
1 - 12 of 12 Posts

·
Premium Member
Joined
·
3,966 Posts
Security was one of the reasons we moved over. I understand the defacing of phpBB.com was not caused by the phpBB2 software, but rather AWStats, a third-party weblog analyzer.
 

·
Registered
Joined
·
1,035 Posts
Discussion Starter #5
Art is right, of course.

But one must note, where one piece of software "ends" and another "starts" is a grey area in these days of web integration. Indeed, it was not phpBB s/w but the stats s/w which formed the avenue of intrusion...

Note to users of Firefox that there is a URL spoofing problem about. Hopefully, there is a fix somewhere too.

Andrew Cribb
 

·
Registered
Joined
·
117 Posts
While vBulletin is nice, I have my doubts that it is any more secure than phpBB. phpBB is a well-written application, and I think it will become more and more secure over time, not less - the key thing is that they have a development team that is vigilant about closing these holes quickly. A lot of these site defacements come through vulnerabilities in other software like PHP itself or various add-on packages, etc. The bottom line is that the more publicly available software and scripts you have running on a site, the more vulnerable it is. APC has quite a lot of special features and custom modules, so it's something to watch out for.

No complex web software (vBulletin included) is 100% secure. It is very likely that there are more undiscovered security bugs in both phpBB and vBulletin. You don't want to let your guard down or assume you're protected just because you're running commercial software now.

FWIW. I'm a grad student specializing in computer security and I've read in detail about how the recent phpBB problems worked.
 

·
Premium Member
Joined
·
3,966 Posts
Mnemia,

VB has gone from 3.0.3 to 3.0.6 in just a few weeks because of security issues. I agree that no software is totally secure.

Security was a reason for our move, it wasn't the only one. VB is a much more mature product at this point in time. I'm sure when phpBB 3 is released, it will catch up.
 

·
Registered
Joined
·
117 Posts
Art_Giacosa said:
Mnemia,

VB has gone from 3.0.3 to 3.0.6 in just a few weeks because of security issues. I agree that no software is totally secure.

Security was a reason for our move, it wasn't the only one. VB is a much more mature product at this point in time. I'm sure when phpBB 3 is released, it will catch up.

Cool, I wasn't meaning to question the move. There are certainly good reasons to move to vBulletin besides just security (database performance is a big one from what I understand, as is sheer numbers of features and the quality of the search tool). There are some really big sites that run on phpBB (I've seen some forums with 50+ times the number of users, posts, and threads that this one has) but mostly they run on really powerful and expensive hardware. That particular forum runs on a quad Xeon machine with I think 8 GB of RAM (!).
 

·
Premium Member
Joined
·
3,966 Posts
The largest community, Gaia, runs on phpBB technically. However, it has been modified so much that it isn't close to the original software.

I still think phpBB2 is a good product and support the open source initiative. I just think vB is better now.
 

·
Registered
Joined
·
6,380 Posts
pineapple said:
Note to users of Firefox that there is a URL spoofing problem about. Hopefully, there is a fix somewhere too.

Andrew Cribb

Damn, it's getting tough out there. It's almost getting to be a universal thing to do a good share of your business online.
I tried to access our bank account yesterday, and Firefox said they couldn't communicate with the bank's code, which I guess is better than having that info get hacked. It's just such a PITA. IE won't work at all for that sort of thing, so trying to stay up with the modern conveniences without compromising your security is a challenge, to say the least.
 

·
Registered
Joined
·
117 Posts
If you click on View > Page Source in Firefox, it appears that you can verify the "real" identity of a site that is using the URL spoofing exploit (at least for me, the spoofing doesn't work there on a couple of sites that demonstrate the bug). Still sucks, but at least there's a way to check up on a site if you're feeling paranoid or uneasy about something you're seeing.

At least it isn't anything more serious that's wrong with it. It's easy to assume that you're totally safe when using Firefox (or Firefox + Linux in my case) but this just goes to show that's not always the case.
 