I need a secure forum. I previously used MwForum. It has existing reliability and a large attack surface. I looked at other existing forums first, but I realized that there was no way for me to assess their security: I don't speak PHP, and they are also under the control of others.

This forum is now abandoned, is GPLv3, and gives explicit permission to fork, as long as the name is changed but the license is not. I do speak Perl and use PostgreSQL. The forum works with several databases and has features that (optionally) work with third parties, for features that I do not consider useful. It also optionally uses mod_perl. I want to strip out the code for using all other databases and all code for using third-party options, such as reCaptcha and OpenID. Even turned off, it opens possible attack entries. I also want to remove mod_perl support, since Apache2 is extremely complex and could also provide an attack entry point. It uses a complex module for emails which I wish to discard and rework to specifically work with our OpenSMTPD. I want to make it work specifically with our base httpd, which will probably work just fine with outside code for HTTP, but that is not a goal, just probably a benefit.

As far as security with what will be left goes: as I saw in an old thread about using modules from CPAN, it was also pointed out that one cannot be certain how well tested a module really is for security. Some are well known and can be considered secure. Others may not have been tested properly, if at all. Plus, the existing Perl being used in the forum needs to be audited. As far as PostgreSQL goes, I do not have the skills to audit that code at all. Since mod_perl is optionally used, the code is probably using good clearing of variables. However, I did see some reliability issues, which most likely come from some flaws in the code.

I will shortly be putting the existing code up on GitHub. Any help or suggestions would be very welcome.

Thanks,
Chris Bennett
