phpbb and security

August 31st, 2006. Tagged: phpBB

Man, do I have a lot of todos! I was going through my posting drafts on this blog and found this 1 year old piece (from Aug 10th, 2005). I remember I was responding to this blog posting, but at some point I desided that I don't have the time to finish it, so I saved it as a draft. Well, one year was not enough to finish it, so here is the a draft as part of my postings cleanup.


Nice posting, thanks! I just want to add something on the phpBB part of it. OK, PHP is the most popular, compared to the other web languages, hence the most security issues with it. Well, I can apply the same logic to phpBB and phpMyAdmin. Everybody uses phpMyAdmin and phpBB is probably the most popular BB package out there. phpBB is an open (therefore exposed) source package and being also a bulletin board package makes it a nice target. Any BB site out there has has its kids that hate it and want it hacked, defaced, DB-emptied, userbase-exposed or otherwise dead. So they start digging every single regexp looking for a "door". And they find it, one after the other. It's normal, we all know that there's no such thing as a secure or bug-free software.

I don't say that phpBB's code is perfect (is there a perfect code?!), but I don't think phpBB should pay for all the sins of all PHP devs out there. We all make mistakes, that's nature. And it's not nice to call each other names in such situations. Two examples - PEAR's recent XML_RPC expliot (you cannot say that Stig Bakken can't hack in PHP) and a blog posting about some omissions in this PHP security guide!


Update from Aug 31st, 2006:
I really like this piece Harry Fuecks wrote ovet at SitePont. Hopefully the "war" is over and people no longer point fingers at each other, but learn from each other's mistakes instead.

Being able to see many shades of grey rather than black and white could be another point to add to the ideal profile. PHP (and security) is a good case in point—what strikes you as a smarter response: screaming PHP sucks or understanding that it’s popular and doing something to improve the situation?

Tell your friends about this post: Facebook, Twitter, Google+

Sorry, comments disabled and hidden due to excessive spam. Working on restoring the existing comments...

Meanwhile, hit me up on twitter @stoyanstefanov