On Wed, Aug 8, 2012 at 12:07 PM, Karanbir Singh <mail-lists at karan.org> wrote: > On 08/08/2012 08:01 PM, John R. Dennison wrote: >> phpBB has one of the worst track records for forum packages with regards >> to security issues and they have, as Les mentioned, been promising to >> "fix" the heart of the problem for many, many years now. Quite a few >> years ago I grew tired of the "phpBB security hole of the week" game, >> transitioned everything to SMF, and never once looked back. I routinely >> turn down gigs that want phpBB if I am unable to convince them to go >> with SMF - it's just not worth the headaches. > > Is it possible to quantify this phpbb security issue ? > Yes, CVEs and looking at release history seems like a way to quantify it. As I understand it, this was really more of an issue with older 1.x, 2.x versions. phpBB 3.x underwent an external (to the phpBB team) security review, and as far as I've seen, they've not had a lot of problems since, and are pretty good/fast about addressing any potential security issues. -Jeff