-
Forum Vulnerabilities
I am considering hosting a forum, but am concerned about the security of PHP-based software (like vBulletin).
Can anyone shed any insight as to what challenges I need to look for? Are there any features I should consider disabling?
Thx for your time.
Debaser
-
I'm not sure, I think it's diff with every package...
although I wouldn't suggest phpNuke!
I'm subscribed to Bugtraq and there is a new phpNuke vuln every week (sometimes two;))
that's all I really know, as I wrote my own BBS scripts (using Perl, and the Blowfish modules!)
-take it easy :)
-
phpBB is very secure. Try it. http://www.phpbb.com
-
I think in scripts like vBulletin, the most (common) danger is cross-site scripting bugs. And SQL injection. Just sign up for a decent bugtracking list and you should be fine. Disable things you think are not secure (like HTML code in posts). Backing up yer data is always useful, for some unexpected bug. Watch out with mods and ads... Use them if you like, but don't just paste code everywhere, not knowing what yer doing. Just take it easy and everything should be fine the first few times.
-
Thanks for the responses, guys. I'll look into your suggestions.
On a similar note, the chat rooms on these forums....are they relatively secure? I'm headed to Bugtraq now, but I've heard of someone nabbing user IPs during chat sessions. I know of scripts for things like that on IRC, but didn't know the forum's Java code could be tweaked by a user. Of course, I'm assuming what I heard is actually true. Could be someone's empty claims....
Debaser
-
Bugtraq will only cover standard parts of the prebuilt system; when you start adding your own parts, you will have to code them correctly to prevent security holes. Take a look at www.owasp.org; this web site is the best place for web application security. It also includes a very good paper on how to secure a web application.
I hope that points you in the right direction
SittingDuck