
| Subject: | Re: phpBB Ban |
|---|---|
| Date: | Mon, 21 Mar 2005 09:20:08 +0000 |
On 18 Mar 2005, at 22:17, Joseph Miller wrote:
Has anyone else here started using phpBB? After reading Andrew van der
Stock's message, I was quite concerned about the security of phpBB. I had
just installed this on one of my websites, and I was in the process of
integrating it with my existing user database. After viewing very little of
the code, I became extremely alarmed. I immediately deleted the forum from
my website as this would be the perfect point of entry for an attacker
looking for weak security code structure. Their idea of a
mysql_escape_string() equivalent is a str_replace() that replaces all single
quotes with two single quotes. This project is open source so it has no
'security through obscurity' even if that were the chosen method. Other code
did some htmlspecialchars() for escaping, then checked the particular
variable against explicit constants. How does this help? Either it matches
or it doesn't, especially with single words that have no special characters
in them. I am not a security expert nor do I purport to be one. However,
this code, IMHO, demonstrates a complete misunderstanding of security. I
don't think that they don't care about security; I just don't think that they
understand it.
I recommend a ban of this project from all websites that need any type of
security until a preliminary review can be done of the security methods and
approaches taken by the project. Not that I'm volunteering for the task, I'm
probably just going to find another, more secure project. Besides, I'm
unquestionably unqualified to do a code review for someone else's code.
-Joseph Miller
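An added illustration (Python, not phpBB's code) of the point about quote-doubling above: it models the str_replace() approach beside the rules of mysql_real_escape_string(), checks whether the escaped value stays inside its quotes under MySQL's default string syntax, and shows a bound parameter as the alternative. The users table, the sample strings and the function names are constructed for the example.

```python
import sqlite3

def double_quote_escape(value: str) -> str:
    """Models str_replace("'", "''", $value): only single quotes change."""
    return value.replace("'", "''")

# Characters that mysql_real_escape_string() rewrites, and their escapes.
_MYSQL_ESCAPES = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
                  "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_style_escape(value: str) -> str:
    """Backslash-escape every character the MySQL C API escapes."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)

def literal_stays_closed(escaped: str) -> bool:
    """Scan "'" + escaped + "'" under MySQL's default string rules (backslash
    starts an escape, '' is a literal quote) and report whether the literal
    ends exactly at the final quote, i.e. nothing leaks out of the quotes."""
    text = "'" + escaped + "'"
    i = 1
    while i < len(text):
        if text[i] == "\\":                  # backslash consumes next char
            i += 2
        elif text[i] == "'":
            if text[i + 1:i + 2] == "'":     # doubled quote, still inside
                i += 2
            else:                            # closing quote must be last
                return i == len(text) - 1
        else:
            i += 1
    return False                             # literal never terminated

def lookup_user(conn: sqlite3.Connection, username: str):
    """The hardened form: a bound parameter, no hand-rolled escaping."""
    cur = conn.execute("SELECT username FROM users WHERE username = ?",
                       (username,))
    return cur.fetchone()

def demo():
    # Constructed inputs: an apostrophe, and an apostrophe after a backslash.
    samples = ["O'Neil", "a\\'b"]
    doubled = [literal_stays_closed(double_quote_escape(s)) for s in samples]
    mysql = [literal_stays_closed(mysql_style_escape(s)) for s in samples]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(s,) for s in samples])
    found = [lookup_user(conn, s) is not None for s in samples]
    return doubled, mysql, found  # ([True, False], [True, True], [True, True])
```

The second result shows the gap: quote-doubling handles a bare apostrophe but not one preceded by a backslash, whereas the backslash-aware escaper and the bound parameter both keep the value intact.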