Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: phpBB Ban

from [Mark Susol Ultimate Creative Media] Network Security [Permanent Link]
Subject: Re: phpBB Ban
Date: Wed, 20 Apr 2005 16:52:27 -0400 
Invalid characters removed from From: Mark Susol | Ultimate Creative Media


Joseph Miller wrote:

The reason that I think that a ban would be important for a project such as
phpBB is because of its wide use.  One attacker could spend a single day and
attack hundreds or even thousands of websites that have pbpBB using a single
script and a web search engine.  This type of wide deployment makes this
program more of a risk than just a problem with one or two servers.  This
type of problem becomes global.


The use of 'Windows' is also widespread. Over the years it has been
patched more times than a human can count. Does this mean administrators
should enforce the use of other operating systems?

To make a sharp statement; most web scripts around has some kind of bug,
at some point, that will compromise the site and/or even more.

My view is that there will always be bugs, and people to find them and
use them. So the only thing we can do is to prepare for it to happen.
Thank god for mod_sec :)


phpBB is OpenSource software, so the source is available to all including
white hatters and black hatters. I think the problem we are seeing with
widespread attacks on phpBB etc. is an "unintended consequence" of the
OpenSource concept and googling.

However the lack of sysadmin knowledge by those implementing OpenSource
software is also to blame. If you take the STOCK install of any of these
projects and then don't follow up on keeping it "patched" as well as the
underlying server and the technologies that run the software, you will be
attacked and attacked often.

I try to write from scratch any scripts I need so the source isn't out there
to "study" and then easily found using a google search. But to write my own
forum software just isn't in my current scope of freetime. You have to ask
though with all the forum software out there, who might have the most to
gain by attacks on phpBB, maybe another competitor who has a licensing fee
to use it? Hmmm.....

I saw the beginning of this problem with things as simple as "formmail.pl"
.. People never thought to CHANGE THE NAME of this file and put in a
DISALLOW statement in a robots.txt file as a first measure to stop people
from finding the script file. The error logs on my clients websites are
filled with many attempts to find files such as formmail.pl..almost as much
as favicon.ico missing.

Mark Susol
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: phpBB Ban, Joseph Miller
Next by Date:  Re: suggesting passwds to users, SecurityFocus
Previous by Thread:  Re: phpBB Ban, Joseph Miller
Next by Thread:  GMail blocking "executable" attachments, Scovetta, Michael V
Indexes:  [Date] [Thread] [Top] [All Lists]