Security in phpBB
A response to a posting on PHP security by Filip de Waard.
The following is a reply I wrote to an article by Filip de Waard. Unfortunately, commenting was turned off on his weblog, so I could not comment on his weblog. Here is my comment: _buggy PHP scripts like PhpBB_ Of course, being part of the phpBB team, I want to respond to this. Though I definitely agree that there have been bugs (hard to deny that), I must say I've never seen it being blamed on PHP. On the other hand, I have seen, a year ago or so, a PHP bug being blamed on phpBB. It's easy to bash phpBB for containing bugs, but I have yet to encounter software that is completely bugfree. And especially when software is as popular as phpBB, people start actively looking for the bugs. This helps, when the bugs get reported to the team before being made public, but more often than not people who find bugs are more interested in their own 15 minutes of fame than the security of users worldwide, and they publish the issues without reporting them to the phpBB team first, so the team gets no opportunity to release a patch. And of course, there's a whole shitload of users that don't regularly update their phpBB software, rendering them open to all kinds of attacks that they need not be open for if only they had kept their software up-to-date. That said, security *is* an issue and I try to write my code as secure as possible, but sometimes when I see code I wrote 5 years ago, I shiver.November 24, 2005 - tags: technology
Comments
matthijs de Jonge: If the code in his post is really in phpBB, that is pretty damn terrible.However, this not checking of user input before handing it off to some sort of potentially dangerous system function isn’t unique to PHP alone. Matt’s FormMailer.cgi (if you remember that) was full of bugs like this, and that was written in Perl.
December 5, 2005
left: The example code is not in phpBB, it’s just example code of how bad it could be. Luckily, this is not in phpBB, or else phpBB would be in a really bad shape 
December 5, 2005
Filip de Waard: Hey Stefan,While there are some issues, I don’t think phpBB is totally rubbish. Additionally, I don’t blame all the phpBB developers (especially not you
for the stuff that went wrong.I wrote a response on my weblog:
http://www.filipdewaard.com/archives/36-Is-phpBB-insecure.html
I’d love to hear your opinion on it!
Cheers, Filip
December 20, 2005
left: Filip, I am getting the message: “Upgrading, please check back soon!!!”I’ve been getting this message for quite some time already. Upgrading something?
December 22, 2005
michael furniture : Thanks much for the great document. I am glad Ive taken the time to learn this.
Great post! Took my doubts!
April 19, 2012
Upcoming events
05-06-2012: Forum PHP
06-06-2012: Symfony Live Paris 2012 07-06-2012: Symfony Live Paris 2012 08-06-2012: Symfony Live Paris 2012 09-06-2012: Symfony Live Paris 2012 23-06-2012: PHP TestFest NL