I've done some work on phpBB security
(http://seclists.org/lists/fulldisclosure/2005/Feb/0547.html,
http://www.phpbb.com/security/final_reports.php?p=2) and would not
personally commend them on their security record and responses. I've
gone through the code base and there are probably no remaining obvious
issues, but I am sure that there are many subtle errors remaining. The
code is just not designed with security in mind.

I would also like to point out that they are liable to hide security
issues that they consider non-serious, and this has bitten them before
(See highlight exploit. They ignored it for a while because they
didn't think it could be exploited.)

AnthraX101

On 6/20/05, Tom Edwards <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I am new to this list and to security in general so please excuse my
> question. A friend told me that our forum software phpBB is not very secure
> and told me about this. Where can I get information on that? What must I do
> to make it secure?
> 
> Thank you.
> 
> Kind regards,
> Tom Edwards, Manager
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


-- 
AnthraX101 -- PGP Key ID# 0x4CD6D0BD
Fingerprint:
8161 D008 3DAB 86C1 2CA3  AEDE 0E21 DBDE 4CD6 D0BD