
Re: phpBB Ban

Subject: Re: phpBB Ban
Date: Wed, 20 Apr 2005 16:47:09 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recognize that most software applications have bugs in them.   The problem 
that I have with phpBB is that it is not just "software bugs", but a 
demonstrated lack of understanding of certain security concepts, particularly 
input validation and escaping for a SQL transaction.  Because it is a web 
program, a good hacker with a search engine bot can find thousands of 
vulnerable scripts in a matter of minutes and use them for what he chooses.  
I suggest that sysadmins look for alternative solutions unless they (or 
someone they trust in the security community) can vouch for the relative 
strength of the scripts' security.

As to the question about Windows, that is a question that you should really 
not ask me.  IMHO I think that for many small and large businesses, Windows 
is not the best solution for a server application.  Medium businesses can 
find convenience and comfort in the cost and familiarity of Windows servers, 
but I do think that just about any organization should look into alternative 
solutions.  Security comes in many forms and more and more organizations are 
looking into open source applications so that they can have the *security of 
mind* that some third party company doesn't have their data by the balls with 
a proprietary format.

- -Joseph Miller

On Wednesday 20 April 2005 11:49 am, Ole Martin Eide wrote:
> Joseph Miller wrote:
> > The reason that I think that a ban would be important for a project such
> > as phpBB is because of its wide use.  One attacker could spend a single
> > day and attack hundreds or even thousands of websites that have phpBB
> > using a single script and a web search engine.  This type of wide
> > deployment makes this program more of a risk than just a problem with one
> > or two servers.  This type of problem becomes global.
>
> The use of 'Windows' is also widespread. Over the years it has been
> patched more times than a human can count. Does this mean administrators
> should enforce the use of other operating systems?
>
> To make a sharp statement; most web scripts around have some kind of bug,
> at some point, that will compromise the site and/or even more.
>
> My view is that there will always be bugs, and people to find them and
> use them. So the only thing we can do is to prepare for it to happen.
> Thank god for mod_sec :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZr/PmXZROF+EADURAlRQAJ4wLWnpU00njqAqOfRLRJ456dW5AACfYAqE
RV2g9t6Hy/RSgsW1B0Y8fAM=
=Wp9N
-----END PGP SIGNATURE-----
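The "input validation and escaping for a SQL transaction" point above, as an added example that is not part of the thread and is not phpBB's own code. It uses Python with an in-memory SQLite database (phpBB of that era targeted MySQL via PHP, so the table `users`, its phpBB-like column names, and the two rows are constructed for this demonstration). It shows the three stages the message alludes to: interpolating form fields straight into SQL, escaping quotes (which is still not enough when the value lands in an unquoted numeric context), and validating the type and binding the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data: a phpBB-style users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(2, "admin", "hash-of-admin"), (3, "alice", "hash-of-alice")],
    )
    return conn


def _names(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def lookup_vulnerable(username, password, conn=None):
    """Stage 1: request fields interpolated directly into the query.

    username = "admin' -- " turns the rest of the WHERE clause into a
    comment, so the password check never happens."""
    conn = conn if conn is not None else make_db()
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND user_password = '{password}'"
    )
    return _names(conn, sql)


def escape_quotes(value):
    """addslashes-style escaping for a value inside single quotes."""
    return value.replace("'", "''")


def lookup_escaped(username, password, conn=None):
    """Stage 2: quotes are escaped, so the login bypass above fails here."""
    conn = conn if conn is not None else make_db()
    sql = (
        f"SELECT username FROM users WHERE username = '{escape_quotes(username)}' "
        f"AND user_password = '{escape_quotes(password)}'"
    )
    return _names(conn, sql)


def profile_escaped_numeric(user_id, conn=None):
    """Stage 2, the gap: escaping quotes does nothing when the value is not
    quoted at all. user_id = "2 OR 1=1" contains no quote, passes through
    escape_quotes unchanged, and returns every user."""
    conn = conn if conn is not None else make_db()
    sql = f"SELECT username FROM users WHERE user_id = {escape_quotes(user_id)}"
    return _names(conn, sql)


def profile_validated(user_id, conn=None):
    """Stage 3: validate the type first, then bind it as a parameter.
    Returns None for input that is not a plain integer."""
    conn = conn if conn is not None else make_db()
    if not user_id.isdigit():
        return None
    return _names(conn, "SELECT username FROM users WHERE user_id = ?", (int(user_id),))


def lookup_parameterized(username, password, conn=None):
    """Stage 3 for the login: the driver sends values separately from the
    SQL text, so quotes and comment markers in the input are just data."""
    conn = conn if conn is not None else make_db()
    return _names(
        conn,
        "SELECT username FROM users WHERE username = ? AND user_password = ?",
        (username, password),
    )


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypass:", lookup_vulnerable("admin' -- ", "x", db))
    print("escaped login bypass:   ", lookup_escaped("admin' -- ", "x", db))
    print("escaped numeric context:", profile_escaped_numeric("2 OR 1=1", db))
    print("validated numeric:      ", profile_validated("2 OR 1=1", db))
    print("parameterized login:    ", lookup_parameterized("admin' -- ", "x", db))
```

Run it as a script to see each stage side by side. The numeric case is the one worth remembering: an escaping function tied to one quoting context is not a general defence, which is why parameter binding (or, failing that, strict type validation before interpolation) is the fix rather than more escaping.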
