1 (edited by Paul 2006-09-20 15:15)

Topic: Great forum, are you aware of the recent security alert?

Hi,

I've recently been looking into using punBB for our organisation, mainly due to the CSS-based design and its uncluttered interface.

Following discussions with our network team here they're happy to host the forum, but have brought to my attention the following security vulnerability: -

[EDIT by Paul]

How quickly are vulnerabilities like this normally patched? Also I take it from the licence that we'd be free to patch this ourselves?

Regards,

Ian

PS - Keep up the good work, the forum's great

2

Re: Great forum, are you aware of the recent security alert?

"Genuine" vulnerabilities are fixed almost immediately. I've edited your post for obvious reasons and moved it as this is not a bug report. We do know about that security alert. It appears to be complete nonsense but is being checked out anyway. You can patch PunBB yourself.

3

Re: Great forum, are you aware of the recent security alert?

Thanks Paul,

Wasn't sure how serious it was but have sent an email to Rickard containing the full details.

Regards,

Ian

4 (edited by Smartys 2006-09-21 00:00)

Re: Great forum, are you aware of the recent security alert?

Rickard already knows, the issue has been discussed several times and (as far as anyone can determine) the bug does not actually exist. We're in the process of verifying that information with the various lists, but the alleged vulnerability doesn't seem possible on PunBB

Edit: Made the post a little easier to read

Re: Great forum, are you aware of the recent security alert?

IanN wrote:

How quickly are vulnerabilities like this normally patched? Also I take it from the licence that we'd be free to patch this ourselves?

FWIW, as a pun user, in my experience Rickard is pretty on the ball, in terms of being aware of security issues and fixing them promptly if they indeed are real vulns.

He's also quite receptive to being told about potential security issues, even though it may sometimes be a drag investigating some of the more obscure or poorly described ones.

And so far, the security track record of punBB re publicly known vulns is pretty good, better probably than many of the larger forums.

Of course much of this may also be due to the lower profile of punBB, and consequently the lower number of hackers exposed to it and inclined to try and break it, rather than any guarantee about the security of its code.

So prudent installation, configuration and management of your punBB forum will still be required.

Re: Great forum, are you aware of the recent security alert?

http://punbb.org/forums/viewtopic.php?id=13255
Vulnerability patched