Re: [Hampshire] LACNIC, ARIN, APNIC hackers hitting a "relev…

Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] LACNIC, ARIN, APNIC hackers hitting a "relevant touk only" web site

gpg: Signature made Wed Jun 30 00:48:02 2010 BST
gpg: using DSA key 20ACB3BE515C238D
On Wed, Jun 30, 2010 at 12:12:57AM +0100, Jacqui Caren-home wrote:
> Hugo Mills wrote:
> >    If you do go down this route, I would take a close look at the
> > security implications of the software you choose. The most obvious
> > forum app, phpBB, had a truly terrible security record when I looked
> > at it a while ago. I found another one called MyBB, which seems to
> > have developers with a rather better security outlook.
>
> I am on FD and phpBB is a common visitor there - not a good sign.
When I did my analysis, I picked several likely-looking apps, and
took a look at the previous year's CERT advisories for the candidates
I'd picked. phpBB had something like an order of magnitude more
entries than MyBB. On closer examination, the problems seemed to be
generally worse (SQL injection, rather than XSS, say), and MyBB seemed
to have a better policy and approach when I looked at the respective
developer forums for the two packages.

> Saying this, not sure if that is because it is so old, so commonly used or
> just plain bad.
I'd suggest one or other of the latter two. Probably a combination.

> The one I like is called fudforum but I have yet to run serious
> security tests on it. I do have some fuzzers etc and can set up vz's
> at home so can snapshot the vserver then run attacks against a datum
> etc. Just not had the free time yet.
I wouldn't necessarily do the fuzzing or pen testing myself, but
instead look at the historical record of reported/publicised problems,
the type of problems, and the devs' attitude to fixes. A category of
"security" in the discussion areas or bug tracker, and a prompt and
sane response are probably good things. Intermittent releases bundling
together fixes for multiple CERT advisories are probably a bad thing.

Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
  --- My doctor tells me that I have a malformed public-duty gland, ---  
                and a natural deficiency in moral fibre.
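The comparison Hugo describes (count a year of advisories per candidate, weight server-side injection above XSS, and treat a few big releases each bundling many fixes as a bad sign) is easy to make repeatable once the advisory entries are in a table. The script below is an added example, not code from the thread; the advisory records in it are constructed for illustration and describe no real product or vulnerability, and the product names, category labels and severity weights are assumptions chosen here:

```python
"""Score candidate web apps by their public advisory history.

Constructed sample data: every record below is invented for illustration and
describes no real product or vulnerability. Product names, category labels
and the severity weights are assumptions made for this example.
"""
from collections import Counter
from datetime import date
from statistics import median

# Assumed weights: server-side injection and RCE count for more than a
# reflected XSS when judging how bad a year of advisories actually was.
SEVERITY_WEIGHT = {
    "rce": 10,
    "sqli": 8,
    "auth-bypass": 8,
    "csrf": 3,
    "xss": 2,
    "info-leak": 1,
}
DEFAULT_WEIGHT = 5  # applied to any category not listed above

# Constructed advisories: (product, category, disclosed, fixed, fixed-in release).
ADVISORIES = [
    ("candidate_a", "sqli", date(2009, 7, 3), date(2009, 8, 30), "1.2.1"),
    ("candidate_a", "sqli", date(2009, 7, 18), date(2009, 8, 30), "1.2.1"),
    ("candidate_a", "xss", date(2009, 8, 2), date(2009, 8, 30), "1.2.1"),
    ("candidate_a", "rce", date(2009, 10, 11), date(2010, 1, 15), "1.3.0"),
    ("candidate_a", "sqli", date(2009, 11, 4), date(2010, 1, 15), "1.3.0"),
    ("candidate_a", "xss", date(2009, 12, 1), date(2010, 1, 15), "1.3.0"),
    ("candidate_a", "csrf", date(2010, 2, 9), date(2010, 5, 20), "1.3.1"),
    ("candidate_a", "xss", date(2010, 3, 15), date(2010, 5, 20), "1.3.1"),
    ("candidate_b", "xss", date(2009, 9, 10), date(2009, 9, 14), "2.0.3"),
    ("candidate_b", "info-leak", date(2010, 1, 20), date(2010, 1, 25), "2.0.4"),
]


def summarise(advisories=ADVISORIES):
    """Per product: advisory count, breakdown by category, weighted score,
    median days from disclosure to fix, and how many fixes the busiest
    release bundled together."""
    raw = {}
    for product, category, disclosed, fixed, release in advisories:
        entry = raw.setdefault(
            product, {"categories": Counter(), "fix_days": [], "per_release": Counter()}
        )
        entry["categories"][category] += 1
        entry["fix_days"].append((fixed - disclosed).days)
        entry["per_release"][release] += 1

    summary = {}
    for product, entry in raw.items():
        summary[product] = {
            "count": sum(entry["categories"].values()),
            "by_category": dict(entry["categories"]),
            "weighted_score": sum(
                SEVERITY_WEIGHT.get(cat, DEFAULT_WEIGHT) * n
                for cat, n in entry["categories"].items()
            ),
            "median_fix_days": median(entry["fix_days"]),
            "releases": len(entry["per_release"]),
            "max_fixes_per_release": max(entry["per_release"].values()),
        }
    return summary


def rank(summary):
    """Best candidate first: lowest weighted score, then fastest fix turnaround."""
    return sorted(
        summary, key=lambda p: (summary[p]["weighted_score"], summary[p]["median_fix_days"])
    )


def report(summary):
    """Print a one-line-per-product table for eyeballing."""
    print(f"{'product':<14}{'count':>6}{'score':>7}{'med.fix':>9}{'rel':>5}{'max/rel':>9}")
    for product in rank(summary):
        s = summary[product]
        print(
            f"{product:<14}{s['count']:>6}{s['weighted_score']:>7}"
            f"{s['median_fix_days']:>9}{s['releases']:>5}{s['max_fixes_per_release']:>9}"
        )


if __name__ == "__main__":
    report(summarise())
```

The weighted score separates the two constructed candidates by more than the raw count does (43 against 3, versus 8 against 2 advisories), which is the "worse kind of problem" distinction in Hugo's analysis; the median fix lag and the fixes-per-release column capture his point about bundled, infrequent fix releases. When you run this for real, replace the constructed table with the CERT/vendor entries you actually collected and keep the weights explicit so someone else can argue with them.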