1

Topic: PunBB - Is it secure/safe to use?

Hi,

So I've been looking at all the open source forums out there and I really like the way punbb looks - simple, clean.

I'm VERY concerned about it from a security perspective: I fear using it in the way I want will almost guarantee a forum security compromise.

There's some missing features I definitely want in it, namely:
- MOST IMPORTANTLY: Ability to add/upload inline attachments (images mostly).

- An easy to use BBcode (or something) editor: not everybody knows how various tags work off the top of their head
- Private messaging system.  This may not be 100% required, but would be nice.
- The ability to change the page/post layout without hacking the hell out of the code and making upgrades hard

All of these things are available as third party things I can install, but the install methods look horrible - manually edit files, etc. Not only am I trusting third party code, but trying to manage upgrades of punbb and all the third party things I've put on it is going to be a bloody nightmare - I'll have to diff/edit a million files manually. Ugh.

This is really putting me off using punbb.

Can anybody comment on this, please?  Maybe suggest known secure plugins I should use, etc?

2 (edited by guardian34 2007-03-02 09:52)

Re: PunBB - Is it secure/safe to use?

fixed wrote:

All of these things are available as third party things I can install, but the install methods look horrible - manually edit files, etc. Not only am I trusting third party code, but trying to manage upgrades of punbb and all the third party things I've put on it is going to be a bloody nightmare - I'll have to diff/edit a million files manually. Ugh.

http://blog.punbb.org/2007/02/14/mods-extensions/

Edit:

fixed wrote:

There's some missing features I definitely want in it, namely:
[attachments … BBCode … Private messages]

http://punbb.org/forums/viewtopic.php?pid=86126#p86126

fixed wrote:

The ability to change the page/post layout without …

http://blog.punbb.org/2007/02/14/mods-e … comment-68

3 (edited by sirena 2007-03-03 02:04)

Re: PunBB - Is it secure/safe to use?

fixed wrote:

I'm VERY concerned about it from a security perspective: I fear using it in the way I want will almost guarantee a forum security compromise.

There's some missing features I definitely want in it, namely:
- MOST IMPORTANTLY:  Ability to add/upload inline attachments (images mostly).

- An easy to use BBcode (or something) editor: not everybody knows how various tags work off the top of their head
- Private messaging system.  This may not be 100% required, but would be nice.

You do see the contradiction in this, don't you?

You want a secure forum package, but you also want a kitchen sink of features that expose your forum to stuff like uploaded binaries and another layer of potentially dodgy PHP in the form of a private message system....

All things being equal, more code = more bugs = more vulns. It's hard to have your cake and eat it too, esp. with complex PHP or other web apps. You may have to compromise a bit with your requirements.

FWIW, PunBB is quite secure, at least in terms of reported bugs, in its vanilla default state:
http://secunia.com/product/3700/

And of course it would be remiss of me if I didn't remind you that security has many layers.

PunBB or any other forum runs on top of and/or alongside a whole heap of other stuff that you also need to worry about in terms of security too.

Even if punBB's code was bulletproof, punBB could still be hacked via vulnerabilities in your O/S, router, database, web server, firewall, mail server, scripting engines, DNS server, file-system permissions being set wrong, weak passwords etc etc etc etc, not to mention any vulnerabilities in any of the other web apps (eg a CMS) you (or anyone else on your server) may be running.
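To make the "uploaded binaries" point concrete: the risk with an inline-attachment feature is that the server trusts the client-supplied filename or MIME type and then serves the file from a directory where the web server will execute it. Below is an added example of a hardened image-upload handler (written for this page, not PunBB's code or any attachment mod's; PHP 8 syntax, and the $store_dir path and function names are assumptions) that checks the bytes rather than the extension, re-encodes the image through GD so nothing but pixels reaches disk, and stores it under a random name with non-executable permissions:

```php
<?php
// Added example, not PunBB code. Assumed layout: images are written under
// $store_dir, which sits outside the web root and is served back through a
// separate script that sets Content-Type itself, never as a direct URL.

declare(strict_types=1);

function validate_image_upload(array $file, int $max_bytes = 2 * 1024 * 1024): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > $max_bytes) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    // Look at the bytes; $_FILES['type'] and the extension are attacker-chosen.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('image type not allowed');
    }
    // Cross-check with libmagic so a file whose header satisfies getimagesize
    // but which finfo classifies as something else is rejected.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $info['mime']) {
        throw new RuntimeException("mime mismatch: $mime vs {$info['mime']}");
    }
    return [$info[2], $allowed[$info[2]]];
}

function store_image_upload(array $file, string $store_dir): string
{
    [$type, $ext] = validate_image_upload($file);

    // Re-encode through GD: a PHP payload hidden in an EXIF comment or appended
    // after the image data (the classic "image.php.jpg" / polyglot trick) does
    // not survive decode-and-reencode; only pixel data is written out.
    $src = match ($type) {
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
    };
    if ($src === false) {
        throw new RuntimeException('could not decode image');
    }

    // Server-chosen random name; the user's filename never touches the disk,
    // so no path traversal, no double extensions, no .htaccess uploads.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($store_dir, '/') . '/' . $name;

    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($src, $dest, 85),
        IMAGETYPE_PNG  => imagepng($src, $dest),
        IMAGETYPE_GIF  => imagegif($src, $dest),
    };
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // readable by the web user, never executable
    return $name;
}

// Usage inside the attachment handler (directory is an assumed path):
// $stored = store_image_upload($_FILES['attachment'], '/var/forum-uploads');
```

Two caveats a practitioner would want stated. First, the filesystem check alone is not enough: the upload directory must also be one the web server will not hand to the PHP engine, which is why the example assumes a directory outside the document root and a separate serving script. Second, this handler is itself more code, and decoding attacker-supplied images with libgd has historically been an attack surface of its own, so it is a fair illustration of sirena's "more code = more bugs = more vulns" rather than an exception to it.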

Re: PunBB - Is it secure/safe to use?

I haven't seen any real security issue in production in PunBB in over 2 years.

5

Re: PunBB - Is it secure/safe to use?

sirena wrote:

All things being equal, more code = more bugs = more vulns.

This is the truest statement of all, here's to light apps.