[CentOS-devel] Forums

Wed Aug 8 19:23:52 UTC 2012
Ned Slider <ned at unixmail.co.uk>

On 08/08/12 20:07, Karanbir Singh wrote:
> On 08/08/2012 08:01 PM, John R. Dennison wrote:
>> phpBB has one of the worst track records for forum packages with regards
>> to security issues and they have, as Les mentioned, been promising to
>> "fix" the heart of the problem for many, many years now.  Quite a few
>> years ago I grew tired of the "phpBB security hole of the week" game,
>> transitioned everything to SMF, and never once looked back.  I routinely
>> turn down gigs that want phpBB if I am unable to convince them to go
>> with SMF - it's just not worth the headaches.
>
> Is it possible to quantify this phpBB security issue?
>

Sure:

http://secunia.com/community/advisories/search/?search=phpBB
http://secunia.com/advisories/product/17998/?task=statistics

Looks like there have been 6 vulnerabilities (5 advisories) in the lifespan 
of the 3.x product (since 2008?). So just over one per year and, 
importantly, all have been fixed.

That seems pretty reasonable for a web based application to me. I was 
expecting it to be much higher than that.

In contrast, the current forum software (Xoops 2.x) has had 36 
vulnerabilities:

http://secunia.com/advisories/product/327/

of which 8% remain unpatched. Oops!