Tom,

It pretty much breaks down to 3 questions:

1: Will it be web facing at all (or are we looking at an internal server only)?
2: Is this for company confidential information, or general chatter?
3: What other products have you looked at?

To be honest, I'd recommend Phorum http://phorum.org/ as it's far more secure than phpBB (which incidentally I now use to teach people how not to produce web applications).

Also, adding another layer like mod_security, http://modsecurity.org, also helps.

Daniel
OWASP.org

On 6/20/05, Moritz Naumann <[EMAIL PROTECTED]> wrote:
> Tom Edwards wrote:
> > I am new to this list and to security in general so please excuse my
> > question. A friend told me that our forum software phpBB is not very
> > secure and told me about this. Where can I get information on that? What
> > must I do to make it secure?
>
> Hi Tom,
>
> many people are concerned about known and unknown security issues
> related to phpBB. There have been a lot of security issues with it in
> the past, have a look at
> http://www.phpbb.com/security/final_reports.php
> (or search the FD archives) for some of the latest.
>
> The assumption many people make is that if so many vulnerabilities are
> constantly discovered on this software, it can be assumed that there
> still are many left and this application must thus be considered
> insecure in general.
>
> While I'm not saying this is a correct conclusion (and I'm also not
> saying it was not), far fewer security issues have been discovered on
> other widespread bulletin board software in the same time (which might
> also be related to other factors such as their licensing terms and
> pricing which make a comparison difficult, though).
>
> Hope this helps a bit,
> Moritz
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
