ned at unixmail.co.uk
Wed Aug 8 19:23:52 UTC 2012
On 08/08/12 20:07, Karanbir Singh wrote:
> On 08/08/2012 08:01 PM, John R. Dennison wrote:
>> phpBB has one of the worst track records for forum packages with regards
>> to security issues and they have, as Les mentioned, been promising to
>> "fix" the heart of the problem for many, many years now. Quite a few
>> years ago I grew tired of the "phpBB security hole of the week" game,
>> transitioned everything to SMF, and never once looked back. I routinely
>> turn down gigs that want phpBB if I am unable to convince them to go
>> with SMF - it's just not worth the headaches.
> Is it possible to quantify this phpbb security issue ?
Looks like there's been 6 vulnerabilities (5 advisories) in the lifespan
of the 3.x product (since 2008?). So just over one per year and
importantly all have been fixed.
That seems pretty reasonable for a web based application to me. I was
expecting it to be much higher than that.
In contrast, the current forum software (Xoops 2.x) has had 36
of which 8% remain unpatched. Oops!
More information about the CentOS-devel