the board this is hosted on.

Talk about pretty much anything here, but DO NOT USE FOR SUPPORT.

Moderator: Supporters

Suriv

the board this is hosted on.

Post by Suriv »

I know im not known here, and so I guess my word doesn't have that much weight yet....but, I would like to point something out. PhpBB is a very, VERY, unsecure forum. I would suggest 1.3 of Invision Power Board....but this is just me. IPB is much eaiser to use and mod.


Just a suggestion
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

In case you haven't noticed, Unreal is a free product. If Invision is indeed a better product (which I don't know for a fact that it is), we still don't have the $200 to purchase a copy...
-- codemastr
DeadNotBuried
Posts: 44
Joined: Wed Mar 10, 2004 5:30 am
Location: irc.majestic-liaisons.com
Contact:

Post by DeadNotBuried »

personally i see more security announcements about Invision than i do about PhpBB and the PhpBB coders always get on any faults found real quick
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

Yeah I think I agree with that. After I read his post, I did some searching for Invision.

So far this year:

2004-03-20: Invision Power Board Search.PHP "st" SQL Injection Vulnerability
2004-03-10: Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
2004-03-09: Invision Power Board Pop Parameter Cross-Site Scripting Vulnerability
2004-03-05: Invision Power Board Error Message Path Disclosure Vulnerability
2004-03-01: Invision Power Board Index.php Showtopic Cross-Site Scripting Vulnerability
2004-01-04: Invision Power Board Calendar.PHP SQL Injection Vulnerability

Granted, Invision had 6, and phpBB had 10 so far this year, but the difference is, I have to pay $200 for Invision, I pay nothing for phpBB. If phpBB had 100 and Invision had 6, then I'd say it's worth it, but when phpBB has 10, and Invision has 6, that's not worth $200 in my mind...
-- codemastr
AngryWolf
Posts: 554
Joined: Sat Mar 06, 2004 10:53 am
Location: Hungary
Contact:

Post by AngryWolf »

I have no problems with the current forum, it's fine for me, what I would be glad to see is a HTTPS connection, at least something to increase security in some degree.
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

Again, $$$$
-- codemastr
Phil
Posts: 5
Joined: Tue Mar 09, 2004 7:44 pm
Location: UK
Contact:

Post by Phil »

codemastr wrote:Again, $$$$
Wouldn't need to cost you a cent. I could sort this out for you at no charge...
Phil Veale
Phone: +44 800 8456 112
Email: email@philipveale.com
DeMiNe0
Posts: 50
Joined: Sat Feb 28, 2004 4:11 am

Post by DeMiNe0 »

There really is no reasen to have https on a forums, Its not like your putting in alot of sensative information. At most you'll be putting your forum password which SHOULD be a uniqe password.

I also have to disagree with the first post. First of all, you didnt defend your reasen for saying that phpbb is very unsecure.

phpBB i believe is a very secure board system. It really doesn't have as many security alerts as other boards(like your beloved invision board) and when somthing is found, i always get the patch email only a day or so later.

My main choice of Bulletin Board system would be Vbulletin but i dont have another $160 to shell out to buy another licence. I have 2 that im running on this server allready, so i don't think i can afford another.
AngryWolf
Posts: 554
Joined: Sat Mar 06, 2004 10:53 am
Location: Hungary
Contact:

Post by AngryWolf »

Of course I use unique passwords everywhere. HTTPS was only an idea, and as long as the admins here help me recovering my password when someone accidentally steals it, encryption isn't necessary for me. (As you said, forum passwords are not so important, therefore stealings aren't feasible either.)
DeMiNe0
Posts: 50
Joined: Sat Feb 28, 2004 4:11 am

Post by DeMiNe0 »

The board has an automated password recovery system. And the passwords are also encrypted in the database, so not even the webmaster can see passwords. Your passwords here are safe.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

DeMiNe0 wrote:And the passwords are also encrypted in the database, so not even the webmaster can see passwords. Your passwords here are safe.
You can say that again. IIRC, phpBB uses the php md5() function to encrypt passwords.
Syzop
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Well before we decided that this was going to be official I already said phpBB was quite insecure (yes I agree it is, I've seen like >80 bugtraq posts about this in the past 3 years and there are like 20 vulns if not more)...
But the thing is... if it's hacked... so what? There's not really anything secret stored here and if someone is able to modify information in here it's not a "big problem" either (again: put it in perspective)... If our main site, my personal site (vulnscan.org) or one of our mirrors got hacked it's like 20x worse.
Of course that doesn't mean I don't care, no.. don't get me wrong. If I see a new security vuln (like recently) I notify other people immediately, it's just that this is not "critical infrastructure" ;).
Besides, I like phpBB ;).
DeMiNe0
Posts: 50
Joined: Sat Feb 28, 2004 4:11 am

Post by DeMiNe0 »

In a joint project by hotscripts.com and devshed, phpbb was analyized along with about 20+ other boards for functionality and security. It placed 3rd in the ranks of functionality, and 2nd in ways of security. VBulletin came in first for both, invision came in 5th for security, and 2nd for functionality. So i tryed to base my choice of BB's off that, and i also didn't want to spend any money on a board license.

If you know of any more free BB's that you think are werth a try, bring it up with codemastr and im sure he'll talk to me about it.
Syzop
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

No no I'm happy with phpBB :P.

It's just hard in general to make forums secure (XSS, cookies/session fun, SQL Injection, standard php/.. bugs). And if you want to make stuff secure you often have to disable a lot of functionality (avatars, codes [bold/underline, urls, etc]). Life sucks ;).
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

I'm happy with phpBB as well. It seems to do 99% of the stuff we want, and it's free. Sounds like a good deal to me.
-- codemastr
Locked