On Dec 12, 2007 3:50 PM, Eric Faerber <[EMAIL PROTECTED]> wrote:

> phpBB1 was released in 2000. phpBB2 was released in 2002. phpBB3 will be
> released in 2007.
>
> It wasn't until a couple years ago that they raised the minimum version
> from PHP 3 to PHP 4 for phpBB2. phpBB is old. You can't say they could
> predict every exploit that was going to happen when they first released
> phpBB2 in 2002.

You certainly can't predict every attack vector that may happen; however, phpBB and phpBB2 were poorly engineered from the start, and slapping security patches on every day or two because you didn't take even the minimum protection standards anyone halfway knowledgeable in sanitization expects is not the right answer. There's a reason why phpBB2 was one of the most banned web applications on shared hosting plans (next to phpNuke, and that's a club you don't want to be a part of).

Although I can't comment on phpBB3 or even newer phpBB2, when I did do internal security audits of phpBB2, it was an absolute mess. I hope their engineers have learned quite a bit. From what you're saying, it sounds like they have somewhat - but I can tell you as an application security engineer that outsourcing your security handling is just the start. The engineers need to be trained themselves in best security practices on the web, which aren't always apparent.
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
