Now that APC has changed, this problem will be avoided

Now that our esteemed Site Admin and his colleagues have changed APC to vBulletin we will not have to suffer this problem!

While vBulletin is nice, I have my doubts that it is any more secure than phpBB. phpBB is a well-written application, and I think it will become more and more secure over time, not less - the key thing is that they have a development team that is vigilant about closing these holes quickly. A lot of these site defacements come through vulnerabilities in other software like PHP itself or various add-on packages, etc. The bottom line is that the more publicly available software and scripts you have running on a site, the more vulnerable it is. APC has quite a lot of special features and custom modules, so it's something to watch out for.

No complex web software (vBulletin included) is 100% secure. It is very likely that there are more undiscovered security bugs in both phpBB and vBulletin. You don't want to let your guard down or assume you're protected just because you're running commercial software now.

FWIW, I'm a grad student specializing in computer security and I've read in detail about how the recent phpBB problems worked.

VB has gone from 3.0.3 to 3.0.6 in just a few weeks because of security issues. I agree that no software is totally secure.

Security was a reason for our move; it wasn't the only one. VB is a much more mature product at this point in time. I'm sure when phpBB 3 is released, it will catch up.

Cool, I wasn't meaning to question the move. There are certainly good reasons to move to vBulletin besides just security (database performance is a big one from what I understand, as is sheer numbers of features and the quality of the search tool). There are some really big sites that run on phpBB (I've seen some forums with 50+ times the number of users, posts, and threads that this one has) but mostly they run on really powerful and expensive hardware. That particular forum runs on a quad Xeon machine with I think 8 GB of RAM (!).

If you click on View > Page Source in Firefox, it appears that you can verify the "real" identity of a site that is using the URL spoofing exploit (at least for me, the spoofing doesn't work there on a couple of sites that demonstrate the bug). Still sucks, but at least there's a way to check up on a site if you're feeling paranoid or uneasy about something you're seeing.

At least it isn't anything more serious that's wrong with it. It's easy to assume that you're totally safe when using Firefox (or Firefox + Linux in my case) but this just goes to show that's not always the case.
