On 08/08/12 20:07, Karanbir Singh wrote:
> On 08/08/2012 08:01 PM, John R. Dennison wrote:
> > phpBB has one of the worst track records for forum packages with regards to security issues and they have, as Les mentioned, been promising to "fix" the heart of the problem for many, many years now. Quite a few years ago I grew tired of the "phpBB security hole of the week" game, transitioned everything to SMF, and never once looked back. I routinely turn down gigs that want phpBB if I am unable to convince them to go with SMF - it's just not worth the headaches.
>
> Is it possible to quantify this phpbb security issue?
Sure:
http://secunia.com/community/advisories/search/?search=phpBB
http://secunia.com/advisories/product/17998/?task=statistics
Looks like there's been 6 vulnerabilities (5 advisories) in the lifespan of the 3.x product (since 2008?). So just over one per year and importantly all have been fixed.
That seems pretty reasonable for a web-based application to me. I was expecting it to be much higher than that.
In contrast, the current forum software (Xoops 2.x) has had 36 vulnerabilities:
http://secunia.com/advisories/product/327/
of which 8% remain unpatched. Oops!