Forum Vulnerabilities

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    2

    Forum Vulnerabilities

    I am considering hosting a forum, but am concerned about the security of php-based software (like vbulletin).

    Can anyone shed any insight as to what challenges I need to look for? Are there any features I should consider disabling?

    Thx for your time.

    Debaser

  2. #2
    Senior Member tampabay420
    Join Date
    Aug 2002
    Posts
    953
    I'm not sure, I think it's different with every package...
    although I wouldn't suggest phpNuke!
    I'm subscribed to Bugtraq and there is a new phpNuke vuln every week (sometimes two).
    That's all I really know, as I wrote my own BBS scripts (using Perl, and the Blowfish modules!)

    -take it easy
    yeah, I'm gonna need that by friday...

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    502
    phpBB is very secure. Try it. http://www.phpbb.com
    Bleh.

  4. #4
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I think in scripts like vbulletin, the most (common) danger is cross-site scripting bugs. And SQL injection. Just sign up for a decent bugtracking list and you should be fine. Disable things you think are not secure (like HTML code in posts). Backing up yer data is always useful, for some unexpected bug. Watch out with mods and ads... Use them if you like, but don't just paste code everywhere, not knowing what yer doing. Just take it easy and everything should be fine the first few times.
    Double Dutch

  5. #5
    Junior Member
    Join Date
    Feb 2003
    Posts
    2
    Thanks for the responses, guys. I'll look into your suggestions.

    On a similar note, the chat rooms on these forums....are they relatively secure? I'm headed to Bugtraq now, but I've heard of someone nabbing user IPs during chat sessions. I know of scripts for things like that on IRC, but didn't know the forum's Java code could be tweaked by a user. Of course, I'm assuming what I heard is actually true. Could be someone's empty claims....

    Debaser

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    Bugtraq will only cover standard parts of the prebuilt system; when you start adding your own parts, you will have to code them correctly to prevent security holes. Take a look at www.owasp.org; this web site is the best place for web application security. It also includes a very good paper on how to secure a web application.

    I hope that points you in the right direction

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
