Re: Forum Software

From: Harry Jackson <harryjackson(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Forum Software
Date: 2005-12-30 22:39:30
Message-ID: 45b42ce40512301439s7053c496i88c993c7df011236@mail.gmail.com
Lists: pgsql-general

On 12/30/05, Scott Marlowe <smarlowe(at)g2switchworks(dot)com> wrote:
>
>
> On 12/30/05, Raymond O'Donnell <rod(at)iol(dot)ie> wrote:
>
> QUOTE:
> I used it once (2004) because it supported Postgres. It got hacked in
> under a month. I admit that this was a one off but having searched
> around the Internet for various bulletin board software there seem to
> be no end of problems with phpbb with regards security. I have even
> come across articles claiming that the phpbb team try not to publish
> all their exploits but rather blame PHP [0] itself and they have a
> tendency to ignore certain exploits in any releases that are not
> current.
> UNQUOTE:
>
> That's hardly fair. PostgreSQL also ignores security issues on older
> versions. If you're running 8.0.0 and a security fix came out in 8.0.1,
> it's your fault, not the PGDG folks.

Actually a security hole being found is not really anyone's fault [0]
it just happens and then something has to be done by the user who has
the software on his system.
Would the people on here ignore requests for help regardless of
version? I am sure if the case was strong enough someone would give you
a hand, perhaps they wouldn't but I am not reading on blogs how the
PostgreSQL community ignores security issues or that PostgreSQL has a
particular problem with security. In fact searching for Postgres
exploit returned 206000 results on Google which considering
PostgreSQL is a great deal older than phpbb is not bad now is it.

> Also, as a big proponent of PHP, I have to admit that it's quite easy to
> write insecure software with it.

It's quite easy to write insecure software period. Choice of language
with regards security is an almost pointless discussion. See point
[0]. It's the ability of the surgeon in the majority of cases that
makes for a successful operation not his choice of scalpel [1].

> I've had nothing but good luck with PHPBB.

And I am truly happy for you. I would have loved phpBB to have been my
silver bullet. I may yet need to use it again because I can find
nothing else that will do the job. For all its faults it's most
certainly filling a gap in the market.

I don't want to use phpBB and I will need to be dragged kicking and
screaming to drink from that well again but where needs must, better
the devil you know.

--
Harry
http://www.hjackson.org
http://www.uklug.co.uk

[0] Actually we could blame the software developers for the bugs but
that would be like blaming a surgeon for stitches. However, this does
not give the surgeon immunity if he performs the operation with as
little aptitude as a drunk.

[1] Although choosing a chain saw for open heart surgery may put him
in the "limited ability" category.
