That may be, but the fact still remains that it is a widely known, widely
used, open source application which makes it more vulnerable than a piece of
software that is RIDDLED with security holes but hardly used.

..:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-----Original Message-----
From: Kevin Aebig [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 25, 2006 1:28 PM
To: CF-Talk
Subject: RE: Various thoughts on chat, cfhttp, phpbb, and the encrypt
function

That's not completely true.

I've done full scale phpBB integration and for the most part it's mainly
insecure because of "feature creep". They started off with a good idea, but
have put a lot of people at risk with the type of framework they put in
place.

!k

-----Original Message-----
From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 19, 2006 7:38 PM
To: CF-Talk
Subject: RE: Various thoughts on chat, cfhttp, phpbb, and the encrypt
function

Wal-Mart is one of the most widely shopped at stores on the planet but
that's just because there are so many of them out there ;-)

PHPBB may get hacked occasionally but it's because it's widely used and well
known... not to mention, anyone can see the source. Usually, the hacks
happen because people don't update or pay attention to notifications of
vulnerabilities. I don't recall any of those notifications or updates fixing
any security risks in the encryption it uses though.


....:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com


-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 19, 2006 7:31 PM
To: CF-Talk
Subject: Re: Various thoughts on chat, cfhttp, phpbb, and the encrypt
function

I'd be worried about the reverse situation - PHPBB is one of the most
hacked web apps on the planet.

On 2/20/06, Rick Root <[EMAIL PROTECTED]> wrote:
> In an effort to do something different with my chat app, I thought it'd
> be cool to "integrate" with an EXTERNAL third party app - phpBB.
>
> I run a little blog... www.thecaniac.com (I'm a big fan of the Carolina
> Hurricanes hockey club).  I'm also a heavy participant in the
> organization's official message boards, which use phpBB.
>
> So I put up a chat room on my blog, and I want people to use their phpbb
> usernames.. but I don't want people to be able to masquerade as someone
> else.
>
> So I wrote a little script that actually uses my message board login,
> and using CFHTTP, logs into phpbb and sends a private message to the
> user with a link they can use to access the chat room.  The link
> contains an "access key" which is encrypted and url-encoded, it contains
> their username and a timestamp.
>
> And it worked!  I was actually amazed.
>
> Question - how difficult is it to crack the encryption that CF uses by
> default?  Without knowing the key I used to encrypt it, of course.

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/
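
The access key described in the quoted question (a username plus a timestamp carried in a link) is shown here as an added example that is not part of the original thread and is not Rick's code. It swaps encryption for an HMAC-SHA256 tag so that a changed username or timestamp is rejected, and it is written in Python rather than ColdFusion; the function names, the secret and the 15-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: secret known only to the chat server
MAX_AGE = 15 * 60                 # assumption: a link is valid for 15 minutes

def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the key can sit in a query string
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_access_key(username, now=None, secret=SECRET):
    """Build '<payload>.<tag>' where payload is 'issued_at:username'."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}:{username}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_access_key(key, now=None, secret=SECRET, max_age=MAX_AGE):
    """Return the username if the tag matches and the key is fresh, else None."""
    try:
        p64, t64 = key.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Constant-time comparison; check the tag before trusting any field
        if not hmac.compare_digest(tag, expected):
            return None
        issued_s, username = payload.decode().split(":", 1)
        issued = int(issued_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed key
    now = int(time.time() if now is None else now)
    if not 0 <= now - issued <= max_age:
        return None  # expired, or stamped in the future
    return username
```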






