Topic: Security Question

Hi,

I'm considering integrating PunBB into an upcoming open source project (it seems to be the best compromise between cleanly coded and feature-complete that I've found), but I'm concerned about security.  From what I can gather from the homepage, PunBB seems to have had security problems requiring updates around once a month recently (phpBB has published only 2 such security updates in the last 12 months, AFAICT).

Is PunBB secure enough to integrate into an application that will access a database that also contains sensitive user information?  What would I need to do in order to make it that secure?

Thanks for your help!

Re: Security Question

Simple quick answer: Yes, I think so smile
And don't trust what PHPBB people mark critical to be the only critical stuff, "arbitrary file unlink" sounds rather scary to me tongue

Re: Security Question

security releases aren't bad, it just means rickard is addressing the problems ASAP


Re: Security Question

You should also consider who are the most likely target for an attack.


Re: Security Question

Paul wrote:

You should also consider who are the most likely target for an attack.

IIS running on Windows smile

Re: Security Question

Connorhd wrote:

security releases aren't bad, it just means rickard is addressing the problems ASAP

Of course it's good to know that they're being dealt with immediately.  I guess my concern is that there are enough security bugs left in the code for one to be found every month.  If someone were to get unauthorized access to our database (or worse, our server) it could be a critical problem.

Personally, I don't know enough about all of the different potential security problems to do a security audit of the code -- otherwise I could just look through and fix anything I saw that looked like it could cause problems.  Maybe that makes me underqualified to work on code that accesses a critical database anyhow....

Actually, with that in mind, does anyone know of a good resource for learning about PHP security beyond addslashes() and register_globals and not including files based on request variables?

thx!
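To put the three habits named in the question (addslashes(), register_globals, and includes driven by request variables) next to their safer counterparts, here is an added example. It is not PunBB code and not from anyone in this thread; it assumes PHP 7.1 or later with the PDO SQLite driver, and the table, rows and request values are constructed so it runs stand-alone.

```php
<?php
// Added example (not PunBB code): safer counterparts to three classic PHP pitfalls.
// Runs against an in-memory SQLite database; all data below is constructed.

declare(strict_types=1);

// 1. Queries: bind values instead of escaping them with addslashes().
//    addslashes() is not charset-aware and must be remembered at every call site;
//    a bound parameter is never spliced into the SQL text, whatever it contains.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Request data: read it explicitly from $_GET/$_POST with a typed default,
//    so nothing depends on register_globals and each input has one known source.
function request_param(array $source, string $key, string $default = ''): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

// 3. Includes: map the request value onto a fixed list of files.
//    The request value itself never becomes part of a path.
const PAGE_FILES = [
    'index'  => 'index.php',
    'search' => 'search.php',
];

function resolve_page(string $page): ?string
{
    // Unknown names, including traversal strings like '../../etc/passwd', yield null.
    return PAGE_FILES[$page] ?? null;
}

// --- stand-alone demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// A constructed request, standing in for $_GET. The user value carries a quote
// and an OR clause; because it is bound, it is compared as a literal string.
$get = ['page' => 'search', 'user' => "alice' OR '1'='1"];

$user = find_user($db, request_param($get, 'user'));
echo $user === null ? "no such user\n" : "found {$user['username']}\n";

$file = resolve_page(request_param($get, 'page'));
echo $file === null ? "unknown page\n" : "would include {$file}\n";

$file = resolve_page('../../etc/passwd');
echo $file === null ? "unknown page\n" : "would include {$file}\n";
```

The pattern in `resolve_page()` is the general form of "don't include files based on request variables": the request selects a key, and only values already in the map can reach `include`. The same whitelist idea applies to ORDER BY column names and similar places where a bound parameter cannot be used.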

(edited by Frank H 2005-04-28 14:36)

Re: Security Question

one problem that you should consider is also PHP versions etc. They're as critical as the phpscripts themselves ...

(and I must say that I've seen a few phpBB boards getting '0wn3d' ... so the frequency of 'critical' bug updates isn't always the best thing to look at wink)

But if I would do such a critical thing that you seem to need, I'd use SSL/https, with login (not relying on the forum login only) ... as that will hopefully only let 'allowed' people even reach the scripts ... and then ... sit down and look through all the code of each script, looking out for any vulnerabilities, like how info is gathered and handled from the user. But things like PHP bugs should also be under consideration; I know of a vBulletin board that has problems due to PHP versions and bugs ... resulting in the only PHP version it is possible to run, for security reasons, being a beta, and that one locks up once in a while instead...

Re: Security Question

is there any reason for punbb to use the same database as the rest of your site? if you're worried couldn't you put it in another db with different username and pass?

Re: Security Question

He wants to integrate it wink

Re: Security Question

Here is a site that lists some XSS things to test / try.
http://ha.ckers.org/xss.html

Every Day Above Ground Is A Good One!!

Re: Security Question

Well, we need a single sign-on point (granted, this could be done with separate DBs).  But also, the application we're going to be integrating forums into will serve many many purposes for the organization, including e-commerce, tracking entry points into the site, and more.  The forums will be serving as support groups, and the ability to read and post in each forum will depend on some of the (yes, sensitive) data in the rest of the DB.

Moreover, the organization's administrators need to be able to run complex queries that use both forum tables and tables from the rest of the application we'll be building, which would be much more complicated to implement with multiple DBs.  And the database, with all of this info, including some parts of the forum data, will serve as the central data store for the organization (yes, we'll be backing it up AT LEAST weekly).

Re: Security Question

sankynet: It's difficult for me to post anything of value in this topic. Being the main developer, I am of course biased. Yes, PunBB has recently been updated quite a few times to deal with security vulnerabilities. There's no denying that. However, I like to believe the reason for this sudden rash of updates is that two or three people (can't remember) have been auditing the PunBB source code looking for vulnerabilities. Over a period of a couple of weeks, I received e-mails from these people reporting vulnerabilities. These e-mails have stopped coming in. I have a few things on the list for 1.2.6, but they aren't critical.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Security Question

middleground --

Thanks for the link.  That's a lot to look out for.  I've bookmarked it.

Rickard --

Thanks for the explanation (and thanks for all of your work on the software too smile ).  It's certainly reassuring (and it's great that someone's doing a security audit!).  I'll post again here to let you know if we end up using PunBB.