Security Holes in Common Forum Software Packages Exploited

Forum Moderators: rogerd

Message Too Old, No Replies

Security Holes in Common Forum Software Packages Exploited

Brett_Tabke

11:56 pm on Feb 2, 2006 (gmt 0)

[eweek.com...]

Poor deployment of security patches by administrators and the growing popularity of programs like phpBB are to blame, Netcraft said.
On Jan. 30, a bulletin board run by chip maker AMD was compromised by hackers and was used to distribute malicious code.
Those who visited the site, forums.amd.com, were prompted to download a file that exploited a recently patched vulnerability in Windows code used to process WMF (Windows Meta File) format image files, according to anti-virus firm F-Secure Inc. in Helsinki.

treeline

1:06 am on Feb 3, 2006 (gmt 0)

So can we buy BestBBS v3.39 to avoid these issues?

rogerd

3:45 am on Feb 3, 2006 (gmt 0)

The article seems to imply that it was a phpBB vulnerability, but the code on the AMD forum looks like Invision?

viggen

5:40 am on Feb 3, 2006 (gmt 0)

yup, AMD is defenitely using invision board...

I wonder if they (AMD) upgraded beginning of Jan the critical update IPS put online?

cheers
viggen

trillianjedi

1:52 pm on Feb 3, 2006 (gmt 0)

So can we buy BestBBS v3.39

I'm sure this is one of the reasons you can't buy it.

In fact, if it were my software, I wouldn't sell it for this very reason.

Part of the problem with security is having your software on someone elses PC, where, in a local setting, exploits can be more easily uncovered.

AlexK

4:13 pm on Feb 3, 2006 (gmt 0)

trillianjedi:

I'm sure this is one of the reasons you can't buy it ... Part of the problem with security is having your software on someone elses PC

Hmm, the Microsoft defence (security by obscurity).

If the issue is purely security, then I choose phpBB2. It has been hacked that often that it is the most tested, the most secure.

physics

4:57 pm on Feb 3, 2006 (gmt 0)

It has been hacked that often that it is the most tested, the most secure.

Because it has a history of gettting hacked it's more secure?!

AlexK

7:39 pm on Feb 3, 2006 (gmt 0)

physics:

Because it has a history of gettting hacked it's more secure?!

As long as those hacks are followed by fixes, then - yes!

treeline

11:32 pm on Feb 3, 2006 (gmt 0)

I think the history of repairing Internet Explorer issues shows the folly of this theory. Just because they've successfully fixed a large number of holes doesn't mean there aren't lots more to discover.

AlexK

5:43 am on Feb 4, 2006 (gmt 0)

Yikes, strong argument on MSIE, except for just one thing: M$ code is closed and thus--unless you are the Chinese Government--you cannot read it. phpBB2 code is open and freely published.

Thus, it gets fixed, as long as attention is paid to it.

physics

5:55 pm on Feb 4, 2006 (gmt 0)

I'd prefer an open source solution with less history of getting hacked (or hack density, i.e. hacks/number of users of the software out there), rather than more. Because somethings hacked a lot doesn't mean all of the holes are closed. It might mean that the code wasn't written with security in mind in the first place.

AlexK

5:06 pm on Feb 5, 2006 (gmt 0)

My main issue with phpBB2 is the difficulty of upgrading a heavily-modded system. With everything else - well, when I become perfect I'll start throwing stones.