On 08/08/12 20:07, Karanbir Singh wrote:
> On 08/08/2012 08:01 PM, John R. Dennison wrote:
>> phpBB has one of the worst track records for forum packages with regards
>> to security issues and they have, as Les mentioned, been promising to
>> "fix" the heart of the problem for many, many years now. Quite a few
>> years ago I grew tired of the "phpBB security hole of the week" game,
>> transitioned everything to SMF, and never once looked back. I routinely
>> turn down gigs that want phpBB if I am unable to convince them to go
>> with SMF - it's just not worth the headaches.
>
> Is it possible to quantify this phpbb security issue ?
>

Sure:

http://secunia.com/community/advisories/search/?search=phpBB
http://secunia.com/advisories/product/17998/?task=statistics

Looks like there's been 6 vulnerabilities (5 advisories) in the lifespan of the 3.x product (since 2008?). So just over one per year and importantly all have been fixed. That seems pretty reasonable for a web based application to me. I was expecting it to be much higher than that.

In contrast, the current forum software (Xoops 2.x) has had 36 vulnerabilities:

http://secunia.com/advisories/product/327/

of which 8% remain unpatched. Oops!