From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20100927/000283.html | 103 ++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 zarb-ml/mageia-dev/20100927/000283.html (limited to 'zarb-ml/mageia-dev/20100927/000283.html') diff --git a/zarb-ml/mageia-dev/20100927/000283.html b/zarb-ml/mageia-dev/20100927/000283.html new file mode 100644 index 000000000..62fb0508f --- /dev/null +++ b/zarb-ml/mageia-dev/20100927/000283.html @@ -0,0 +1,103 @@ + + + + [Mageia-dev] A comparison of forum software from a security POV + + + + + + + + + +

[Mageia-dev] A comparison of forum software from a security POV

+ Tux99 + tux99-mga at uridium.org +
+ Mon Sep 27 08:19:03 CEST 2010 +

+
+ +
+I did a quick comparison of the most common forum software packages 
+(both commercial and FOSS) from a vulnerability point of view.
+
+I'm subscribed to the well known (every sysadmin that takes his/her job 
+seriously is subscribed to it) weekly SANS "@RISK: The Consensus 
+Security Alert" newsletter since 2000, so I have an mbox archive file 
+that contains almost 11 years worth of weekly alerts of software 
+vulnerabilities.
+
+A quick an easy way that I have used before to assess the vulnerability 
+of any software is to do a simple grep of the software name in this mbox 
+file and count the times that software gets mentioned. While this is not 
+100% scientific it gives a good approximation of the amount of 
+vulnerabilities a particular software has suffered from.
+
+Here are the results, from most vulnerable to least:
+
+grep -i phpbb sans-security_alert|wc -l
+    723
+grep -i vbulletin sans-security_alert|wc -l
+    256
+grep -i "Invision power board" sans-security_alert|wc -l
+    238
+grep -i mybb sans-security_alert|wc -l
+    176
+grep -i "Simple Machines Forum" sans-security_alert|wc -l
+     58
+grep -i fudforum sans-security_alert|wc -l
+      7
+
+All I can say, I'm surprised that the official Mandriva forum (which 
+uses phpBB) is still standing... :-)
+
+And this confirms another thing: FUDforum is really a hidden gem.
+
+
+ + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
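Review bot: The author line near the top of the added 000283.html stores the poster's address as "tux99-mga at uridium.org", and replacing " at " with "@" is all a harvester needs once this file is served from the repository. Consider masking the domain during import, or state in the commit message that the archives are meant to be published unchanged. The message "Add zarb MLs html archives" also does not say where the HTML came from or how it was generated, so a line naming the source would make the import auditable.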