I'm with you, they are on crack with this one...
Ret. Mar Ikioi

Regardless of what they think the risk is, security is about minimization of risk. Any hole should be top priority where security is concerned. User session IDs expiring... are they actually serious? Increase the time limit then. Session IDs are NOT brain surgery. Frankly, I've trusted phpBB because of quick response to security holes, but that reply makes me seriously question their current direction.

As for shared hosting, please be kind enough to inform them that variants of phpBB DBs are included with many other systems, like Postnuke. To exploit phpBB's system is to give them access to other areas outside the phpBB system, making it a doorway hack. Further, shared phpBB DBs are not uncommon. If a site owner only has one SQL DB but runs forums for subdomains, obviously they will share that one DB, and would have multiple admins for multiple levels with multiple abilities on multiple boards. Very low priority.

Someone needs to tell the phpBB team that regardless of features, an insecure board is a worthless board... which is why phpBB has been a viable alternative to Invision. Invision has more features, but phpBB's response to bugs/holes has been really great. At least, up to this point.

Some points:

"If you're an admin why would you want to bother jumping through hoops to discover another user's password?"

Someone tell this genius (sarcasm) that people sometimes share passwords with their e-mail, other sites, etc.

"I fail to see why a 'shared hosting' environment increases the risks here. ... I know of no host which gives all users the same database!"

This guy must live in la-la land where everyone hosts with an unlimited SQL provider and all admins are root. Tell him to chat with me, a hosting provider, and I'll inform him of a little something I like to call... reality.

"To err is human, to screw up royally requires me!"

Yep, partner, you got that right.

That reply is tantamount to the *nix community telling server owners, "Yeah, there is an exploit in chroot, but only if root executes it, so it's low priority." (Well, because if cron runs as root and executes chroot statements for other user sites, then you have a big clusterf#$%!) The *nix community wouldn't give some crap response like that, and users wouldn't stand for it. So, yes, third-party patches are certainly welcomed, at least by phpBB users. If anyone considers any security hole "very very low priority", then they are not the person to be leading any discussion of security development in any product. They are apt to fit in well on some other project... like the next version of Windows. ;)
CyberArmy::Forum v0.6