesday 20 April 2005 11:49 am, Ole Martin Eide wrote:
> Joseph Miller wrote:
> > The reason that I think that a ban would be important for a project such as phpBB is because of its wide use. One attacker could spend a single day and attack hundreds or even thousands of websites that have phpBB using a single script and a web search engine. This type of wide deployment makes this program more of a risk than just a problem with one or two servers. This type of problem becomes global.
>
> The use of 'Windows' is also widespread. Over the years it has been patched more times than a human can count. Does this mean administrators should enforce the use of other operating systems?
>
> To make a sharp statement; most web scripts around have some kind of bug, at some point, that will compromise the site and/or even more. My view is that there will always be bugs, and people to find them and use them. So the only thing we can do is to prepare for it to happen. Thank god for mod_sec :)